Ansible - Privilege Escalation

Netmart
Level 1

Hello,

I wanted to add config changes to Cisco IOS XE.

When an enable password is also set up on the node, how is Ansible able to reach the privilege level needed to add, for example, a loopback interface?

I found the following.

vars/ios.yml

ansible_connection: ansible.netcommon.network_cli
ansible_network_os: cisco.ios.ios
ansible_user: myuser
ansible_password: !vault...
ansible_become: true
ansible_become_method: enable
ansible_become_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'

However, I am wondering what the best practice is to get into Enable Mode (Privilege Escalation).

Thanks,

Netmart

2 Replies

Marcel Zehnder
Spotlight

Hi Netmart

What you found is how it's done - regarding the enable password (and any other password) - best practice is using a vault encrypted password (like in your example) or getting the password from an environment variable (in the example the enable password is stored in the variable EN_PASSWORD):

ansible_become: true
ansible_become_method: enable
ansible_become_password: "{{ lookup('ansible.builtin.env', 'EN_PASSWORD') }}"

Hi Marcel.

I chose the path of creating a Vault file containing the encrypted password:

  vars_files:
    - /home/ciscoUser/Ansible/vault_password.yml

  vars:
    ansible_become_pass: "{{ vault_sudo_password }}"
    ansible_python_interpreter: /usr/bin/python3

Thanks,

Martin
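Putting the two replies together, here is a complete play that reads the enable secret from a vault-encrypted variable, escalates with the enable become method, verifies that escalation actually reached privilege level 15 before touching the configuration, and then creates the loopback interface the question asks about. This is an added example, not code posted in the thread. It assumes an inventory group named ios, a vault-encrypted file group_vars/ios/vault.yml that defines vault_enable_password, and the cisco.ios collection being installed; those names are assumptions, not something the thread specifies.

```yaml
# Added example (not from the thread). Assumptions: inventory group "ios",
# a vault-encrypted file group_vars/ios/vault.yml that defines
# vault_enable_password, and the cisco.ios collection installed
# (ansible-galaxy collection install cisco.ios).
---
- name: Configure a loopback on IOS XE using enable-mode escalation
  hosts: ios
  gather_facts: false
  connection: ansible.netcommon.network_cli

  vars:
    ansible_network_os: cisco.ios.ios
    # network_cli sends "enable" and answers the password prompt with
    # ansible_become_password; the secret itself lives only in the vault file
    ansible_become: true
    ansible_become_method: enable
    ansible_become_password: "{{ vault_enable_password }}"

  tasks:
    - name: Check which privilege level the session actually reached
      cisco.ios.ios_command:
        commands:
          - show privilege
      register: priv

    - name: Fail early if enable escalation did not reach level 15
      ansible.builtin.assert:
        that:
          - "'Current privilege level is 15' in priv.stdout[0]"
        fail_msg: "Enable escalation failed; check ansible_become_password"

    - name: Create Loopback100 (merged: only adds what is missing)
      cisco.ios.ios_interfaces:
        config:
          - name: Loopback100
            description: managed-by-ansible
            enabled: true
        state: merged

    - name: Assign an IPv4 address to Loopback100
      cisco.ios.ios_l3_interfaces:
        config:
          - name: Loopback100
            ipv4:
              - address: 10.255.0.1/32
        state: merged
```

Before encryption, group_vars/ios/vault.yml holds a single line such as `vault_enable_password: <your enable secret>`; encrypt it with `ansible-vault encrypt group_vars/ios/vault.yml` and run the play with `--ask-vault-pass` or `--vault-password-file`. The `show privilege` check costs one command but turns a silent escalation failure into a clear assertion message instead of a confusing "invalid input" error on the first configuration task. If you prefer Marcel's environment-variable approach, replace the vault reference with `"{{ lookup('ansible.builtin.env', 'EN_PASSWORD') }}"`; everything else in the play stays the same.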