Ansible + AWX – How to update a linux user password with encryption and password hash

Today we began working on that age-old task of resetting our Linux local account passwords, and on how to do it with Ansible via AWX. It seemed very straightforward using the "user" module in Ansible.

For our setup we use AWX, which is an awesome platform to run and track Ansible playbooks. AWX can define a survey input as an encrypted text field and pass it through to the playbook; however, when the task actually executes on the target machine, that value is written as an unencrypted string when setting the password. This is a problem for the obvious reason: the password then sits in plain text in the target server's shadow file.

The approaches the Ansible docs mention in the user module seemed a little tedious, so we did some googling. We found a great blog post by Jian Jye in our search for a way to hash this password input. It points out a handy filter built right into Ansible called password_hash.

Essentially the playbook looks like the code below, with a single Jinja2 pipe into the filter, where "newpassword" is the input password variable coming from AWX.

---
- hosts: all
  become: yes
  tasks:
    - name: Change user password
      user:
        name: admin
        update_password: always
        # newpassword arrives in plain text from the AWX survey; the filter
        # turns it into a SHA-512 crypt hash before it reaches /etc/shadow
        password: "{{ newpassword|password_hash('sha512') }}"
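To make the failure mode above checkable, here is an added example (my own code, not from the post, from Jian Jye or from Ansible) that audits shadow-style entries and flags any whose password field is neither a recognised crypt hash nor a lock marker. The sample shadow content is constructed, the root hash in it is made up but structurally valid, and the SHA-512 crypt layout it checks ($6$, optional rounds=, salt, 86-character hash) is the form that password_hash('sha512') emits.

```python
import re

# Crypt-style hash formats that a modern /etc/shadow may legitimately hold.
# Ansible's password_hash('sha512') emits the "$6$" form.
_HASH_FORMATS = {
    "sha512": re.compile(r"^\$6\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$"),
    "sha256": re.compile(r"^\$5\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{43}$"),
    "md5": re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$"),
    "bcrypt": re.compile(r"^\$2[abxy]\$\d{2}\$[./0-9A-Za-z]{53}$"),
    "yescrypt": re.compile(r"^\$y\$[./0-9A-Za-z]+\$[./0-9A-Za-z]*\$[./0-9A-Za-z]+$"),
}


def classify_password_field(field: str) -> str:
    """Classify the second field of a shadow entry.

    Returns "empty", "locked", "hash:<format>" or "unknown". An "unknown"
    value is the symptom the post describes: something that is not a
    recognised hash (for example a plain-text password) was written where
    a hash belongs.
    """
    if field == "":
        return "empty"
    # "!" or "*" prefixes mark a locked or disabled account; "!$6$..." is a
    # locked account that still carries its old hash.
    if field.startswith(("!", "*")):
        return "locked"
    for name, pattern in _HASH_FORMATS.items():
        if pattern.match(field):
            return f"hash:{name}"
    return "unknown"


def audit_shadow(text: str) -> list:
    """Return (user, verdict) for every entry whose password field is
    "empty" or "unknown"; hashed and locked entries pass the audit."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, verdict = fields[0], classify_password_field(fields[1])
        if verdict in ("empty", "unknown"):
            findings.append((user, verdict))
    return findings


# Constructed sample /etc/shadow content (not taken from any real host).
# The "root" hash is a structurally valid but made-up SHA-512 crypt string;
# "admin" shows the failure mode: the plain-text survey value landed in the
# hash field because the playbook passed it through unhashed.
_FAKE_SHA512 = "$6$rounds=5000$saltsaltsaltsalt$" + ("abcXYZ./0123456789" * 5)[:86]
SAMPLE_SHADOW = "\n".join([
    f"root:{_FAKE_SHA512}:19000:0:99999:7:::",
    "admin:Summer2024!:19000:0:99999:7:::",
    "svc-backup:!:19000:0:99999:7:::",
    "guest::19000:0:99999:7:::",
])

if __name__ == "__main__":
    for user, verdict in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: password field is {verdict}")
```

Run against the sample it flags admin (plain text) and guest (empty). Note that in the plain-text case the login with that password does not even work, because the login check compares crypt(candidate, stored) with the stored value and a bare password is not a valid crypt setting string; the secret is simply exposed to anyone who can read /etc/shadow. Two caveats to carry into the playbook: set no_log: true on the task so the unhashed variable is not echoed into the AWX job output, and remember that password_hash without an explicit salt picks a fresh random salt on every run, so with update_password: always the shadow entry changes each run even when the password itself has not.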

Big kudos to Jian Jye for the post that made this such easy work: https://jianjye.medium.com/how-to-update-user-password-with-ansible-f971f41a3b3e