In my inventory, I have:
```yaml
brocadeswitches:
  vars:
    brocade_user_name: xxxxxxxxx
    brocade_password: xxxxxxxxx
    asset_type: brocade_san_switch
  hosts:
    syn14b01fc001:
      asset_type: "{{ asset_type }}"
      credential:
        fos_ip_addr: xxx.xxx.xxx.xxx
        fos_user_name: "{{ brocade_user_name }}"
        fos_password: "{{ brocade_password }}"
        https: self
```
I can access the switches when the fos_password is in plain-text.
However, when I replace the password with one encrypted by
ansible-vault, I cannot.
```yaml
brocade_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  33386536306332646533383364373438316539336235383237643262316331323539366665383366
  3831626265306665396136643066636236616534343665380a353536393532356238343039323335
  32636132613332393665373833363432306130666635373839653864363639613732623263633833
  3936616239656437640a336235343138383434653665383237636565316437656138386130646562
  61386336643763346533336462373233623965646530366438336435623432343530
```
The output is shown below.
I suspect that I have an incorrect parameter somewhere or I should
be encrypting more than just the password. What is the proper way
to use ansible-vault encrypted credentials with Brocade SAN switches?
Thank you, Sam
$ ansible-playbook -i inv_sec_brocade.yml _brocade_get_info.yml -e "switch_name=syn14b01fc001" -vvvv
/home/sam/ansible-projects/prod/.venv_sto_mgmt_redux/lib/python3.8/site-packages/paramiko/transport.py:219: CryptographyDeprecationWarning: Blowfish has been deprecated
"class": algorithms.Blowfish,
ansible-playbook [core 2.13.1]
config file = /home/sam/ansible-projects/prod/syntax-next-gen-storage-automation/ansible.cfg
configured module search path = ['/home/sam/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/sam/ansible-projects/prod/.venv_sto_mgmt_redux/lib/python3.8/site-packages/ansible
ansible collection location = /home/sam/.ansible/collections:/usr/share/ansible/collections
executable location = /home/sam/ansible-projects/prod/.venv_sto_mgmt_redux/bin/ansible-playbook
python version = 3.8.10 (default, Jun 22 2022, 20:18:18) [GCC 9.4.0]
jinja version = 3.1.2
libyaml = True
Using /home/sam/ansible-projects/prod/syntax-next-gen-storage-automation/ansible.cfg as config file
setting up inventory plugins
host_list declined parsing /home/sam/ansible-projects/prod/syntax-next-gen-storage-automation/inv_sec_brocade.yml as it did not pass its verify_file() method
script declined parsing /home/sam/ansible-projects/prod/syntax-next-gen-storage-automation/inv_sec_brocade.yml as it did not pass its verify_file() method
Parsed /home/sam/ansible-projects/prod/syntax-next-gen-storage-automation/inv_sec_brocade.yml inventory source with yaml plugin
Loading collection brocade.fos from /home/sam/.ansible/collections/ansible_collections/brocade/fos
Loading callback plugin default of type stdout, v2.0 from /home/sam/ansible-projects/prod/.venv_sto_mgmt_redux/lib/python3.8/site-packages/ansible/plugins/callback/default.py
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
PLAYBOOK: _brocade_get_info.yml ******************************************************************************
Positional arguments: _brocade_get_info.yml
verbosity: 4
connection: smart
timeout: 10
become_method: sudo
tags: ('all',)
inventory: ('/home/sam/ansible-projects/prod/syntax-next-gen-storage-automation/inv_sec_brocade.yml',)
extra_vars: ('switch_name=syn14b01fc001',)
forks: 5
1 plays in _brocade_get_info.yml
PLAY [syn14b01fc001] *****************************************************************************************
META: ran handlers
TASK [gather facts] ******************************************************************************************
task path: /home/sam/ansible-projects/prod/syntax-next-gen-storage-automation/_brocade_get_info.yml:15
Trying secret FileVaultSecret(filename='/home/sam/ansible-projects/prod/syntax-next-gen-storage-automation/.vault_pass') for vault_id=default
<syn14b01fc001> ESTABLISH LOCAL CONNECTION FOR USER: sam
<syn14b01fc001> EXEC /bin/sh -c 'echo ~sam && sleep 0'
<syn14b01fc001> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/sam/.ansible/tmp `"&& mkdir "` echo /home/sam/.ansible/tmp/ansible-tmp-1659178819.6152806-2358361-11692376424131 `" && echo ansible-tmp-1659178819.6152806-2358361-11692376424131="` echo /home/sam/.ansible/tmp/ansible-tmp-1659178819.6152806-2358361-11692376424131 `" ) && sleep 0'
Using module file /home/sam/.ansible/collections/ansible_collections/brocade/fos/plugins/modules/brocade_facts.py
<syn14b01fc001> PUT /home/sam/.ansible/tmp/ansible-local-23583566tcq86t7/tmpv9i7quqr TO /home/sam/.ansible/tmp/ansible-tmp-1659178819.6152806-2358361-11692376424131/AnsiballZ_brocade_facts.py
<syn14b01fc001> EXEC /bin/sh -c 'chmod u+x /home/sam/.ansible/tmp/ansible-tmp-1659178819.6152806-2358361-11692376424131/ /home/sam/.ansible/tmp/ansible-tmp-1659178819.6152806-2358361-11692376424131/AnsiballZ_brocade_facts.py && sleep 0'
<syn14b01fc001> EXEC /bin/sh -c '/usr/bin/env python3 /home/sam/.ansible/tmp/ansible-tmp-1659178819.6152806-2358361-11692376424131/AnsiballZ_brocade_facts.py && sleep 0'
<syn14b01fc001> EXEC /bin/sh -c 'rm -f -r /home/sam/.ansible/tmp/ansible-tmp-1659178819.6152806-2358361-11692376424131/ > /dev/null 2>&1 && sleep 0'
fatal: [syn14b01fc001]: FAILED! => {
"POST_resp_code": 403,
"POST_resp_data": {
"errors": {
"@xmlns": "urn:ietf:params:xml:ns:yang:ietf-restconf",
"error": {
"error-app-tag": "Error",
"error-info": {
"error-code": "13",
"error-module": "auth"
},
"error-message": "Invalid credentials or auth-type",
"error-tag": "operation-failed",
"error-type": "application"
}
}
},
"POST_resp_reason": "Forbidden",
"POST_url": "https://********/rest/login",
"changed": false,
"invocation": {
"module_args": {
"credential": {
"fos_ip_addr": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"fos_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"fos_user_name": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"https": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
},
"gather_subset": [
"brocade_zoning",
"brocade_interface_fibrechannel",
"brocade_chassis_chassis",
"brocade_fabric_fabric_switch",
"brocade_fibrechannel_configuration_fabric",
"brocade_fibrechannel_configuration_port_configuration",
"brocade_fibrechannel_switch",
"brocade_fibrechannel_trunk_trunk",
"brocade_fibrechannel_trunk_performance",
"brocade_fibrechannel_trunk_trunk_area",
"brocade_time_clock_server",
"brocade_time_time_zone",
"brocade_logging_syslog_server",
"brocade_logging_audit",
"brocade_media_media_rdp",
"brocade_snmp_system",
"brocade_security_ipfilter_rule",
"brocade_security_ipfilter_policy",
"brocade_security_user_config",
"brocade_security_password_cfg",
"brocade_snmp_v1_account",
"brocade_snmp_v1_trap",
"brocade_snmp_v3_account",
"brocade_snmp_v3_trap",
"brocade_maps_maps_config",
"brocade_security_sec_crypto_cfg_template_action",
"brocade_security_sshutil_public_key",
"brocade_security_ldap_role_map"
],
"throttle": null,
"timeout": null,
"vfid": -1
}
},
"msg": "POST failed"
}
PLAY RECAP ***************************************************************************************************
syn14b01fc001 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
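An offline check related to the question above, as an added example that is not part of the original issue or of the brocade.fos collection: it parses an Ansible Vault 1.1/1.2 envelope with the standard library only and, because Vault applies PKCS#7 padding before AES-CTR, derives the byte-length range of the encrypted value, which can reveal that the vaulted string is not the same length as the intended password (for example when a trailing newline was encrypted with it). The function names and the sample envelope are constructed for illustration; no vault password is needed and nothing is decrypted.

```python
import binascii

BLOCK = 16  # AES block size; Vault applies PKCS#7 padding before AES-CTR


def parse_vault(text):
    """Split a vault envelope into header fields, salt, HMAC and ciphertext."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    header = lines[0].split(";")
    if header[0] != "$ANSIBLE_VAULT" or len(header) not in (3, 4):
        raise ValueError("not an Ansible Vault header")
    if header[1] not in ("1.1", "1.2") or header[2] != "AES256":
        raise ValueError("unsupported format version or cipher")
    try:
        inner = binascii.unhexlify("".join(lines[1:]))
        salt, mac, ct = (binascii.unhexlify(p) for p in inner.split(b"\n"))
    except (binascii.Error, ValueError) as exc:
        raise ValueError("body is truncated or corrupted: %s" % exc)
    if len(salt) != 32 or len(mac) != 32 or not ct or len(ct) % BLOCK:
        raise ValueError("unexpected salt, HMAC or ciphertext length")
    return {"version": header[1], "vault_id": header[3] if len(header) == 4 else None,
            "salt": salt, "hmac": mac, "ciphertext": ct}


def plaintext_length_range(ciphertext):
    """PKCS#7 always adds 1..16 bytes, so n bytes of ciphertext hold n-16..n-1."""
    return len(ciphertext) - BLOCK, len(ciphertext) - 1


def check_expected_length(text, expected_len):
    """Compare the intended secret's UTF-8 byte length with the envelope."""
    low, high = plaintext_length_range(parse_vault(text)["ciphertext"])
    if low <= expected_len <= high:
        return "consistent"          # cannot rule out a same-block difference
    if low <= expected_len + 1 <= high:
        return "one byte longer"     # e.g. a trailing newline was encrypted
    return "different value"


def make_sample(ciphertext_len):
    """Constructed envelope with dummy bytes (not real encryption output)."""
    parts = [b"\x01" * 32, b"\x02" * 32, b"\x03" * ciphertext_len]
    body = binascii.hexlify(b"\n".join(binascii.hexlify(p) for p in parts)).decode()
    wrapped = "\n".join("  " + body[i:i + 80] for i in range(0, len(body), 80))
    return "$ANSIBLE_VAULT;1.1;AES256\n" + wrapped


SAMPLE = make_sample(32)
print(plaintext_length_range(parse_vault(SAMPLE)["ciphertext"]), check_expected_length(SAMPLE, 15))
```

A "consistent" result only means the length falls in the same padding block; confirming the exact value still requires decrypting it with the vault password.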