Updating local IDRAC passwords on Dell hosts using Ansible

Dell hosts have the ability to add multiple local users to the Integrated Dell Remote Access Controller (iDRAC) with different levels of access.

Each IDRAC user has an Account ID number 1 through 2^8. If you have a datacenter operations team that needs admin access, developers that need to check BIOS settings, and automation scripts that need to update firmware, you need to agree on which Account ID you want to use for each task and then assign a user name and password to that Account ID.

You also want to have a root account with admin access that you use to update the other accounts. Setting up the root account and not giving that login and password out to anyone else allows you to manage all of the other accounts. Having two accounts with admin access means you can use root to update the admin account’s password and the admin account can update the root password.

We’ll use the Ansible community.general.redfish_command module to set passwords. This module uses the Redfish API exposed by the iDRAC. The Ansible playbook that updates the passwords looks like this:

---
# ansible/roles/idrac_host/tasks/main.yml

- name: Update IDRAC Passwords
  delegate_to: localhost
  become: False
  block:

  # Create the ILO users and update their passwords
  - name: Use the root account to add and enable the devops user
    community.general.redfish_command:
      category: Accounts
      command: AddUser,EnableUser
      baseuri: "{{ inventory_hostname }}.{{ subdomain }}"
      username: "{{ ilo_root_user_name }}"
      password: "{{ ilo_root_initial_password }}"
      account_id: "{{ ilo_devops_id }}"
      account_username: "{{ ilo_devops_user_name }}"
      account_password: "{{ ilo_devops_password }}"
      roleid: "Administrator"

  - name: Use the root account to set the password of the devops user
    community.general.redfish_command:
      category: Accounts
      command: UpdateUserPassword
      baseuri: "{{ inventory_hostname }}.{{ subdomain }}"
      username: "{{ ilo_root_user_name }}"
      password: "{{ ilo_root_initial_password }}"
      account_username: "{{ ilo_devops_user_name }}"
      account_password: "{{ ilo_devops_password }}"

  - name: Update root user password (if needed)
    community.general.redfish_command:
      category: Accounts
      command: UpdateUserPassword
      baseuri: "{{ inventory_hostname }}.{{ subdomain }}"
      username: "{{ ilo_root_user_name }}"
      password: "{{ ilo_root_initial_password }}"
      account_username: "{{ ilo_root_user_name }}"
      account_password: "{{ ilo_root_password }}"
    when: ilo_root_initial_password != ilo_root_password

  - name: Use the devops account to add and enable the os_deploy user
    community.general.redfish_command:
      category: Accounts
      command: AddUser,EnableUser
      baseuri: "{{ inventory_hostname }}.{{ subdomain }}"
      username: "{{ ilo_devops_user_name }}"
      password: "{{ ilo_devops_password }}"
      account_id: "{{ ilo_os_deploy_id }}"
      account_username: "{{ ilo_os_deploy_user_name }}"
      account_password: "{{ ilo_os_deploy_password }}"
      roleid: "Administrator"

  - name: Use the devops account to set the password of the os_deploy user
    community.general.redfish_command:
      category: Accounts
      command: UpdateUserPassword
      baseuri: "{{ inventory_hostname }}.{{ subdomain }}"
      username: "{{ ilo_devops_user_name }}"
      password: "{{ ilo_devops_password }}"
      account_username: "{{ ilo_os_deploy_user_name }}"
      account_password: "{{ ilo_os_deploy_password }}"

This playbook uses the root account to create a devops account (if it does not exist), then updates the password of the devops account (if it needs to be updated), updates the root password (if it changed), and creates an os_deploy user to use for automation tasks.

This sets up all three as administrator accounts, but other security roles are available.
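After the playbook has run, it is worth checking that the iDRAC really holds the agreed Account ID layout and nothing else. The following is an added example, not code from the post: it takes the members of the standard Redfish /redfish/v1/AccountService/Accounts collection (here a constructed response) and reports any slot whose user name, role or enabled state differs from the vars file, plus any enabled account outside the agreed layout.

```python
"""Drift check for the iDRAC local accounts managed by the playbook.

Added example (not from the original post). The Redfish response below is
constructed to look like the Accounts collection members an iDRAC returns.
"""
import json

# Agreed layout from vars/main.yml: Account ID -> (user name, Redfish RoleId)
EXPECTED = {
    "1": ("root", "Administrator"),
    "3": ("devops", "Administrator"),
    "4": ("os_deploy", "Administrator"),
}

# Constructed response: slot 2 is an empty, disabled slot (fine), slot 4 has
# the wrong role, and slot 5 is an enabled account nobody agreed on.
SAMPLE_RESPONSE = json.dumps({"Members": [
    {"Id": "1", "UserName": "root", "RoleId": "Administrator", "Enabled": True},
    {"Id": "2", "UserName": "", "RoleId": "None", "Enabled": False},
    {"Id": "3", "UserName": "devops", "RoleId": "Administrator", "Enabled": True},
    {"Id": "4", "UserName": "os_deploy", "RoleId": "ReadOnly", "Enabled": True},
    {"Id": "5", "UserName": "tempadmin", "RoleId": "Administrator", "Enabled": True},
]})


def audit_accounts(response_text, expected=EXPECTED):
    """Return a sorted list of (account_id, finding) for every deviation."""
    members = json.loads(response_text)["Members"]
    findings, seen = [], set()
    for m in members:
        acct_id = str(m.get("Id"))
        seen.add(acct_id)
        if acct_id in expected:
            want_name, want_role = expected[acct_id]
            if not m.get("Enabled"):
                findings.append((acct_id, "expected account is disabled"))
            if m.get("UserName") != want_name:
                findings.append((acct_id, f"user name is {m.get('UserName')!r}, expected {want_name!r}"))
            if m.get("RoleId") != want_role:
                findings.append((acct_id, f"role is {m.get('RoleId')!r}, expected {want_role!r}"))
        elif m.get("Enabled"):
            # Any enabled account outside the agreed layout is a finding.
            findings.append((acct_id, f"unexpected enabled account {m.get('UserName')!r}"))
    for acct_id in expected:
        if acct_id not in seen:
            findings.append((acct_id, "expected account slot missing from response"))
    return sorted(findings)


for acct_id, text in audit_accounts(SAMPLE_RESPONSE):
    print(f"account {acct_id}: {text}")
```

On a real host, replace SAMPLE_RESPONSE with the body of a GET on the Accounts collection (the redfish_info module with category Accounts returns the same fields) and fail the playbook when the list is not empty.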

All of the variables are stored in the ansible/roles/idrac_host/vars/main.yml file and the passwords are encrypted using Ansible Vault, so you can store your playbooks in Git without worrying about password leakage.

---
# ansible/roles/idrac_host/vars/main.yml

subdomain: dc.example.com

ilo_root_id: '1'
ilo_root_user_name: 'root'
ilo_root_initial_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          23437326137343536343735666633656266326666353366643633
          31326331613538303739623164313338396365666362623166613
          38336262306666646531663034333338396233363261323039430
          3261
ilo_root_password: "{{ ilo_root_initial_password }}"

ilo_devops_id: '3'
ilo_devops_user_name: 'devops'
ilo_devops_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          3163633564663962303270a303335353435396337393931643032
          3064303161616239390a333865376133346539333233365313566
          30383466656665643661564306330393461326438303332636633
          3255


ilo_os_deploy_id: '4'
ilo_os_deploy_user_name: 'os_deploy'
ilo_os_deploy_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          30383466656665643661373923164626564306338303332636633
          3163633563346466396230a303335353435396337393931643032
          30643039390a33386332343437632333535393136363565313566
          3262

If you want to update the root password, change ilo_root_password, run the playbook on all hosts to update the root password, then set ilo_root_initial_password to the new (encrypted) root password and set ilo_root_password back to "{{ ilo_root_initial_password }}".

Hope you find this useful.

Want to learn Ansible? Start on the Ansible Community Documentation page and just start automating your environment. Want to level up your Ansible skills? I highly recommend the O’Reilly book Ansible: Up and Running.