This repository was archived by the owner on Oct 17, 2024. It is now read-only.

ansible-vault.md

Protecting Secrets in Ansible

  • There is one big problem with playbook-dict.yml
  • The database password sits in plain text in the playbook, so anyone who can read the repository (or a backup of it) has the password
  • Ansible provides a tool for managing secrets
  • `ansible-vault` encrypts and decrypts files containing secrets for your app, so the encrypted file can live in the repository while the password stays out of it

$ ansible-vault --help

Usage: ansible-vault [create|decrypt|edit|encrypt|encrypt_string|rekey|view] [options] [vaultfile.yml]

encryption/decryption utility for Ansible data files

Options:
--ask-vault-pass      ask for vault password
-h, --help            show this help message and exit

ansible-vault

  • Uses AES-256 in CTR mode with an HMAC-SHA256 integrity check; the key is derived from the vault password with PBKDF2, so the strength of the password is the strength of the vault
  • Secret files can be
    • Loaded automatically as host_vars or group_vars inventory files
    • Included with include_vars or vars_files directives
  • Encrypted files can be distributed with your application; whoever holds the vault password can decrypt them, and old ciphertext stays in git history, so if the password leaks, rotate the secrets themselves and not only the vault password
Exercise: Protecting our database passwords
  • Create a new file called secrets.yml
    mkdir -p group_vars/web
    vim group_vars/web/secrets.yml
    
    ---
    vault_staging_database_password: <some password>
    vault_production_database_password: <some password>
    
  • Encrypt group_vars/web/secrets.yml
    ansible-vault encrypt group_vars/web/secrets.yml
    New Vault password: 
    Confirm New Vault password: 
    Encryption successful
    
    
    • The first line of the file now reads $ANSIBLE_VAULT;1.1;AES256 and the rest is hex-encoded ciphertext; if you can still read the passwords in the file, the encryption did not happen
    • Make sure you can remember your password! There is no recovery path: lose it and the file is unreadable

Integrating vaulted secrets

  • Replace references to staging/production database passwords with the vault_ variables; keeping the real variable names in plain-text vars and pointing them at the vault_ ones means grep and ansible-inventory still show where a value comes from
    database:
      staging:
        password: "{{ vault_staging_database_password }}"
      production:
        password: "{{ vault_production_database_password }}"
    
  • The value is decrypted in memory on the control node and templated like any other variable; tasks that use it should set no_log: true, or it can turn up in verbose output and logs

Running Ansible with vault

  • Run playbook using --ask-vault-pass flag
    
      ansible-playbook playbook-dict.yml --ask-vault-pass
      Vault Password: ******
     

Alternate ways to provide vault password

  • Typing the vault password all the time is annoying
  • You can put your vault password in a file (Ansible strips the trailing newline); set its mode to 600 so only you can read it
    echo "mysecretpassword" > .vault_password
    
  • Then run the playbook with the --vault-id argument (--vault-password-file works the same way)
    
     ansible-playbook --vault-id .vault_password playbook-dict.yml
     
  • If the file is executable, Ansible runs it and uses its stdout as the password, which is how you hook in a password manager or secret store instead of a plain file
  • Be sure you add this file to .gitignore!!! A committed password file makes the vault worthless, and git history keeps it even after you delete it

Managing multiple vault secrets

  • As of Ansible 2.4 it is possible to have multiple vault passwords, each identified by a label called a vault id
  • Change directory
     cd $INTRO_ANSIBLE_DIR/vault-management
     tree
     ├── ansible.cfg.example
     ├── group_vars
     │   ├── dev
     │   │   └── dev-secret.yml
     │   └── prod
     │       └── prod-secret.yml
     └── inventory
         └── hosts
    
  • We want to encrypt dev and prod secrets separately
    • someone who holds the dev password must not be able to read the prod secrets

Using separate vault passwords

prompting for password
  • Encrypt the prod secret
    • For the prod password, let's tell Ansible to **prompt** for a password
    ansible-vault encrypt --encrypt-vault-id prod --vault-id prod@prompt \
             group_vars/prod/prod-secret.yml
    • Ansible will prompt for a new password (--vault-id supplies a secret, --encrypt-vault-id says which one to encrypt with)
    • The encrypted file now uses the 1.2 header format, which carries the label prod
    
      $ANSIBLE_VAULT;1.2;AES256;prod
      33633335336634393739363636633039376334303533636336373636663139383837663531353134
      6536396633616636383734656439643334653739346462660a323832643834613636393339346232
     

Using separate vault passwords

password file
  • Encrypt the dev secret
    • For the dev password, let's use a password file (mode 600, and in .gitignore like before)
    echo "mydevvaultpassword" > dev_vault_password
     ansible-vault encrypt --encrypt-vault-id dev \
         --vault-id dev@dev_vault_password group_vars/dev/dev-secret.yml
    • Ansible will **not** prompt for a password
    • The encrypted file carries the label dev in its header
    
      $ANSIBLE_VAULT;1.2;AES256;dev
      66313465646336616231323030633961613464613065373138333862303936333266653366366639
      3965323362353061396662623835636138343534363239390a333332316361343737666137396439
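
As an added example (it is not part of the original course material or of Ansible itself), here is a small POSIX shell guard that covers both the secrets.yml exercise above and the labelled headers shown in this section: it reads the header line ansible-vault writes, reports the format version and vault id label, and refuses any file that is still plain text, so a never-encrypted secrets file can be blocked in a pre-commit hook. The file names, the hook wiring and the demo contents are assumptions; the header layouts are the two shown in the encrypted files above.

```shell
#!/bin/sh
# Added example, not from the original page or from Ansible.
# Tells vaulted files from plain-text ones by the header ansible-vault writes:
#   "$ANSIBLE_VAULT;1.1;AES256"          encrypted with a single, unlabelled password
#   "$ANSIBLE_VAULT;1.2;AES256;<label>"  encrypted with --encrypt-vault-id <label>
# File names used below are assumptions.

# vault_info FILE
#   stdout: "vault <version> <cipher> <label>" for a vaulted file (label is
#           "default" for the 1.1 format), "plaintext" or "missing" otherwise.
#   status: 0 vaulted, 1 plain text, 2 file missing.
vault_info() {
    vi_file="$1"
    [ -f "$vi_file" ] || { echo "missing"; return 2; }
    vi_header=$(head -n 1 "$vi_file" | tr -d '\r')
    case "$vi_header" in
        '$ANSIBLE_VAULT;'*)
            # fields are ';'-separated: marker, format version, cipher, optional label
            vi_version=$(printf '%s\n' "$vi_header" | cut -d ';' -f 2)
            vi_cipher=$(printf '%s\n' "$vi_header" | cut -d ';' -f 3)
            vi_label=$(printf '%s\n' "$vi_header" | cut -d ';' -f 4)
            [ -n "$vi_label" ] || vi_label=default
            echo "vault $vi_version $vi_cipher $vi_label"
            return 0
            ;;
        *)
            echo "plaintext"
            return 1
            ;;
    esac
}

# check_vaulted FILE...
#   Names every file that is not vaulted on stderr and returns 1 if there is
#   any; returns 0 when all are vaulted. Hypothetical pre-commit wiring:
#   check_vaulted $(git diff --cached --name-only | grep 'group_vars/.*secret')
check_vaulted() {
    cv_rc=0
    for cv_f in "$@"; do
        cv_info=$(vault_info "$cv_f") || {
            echo "refusing to commit $cv_f: $cv_info" >&2
            cv_rc=1
        }
    done
    return $cv_rc
}

# Stand-alone demo on constructed files: the hex bodies are made up, only the
# header line matters to the checks.
demo() {
    d=$(mktemp -d)
    printf '$ANSIBLE_VAULT;1.2;AES256;prod\n3363333533663439\n' > "$d/prod-secret.yml"
    printf '$ANSIBLE_VAULT;1.1;AES256\n3732656265373035\n' > "$d/secrets.yml"
    printf -- '---\nvault_staging_database_password: hunter2\n' > "$d/forgot-to-encrypt.yml"
    for f in "$d"/*.yml; do
        printf '%s: %s\n' "$f" "$(vault_info "$f")"
    done
    check_vaulted "$d"/*.yml && echo "all vaulted" || echo "commit blocked"
    rm -rf "$d"
}
demo
```

The check deliberately looks only at the header: the ciphertext itself is opaque without the password, and the header is exactly what ansible-vault and ansible-playbook use to decide which vault id to try first, so a file that passes here is one Ansible will treat as vaulted.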
     

Accessing vaulted files

  • You can now use vault-ids when accessing vaulted files
    ansible-vault view --vault-id dev@dev_vault_password \
       group_vars/dev/dev-secret.yml
    
    ansible-vault view --vault-id prod@prompt \
       group_vars/prod/prod-secret.yml
    
  • Or do all at the same time
    ansible-vault view --vault-id prod@prompt \
       --vault-id dev@dev_vault_password  \
           group_vars/**/*-secret.yml
    
    • Ansible prompts once for the prod password and reads the dev password from the file; each file is decrypted with the secret whose label matches its header
    • The label is only a hint: by default Ansible falls back to trying every supplied password on every file, so set vault_id_match = True in ansible.cfg if a wrong label should be an error
Using vault-ids with ansible-playbook

  • Pass the --vault-id that is relevant for the environment
     ansible-playbook playbook-dev.yml -i inventory/hosts \
        --vault-id dev@dev_vault_password
    
  • If the run requires multiple vault passwords, pass one --vault-id per secret
     ansible-playbook -i inventory/hosts \
         --vault-id dev@dev_vault_password \
         --vault-id prod@prompt \
         playbook-dev.yml playbook-prod.yml
    

Vault Ids and ansible.cfg

  • It is possible to configure the vault password files in ansible.cfg so the --vault-id flags can be dropped; the key is vault_identity_list, a comma-separated list of label@path entries
    [defaults]
    # other config
    # dev_vault_password is in ~/.ansible directory, prod_vault_password in
    # working directory
    vault_identity_list = dev@~/.ansible/dev_vault_password, prod@prod_vault_password

Adding secure content inline

ansible-vault encrypt_string
  • Sometimes useful to add secure content in a playbook inline
  • encrypt_string generates vaulted output that can be pasted into a playbook or vars file as a single variable; with --vault-id @prompt (no label) the output uses the 1.1 header
    echo "mysecretPas2wurd1" | ansible-vault --vault-id @prompt encrypt_string \
        --stdin-name vault_my_password
     New Vault password:  *******
     Confirm New Vault password: *******
    
     vault_my_password: !vault |
           $ANSIBLE_VAULT;1.1;AES256
           37326562653730353232346530336334346163633964373732653132370a373
           353439303265373737653963396666653638366639633966666536383666583
    
  • echo appends a newline, which becomes part of the encrypted value; use printf '%s' or echo -n when the trailing newline matters, which for a password it usually does
  • Piping the secret in also leaves it in your shell history; the --prompt option of encrypt_string asks for the string interactively instead

Summary

  • ansible-vault is a way to keep secrets safe at rest
    • passwords
    • API keys
    • TLS/SSL private keys
  • Easy to distribute encrypted secrets with code without compromising them, as long as the vault password itself never reaches the repository
  • Integrates into the normal automation flow: vaulted vars files load like any others once a password is supplied

Destroy VM

  • We are now done with the VM we've been using
  • Before we move on we need to stop and remove the current Vagrant VM
vagrant halt
vagrant destroy