Handling secrets in your Ansible playbooks


Hello! This article discusses how to manage secrets (usernames, passwords, tokens and other sensitive information) in your Ansible playbooks.

Ansible Vault can encrypt and decrypt arbitrary variables and files, which means you can use it to protect variable files that contain secrets or even encrypt entire sensitive configuration files. Ansible Vault has many advanced features, but this article focuses on the basics.

Prompts

If you want your playbook to prompt the user for a certain input, add a vars_prompt section. Prompting the user for variables lets you avoid recording sensitive data like passwords on disk. Besides security, prompts also give you flexibility: for example, if you use one playbook across multiple software releases, you could prompt for the particular release version.

---
- name: Update Config
  hosts: ServersG1
  gather_facts: false
  vars_prompt:
    - name: api_key
      prompt: Enter the API key

  tasks:
    - name: Add API key to the config file
      lineinfile:
        path: ~/config.ini
        line: "API_KEY={{ api_key }}"

Now, once I run this playbook, Ansible prompts me at the command line with the message given in the prompt parameter:

$ ansible-playbook -i inventory.ini tuto.yaml
Enter the API key:

The input is hidden by default; to make it visible as it is typed, set private: no on the vars_prompt entry.

Ansible Vault

Ansible Vault is a feature that allows you to keep all your secrets safe. It can encrypt entire files, entire YAML playbooks, or even a few variables. It provides a facility where you can not only encrypt sensitive data but also integrate it into your playbooks.

Start with a plain YAML variables file that holds the secret:

$ cat secrets.enc
api_key: secret-key-here

Encrypt the file with ansible-vault:

$ ansible-vault encrypt secrets.enc
New Vault password:
Confirm New Vault password:
Encryption successful

Let’s confirm that the file now contains encrypted content:

$ cat secrets.enc
$ANSIBLE_VAULT;1.1;AES256
64613537313135656666353061633034366336333238366530306236646433313432326464623234
6332656666323735333766366635656130343538373835610a376639343461306461656233613661
62336435313732633734313135343261343631316333303237613331363263303936653934633861
3636363262343639620a323032366536363038366237343431336463373032646164663030656663
63666362626464633962396433323632623166613463363362633866336639616632396637643235
62323363353831303231326563643937613236316639353535326131376362613664353130376230
646139633739343861346563633936373334

When I run my playbook, I can pass the encrypted variables file and tell Ansible to prompt me for the password. Ansible will decrypt the file and use the variables that I defined.

$ ansible-playbook -i inventory.ini -e @secrets.enc --ask-vault-pass tuto.yaml

output:

Vault password:
PLAY [Update Config] **********************************************************

TASK [Add API key to the config file] *****************************************
ok: [XM001XAM]

PLAY RECAP ********************************************************************
XM001XAM : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Now let’s confirm on the remote server(s):

$ cat config.ini
API_KEY=secret-key-here

In case you want to update the api_key, there are two ways to edit an encrypted Ansible Vault file: edit it in place, or fully decrypt it, edit it, and then re-encrypt it. Both methods are shown below.

# The edit command will launch a text editor, such as vi
$ ansible-vault edit secrets.enc
Vault password:

Now we can edit our secret file, save the changes, and exit.

The second way (the recommended way):

# The decrypt command will fully decrypt the file, allowing you to manipulate it how you see fit.
$ ansible-vault decrypt secrets.enc
Vault password:
Decryption successful

Notice that the file has been decrypted:

$ cat secrets.enc
api_key: secret-key-here

Don’t forget to re-encrypt the file when you’re done!

$ ansible-vault encrypt secrets.enc
New Vault password:
Confirm New Vault password:
Encryption successful

Let’s confirm that the file now contains encrypted content:

$ cat secrets.enc
$ANSIBLE_VAULT;1.1;AES256
33373832393864613335393836616538373639353538306462366464303939303838316337336662
6235303936636465366363643761383462356335336239640a356161653166643134663762323136
34616431303434646338343265666135666263633162383662323164396266616638313936303863
3337626365313666630a326465663239653731613637303437666164346531636361653837326166
34396232623138616364393130303036653564643435636639316264636531336161

Using an Ansible Vault for secrets is one of my favorite methods of storing sensitive data. The benefit of this approach is that you can actually store your sensitive data in source control, side-by-side with your regular playbooks. Since these files are encrypted, there’s little risk in this approach as long as you pick a strong password. Like any shared secret, it’s a good idea to rotate the encryption password frequently. Ansible also offers several advanced features for Vaults, such as the ability to have different passwords for different Vaults. Be sure to review the documentation for great ways to secure your secrets using Ansible’s native capabilities.
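The two failure modes in the workflow above are forgetting to re-encrypt a file before committing it, and leaving the vault password itself lying around world-readable once you move from --ask-vault-pass to a password file (ansible-playbook --vault-password-file, or the ANSIBLE_VAULT_PASSWORD_FILE environment variable). The script below is an added example, not code from the original article or from the Ansible project: it can run as a git pre-commit hook or CI step. It assumes (hypothetically) that encrypted variable files use the *.enc naming convention seen above, and it needs no Ansible installation since it only inspects the vault header and file permissions.

```shell
#!/bin/sh
# vault-guard.sh: pre-commit / CI hygiene checks for Ansible Vault files.
# Added example; not part of the original article or of Ansible itself.
# Assumptions (hypothetical): encrypted variable files are named *.enc
# (like secrets.enc above); the vault password, if any, lives in a file
# passed as an argument or named by ANSIBLE_VAULT_PASSWORD_FILE.

# is_vault_encrypted FILE
# Returns 0 if FILE starts with the Ansible Vault header shown in the
# article ($ANSIBLE_VAULT;<format>;AES256[;<vault id>]), 1 otherwise.
is_vault_encrypted() {
    [ -f "$1" ] || return 1
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;[0-9]\.[0-9];AES256'
}

# check_plaintext_secrets DIR
# Finds every *.enc file under DIR and reports those that are not
# vault-encrypted (the "decrypted it, forgot to re-encrypt" case).
# Returns the number of offending files, so 0 means clean.
check_plaintext_secrets() {
    dir=$1
    bad=0
    # Heredoc instead of a pipe so the loop runs in this shell and $bad survives.
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if ! is_vault_encrypted "$f"; then
            echo "NOT ENCRYPTED (plaintext secrets?): $f" >&2
            bad=$((bad + 1))
        fi
    done <<EOF
$(find "$dir" -type f -name '*.enc')
EOF
    return "$bad"
}

# check_password_file FILE
# A vault password file is itself a secret: refuse it unless it is
# non-empty and readable only by its owner (mode 600 or 400).
check_password_file() {
    f=$1
    [ -f "$f" ] || { echo "missing password file: $f" >&2; return 1; }
    [ -s "$f" ] || { echo "empty password file: $f" >&2; return 1; }
    # stat -c is GNU coreutils; stat -f is BSD/macOS. Try both.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    case "$mode" in
        600|400) return 0 ;;
        *) echo "password file $f has mode $mode, expected 600 or 400" >&2
           return 1 ;;
    esac
}

# Usage: sh vault-guard.sh [SECRETS_DIR] [VAULT_PASSWORD_FILE]
main() {
    dir=${1:-.}
    pwfile=${2:-${ANSIBLE_VAULT_PASSWORD_FILE:-}}
    status=0
    check_plaintext_secrets "$dir" || status=1
    if [ -n "$pwfile" ]; then
        check_password_file "$pwfile" || status=1
    fi
    [ "$status" -eq 0 ] && echo "vault guard: OK"
    return "$status"
}

# Only run main when executed as vault-guard.sh, so the functions can be
# sourced by a git hook or a test without side effects.
case "$0" in
    *vault-guard.sh) main "$@" ;;
esac
```

Install it as .git/hooks/pre-commit (or call it from CI) with the repository root as the first argument, and the commit is refused whenever a *.enc file is sitting in the plaintext form that ansible-vault decrypt leaves behind. The header match accepts both the 1.1 format shown above and the 1.2 format that carries a vault id, so it keeps working if you adopt per-environment vault passwords.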
