Greeting everyone,
I've recently started messing with Ansible (in particular Ansible Tower).
I ran into an issue using secure values in my playbook, more accurate, I didn't understand how to use it correctly.
Compared to Chef-Infra, you could use data_bags in order to store your secure credentials.
You create a data bag:
knife data bag create testDataBag
You would create a json file for a data bag item:
{
"id": "preproduction",
"user": "user1",
"password": "this-is-a-password"
}
Upload it to the Chef server while encrypting it with a secret file (which exists the target server):
knife data bag from file testDataBag .\testDataBag\preproduction.json --secret-file .\secret-file
and then you can use it in your cookbook:
userinfo = data_bag_item('testDataBag', preproduction)
userinfo['user'] # "user1"
userinfo['password'] # "this-is-a-password"
An example use case - configuring the password for a Linux user.
userinfo = data_bag_item('testDataBag', preproduction)
user "#{userinfo['user']}" do
comment 'A random user'
home "/home/#{userinfo['user']}"
shell '/bin/bash'
password "userinfo['password']"
end
I know this is a lot of information but I just wanted to show how I'm used to use secure credentials.
Back to Ansible, I understood there is an ansible-vault tool which I can used to encrypt a variable file that later can be used in a playbook.
Sadly the only examples I've seen (or maybe I just didn't notice) include only running playbooks from the command line which is not something I do.
I have a playbook in my GIT repository which is connected to a project in my Ansible Tower.
What do I need to do in order to get to the point I can use a variable which contains the password?
Encryption is the same? by using ansible-vault?
Where do I store the encrypted files? (Specifically in Ansible Tower)
How to store the vault passwords (the one you use to decrypt a vault-id)?
How to access them in my playbook?
I've looked into those links but I couldn't find anything interesting:
https://docs.ansible.com/ansible/latest/user_guide/vault.html
https://docs.ansible.com/ansible/latest/user_guide/playbooks_vault.html
https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html#variables-and-vaults
And in the Ansible Tower documentation there is no explanation on how and where to store your vault-ids.
If anymore information is needed please tell me, I'll update my post.
Thanks everyone!
As far as I know you have two options to achieve this in AWX/Tower, depending on where you want those secrets stored.
Creating a vault within your project/GIT repo
Use "ansible-vault create" command and select a password
Save the credentials within the vault in yaml format and commit/push the changes to git
On your playbook add an include_vars to your vault file and commit/push to git
In Tower create a credential, select type=Vault and add the password for your vault
On your Tower template add the credential you created earlier
Use a custom credential type (this will not save the creds in git at all, they will just live on Tower/AWX)
Create a new custom credential type with an injector configuration type of "extra_vars" and the credentials you want to include as variables in your playbook.
Then create a credential based on the new credential type you created in the previous step.
Now assign that credential to your template, and those variables will just be available in your playbook run.
Here are the details on how to create a custom credential type
https://docs.ansible.com/ansible-tower/latest/html/userguide/credential_types.html
Related
I followed the tutorial provided here : Editing Ansible vault file from a playbook to create the ability to programmatically update my ansible vaults.
Let's say though this is part of a much larger pipeline, where it unreasonable to expect the end user to sit around waiting for the 3+ ansible-vault vault password prompts.
Is there a way to programmatically provide an ansible-vault call with the vault password such that it is automatically entered when it is required?
Ideally, the user at run-time would enter once the vault-password as part of the larger script, and then as the script encounters needs that require ansible-vault the password is provided as a variable as well so the user doesn't have to constantly check back to enter it.
I was unable to find documentation or Q&A covering this specific topic. I'm posting it here with the answer in the hopes that someone finds it useful. I am a member of a small group of automation engineers. One task is to provide automation in Tower for other engineers and admins.
The automation team is happy with our current setup which allows us to run plays from the commandline without locking our accounts, without typing a password every time, and with no passwords stored in plain text:
We use an ansible vault stored in each admin's profile to store encrypted login credentials, along with a gpg armored key. Each vault uses teh same name, similar to ~/.ansible/vault.yml
A script extracts the key and unlocks the vault.
The script is defined in ansible.cfg, [defaults], vault_identity_list.
the playbooks load the vault with vars_files
Tower in job isolation mode cannot access home directories. And we do not want vault+key outside the admin's home folder, subject to random prying. Tower has its own vault system that we use when using tower. We want to maintain our current method of commandline runs, but be able to use the same playbook in Tower and Engine.
I tried:
Forcing tower to read the vault. (no joy)
Playbook with vault commented out. (This worked in tower, but I had to toggle the commenting to run from commandline. Put a pin in this as a last resort.)
Using conditional to only load vars_files when ansible_user is not awx. (Well guess what, it still runs as the user who triggers the job. Put a pin in this to find another variable that is consistent and indicates tower is the platform.)
Using tags and skip-tags within tower to skip vars_files (no joy. Tags don't work on vars_files:)
What I found that worked:
skip-tags does exactly what I needed to do
learned about include_vars (this is a task module that can be tagged)
learned about pre_tasks (since we're including the become credentials in the vault, regular tasks would never be reached because 'no SUDO credentials' would prevent tasks from being run)
so:
pre_tasks:
- include_vars: ~/.ansible/vault.yml
tags: engine
and, in Tower, set the job template to skip-tags: engine
Now the same play works in or out of Tower. With minimal authentication. Without plaintext passwords.
We have one ansible project for two teams with 3 inventory file:
inventory-all
inventory-teamA
inventory-teamB
TeamA has permissions for all and teamA, B for all and teamB. What is the best practise on handling this?
We use ansible-vault to encrypt those inventory files.
I assume it's currently not possible out of the box due to the limit of one password in ansible-vault, see https://github.com/ansible/ansible/issues/13243 .
This can be accompliushed by multiple Vault passwords which is currently not available, but on the roadmap for Ansible 2.4.
"Support for multiple vault passwords"
https://github.com/ansible/ansible/blob/devel/docs/docsite/rst/roadmap/ROADMAP_2_4.rst
I'm attempting to set up a docker-machine on AWS from my computer and I want to use the ~/.aws/credentials file to connect and get going. I'm struggling to sort this out though. Can I check the structure of the credentials file.
I'm expecting to include the following text:
[default]
aws_access_key_id = key-pair-name-from-ec2-key-pair-list
aws_secret_access_key = <this is the bit I'm struggling with>
For the aws_secret_access_key do I need to include the contents of the .pem file which was downloaded when I created the key-pair, and if so then do I include the start and end comments and do I need to strip out the new lines?
I have tried to strip out the lines and strip out the comments but that didn't work, I have also tried to include just as is and again that didn't work. I've also tried the other option of preserving the new lines but removing the comments and again that didn't work.
Am I using the right secret here or is there something else that I should be doing. Is the [default] the correct thing to use or do I need to use [username]?
Key pairs are used only to connect to EC2 instances. To use AWS API's with CLI or any SDK, you have to obtain access key and secret. You can follow this steps to obtain them for your IAM user: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey
The best practice is to create a new user with only needed access rights and create a key for that user. And never expose AWS credentials to public domain.
I have been looking into Ansible vault but want to check something incase I have missed a crucial point.
Do you have to run the playbook and provide the password. Encrypting the data seems a great idea but if I share the playbook the person running it will require the password. If they have the password then they can decrypt the file and see the data.
I would like to use it to set passwords for files but would like non admins to be able to run the playbook.
Have I missed something. I am struggling to see its worth if this is the case.
Thanks
The purpose of the vault is to keep secrets encrypted "at rest" (eg, in your source control repo, on-disk), so that someone can't learn the secrets by getting ahold of the content. As others have mentioned, if you want to delegate use of the secrets without divulging them, you'll need an intermediary like Tower.
In your case you need something that will be brokering ansible execution. Because like you've said an encryption would be useless if you share the password.
Like it's mentioned in the comment you can use Ansible Tower, or you can try and set a simple http endpoint that will be trigerring ansible based on specified parameters.