{{announcement.body}}
{{announcement.title}}

Managing Secrets for Automation Using Ansible Vault and Tower

DZone 's Guide to

Managing Secrets for Automation Using Ansible Vault and Tower

Managing secrets is essential for all businesses. In this tutorial, let's go into how to encrypt your secrets or sensitive data using the Ansible Vault tool.

· Open Source Zone ·
Free Resource

In today's advanced technology, Managing secrets is essential for all businesses. Failing to manage the secrets under a tightly controlled security environment, may lead to worst consequences. In this tutorial, I am explaining how to encrypt your secrets or sensitive data using the Ansible Vault tool which is very useful for Automation.

Ansible Vault

Ansible is a configuration management tool from Redhat, which is a simple and powerful tool for infrastructure automation. During automation, it is important to hide sensitive data like API key, DB credentials, and server login credentials, etc, and exposing them is a threat to attack. Vault tool from Redhat Ansible provides the flexibility to encrypt these secrets in a very easy way.

Encrypt secrets using Ansible Vault

The following example will help you to understand how to encrypt secrets via ansible vault during automation. Let's create a role called manage-secret inside roles folder using ansible-galaxy command as below:

Shell
 




x


1
(ansible-venv) [test-user@linux-node dzone-ansible-secret]$ ls
2
inventory  playbook-httpd-install.yml  roles
3
 
          
4
(ansible-venv) [test-user@linux-node roles]$ ansible-galaxy init manage-secret
5
- Role manage-secret was created successfully
6
 
          
7
(ansible-venv) [test-user@linux-node dzone-ansible-secret]$ tree roles/manage-secret/
8
.
9
├── defaults
10
│   └── main.yml
11
├── files
12
├── handlers
13
│   └── main.yml
14
├── meta
15
│   └── main.yml
16
├── README.md
17
├── tasks
18
│   └── main.yml
19
├── templates
20
├── tests
21
│   ├── inventory
22
│   └── test.yml
23
└── vars
24
    └── main.yml
25
 
          
26
8 directories, 8 files


create secret.yml inside defaults directory, with secret data that you want to encrypt. You can use any editor or directly use ansible-vault create secret.yml command.

YAML
 




x


1
secret:
2
  api_token: "abc34ff-09fedf-oac5fc-ufh0ed-90defa"
3
  licence_key: "EERST36ENO43MOUNSL0SF24IUR"


To encrypt the secret, use encrypt key word along with ansible-vault command as shown below

Shell
 




x


1
(ansible-venv) [test-user@linux-node defaults]$ ansible-vault encrypt secret.yml
2
New Vault password: 
3
Confirm New Vault password: 
4
Encryption successful


now the content of the secret.yml file is in an encrypted format and difficult for readability.

Shell
 




xxxxxxxxxx
1
13


 
1
(ansible-venv) [test-user@linux-node defaults]$ cat secret.yml 
2
$ANSIBLE_VAULT;1.1;AES256
3
64366334656464366234396134613266316239353236616164643661313938306164383935333832
4
6564653932383864363938386465663666323237343533650a643534376263363061343062303565
5
39643133336466333539663130303261343138323036656233613035313630383764343037643136
6
3366333462613861390a353065313931353330663765323639353936376433643266363933373163
7
37623663653432346564646532663566386632623432376431373037653063373434643931396339
8
38666132303236353531326632363733363530653263393434636531313131653633363932376337
9
65663736303838343239333631356538366334396535396466346461653534383432643539386337
10
32396466313366386162346264366435373135376139303031313463663762373536393437666436
11
65633837373966666637383435396663333337636331346232616434666531386266333364373431
12
35626235346639353331653134636265646662623038663364336232326563633039376163376232
13
323361376464643630373931343331633833


use below ansible-vault edit command, to update or modify the secrets by providing a decryption key in the command prompt.

Shell
 




x


1
(ansible-env) [test-user@linux-node defaults]$ ansible-vault edit secret.yml 
2
Vault password: 


ansible-vault view command is used to view the contents of the secret file.

Read Secrets in Ansible Playbook

To read the secrets, let's edit main.yml under tasks directory as below. Read parameters of secret.yml file in task using module include_vars: "defaults/secret.yml"

YAML
 




xxxxxxxxxx
1
12


 
1
---
2
# tasks file for manage-secret
3
- name: Read secret file
4
  include_vars: "defaults/secret.yml"
5
 
          
6
- name: display API Token
7
  debug:
8
    msg: "{{ secret.api_token }}"
9
 
          
10
- name: display LICENCE Key"
11
  debug:
12
    msg: "{{ secret.licence_key }}"


Execute playbook as below and provide decryption key while prompts

Shell
 




x





1
(ansible-venv) [test-user@linux-node dzone-ansible-secret]$ ansible-playbook playbook-manage-secret.yml --ask-vault-pass
2
Vault password: 
3
[WARNING]: No inventory was parsed, only implicit localhost is available
4
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
5
 
          
6
PLAY [DZone ansible-vault demo] *********************************************************************************
7
TASK [Gathering Facts] *********************************************************************************
8
ok: [localhost]
9
 
          
10
TASK [manage-secret : Read secret file] *********************************************************************************
11
ok: [localhost]
12
 
          
13
TASK [manage-secret : display API Token] *********************************************************************************
14
ok: [localhost] => {
15
    "msg": "abc34ff-09fedf-oac5fc-ufh0ed-90defa"
16
}
17
 
          
18
TASK [manage-secret : display LICENCE Key] *********************************************************************************
19
ok: [localhost] => {
20
    "msg": "EERST36ENO43MOUNSL0SF24IUR"
21
}
22
 
          
23
PLAY RECAP *********************************************************************************
24
localhost                  : ok=5    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0  


But providing a password via terminal with a prompt is difficult while using automation and user may not be able to intervene to provide decryption key in command-line. Hence the alternate option for automation is, the decryption key can be read from the file. The below example shows, how the encryption key is read via file.

Shell
 




xxxxxxxxxx
1
25


 
1
(ansible-venv) [test-user@linux-node dzone-ansible-secret]$ ansible-playbook playbook-manage-secret.yml --vault-password-file /home/test-user/decrypt_key.txt
2
[WARNING]: No inventory was parsed, only implicit localhost is available
3
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
4
 
          
5
PLAY [DZone ansible-vault demo] *********************************************************************************
6
 
          
7
TASK [Gathering Facts] *********************************************************************************
8
ok: [localhost]
9
 
          
10
TASK [manage-secret : Read secret file] *********************************************************************************
11
ok: [localhost]
12
 
          
13
TASK [manage-secret : display API Token] *********************************************************************************
14
ok: [localhost] => {
15
    "msg": "abc34ff-09fedf-oac5fc-ufh0ed-90defa"
16
}
17
 
          
18
TASK [manage-secret : display LICENCE Key] *********************************************************************************
19
ok: [localhost] => {
20
    "msg": "EERST36ENO43MOUNSL0SF24IUR"
21
}
22
 
          
23
PLAY RECAP *********************************************************************************
24
localhost                  : ok=5    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   


But storing the decryption key in file is dangerous and vulnerable for the attack as anyone can read and can't be stored on git or any repository level.  So the best way to overcome this problem is to use Ansible Tower. 

Ansible Tower

Tower tool from Ansible Redhat provides a web-based user interface with enhanced features for efficient automation. Let's see how to create a vault credential to decrypt the secrets.

Decrypt Secret Using Ansible Tower Vault Credential

Click Credentials on the left navigation panel to create a new credential. Select Vault in credential type and enter your decryption key in Vault Password and save it.

Select Vault in credential type and enter your decryption key in Vault Password and save it.

Now map this ansible-vault-decryption-key vault credential in Ansible Tower templateNow map this ansible-vault-decryption-key vault credential in Ansible Tower template

You will be able to see the decrypted information in Tower Job
You will be able to see the decrypted information in Tower Job

Summary

Ansible from Redhat is widely used as a configuration management tool for infrastructure automation such as provisioning servers, middleware deployment, and configurations, etc.  While using the automated deployment and configuration process, it is important, not to expose the secret information outside. Ansible vault provides a more easy and simple way to encrypt secrets. In this tutorial, I have explained how we can manage these secrets using Ansible Vault and Tower.

Topics:
ansible, ansible galaxy, ansible playbook, ansible tower

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}