How to Use Ansible Vault to Store Secret Keys
With most automation, credentials are needed to authenticate to and use protected resources. What has always been a challenge is how best to store those credentials securely. Ansible is an automation system that provides software provisioning, configuration management, and application deployment.
As with any automation system, Ansible needs a secure way to store secrets. In Ansible's case, that system is called Ansible Vault. Ansible Vault provides a cross-platform solution for storing credentials securely.
Introducing Ansible Vault
Ansible Vault can be used to encrypt whole files, or individual variables, from within a playbook. By default AES is used, which is shared-secret (symmetric) encryption. Both file encryption and variable encryption have their advantages and disadvantages.
To create a new encrypted file named secrets.yml, use the following ansible-vault command:
ansible-vault create secrets.yml
After prompting for a password, the ansible-vault command launches the default system editor; the file is written encrypted when you save it.
Similarly, to encrypt a previously unencrypted file, use the following ansible-vault command. Note that this uses the encrypt subcommand rather than create:
ansible-vault encrypt secrets.yml
The downside of file encryption is readability: if you open the file without decrypting it, the contents are impossible to make sense of.
Within a playbook, it's possible to use an encrypted variable by prefixing the encrypted data with the !vault tag. Running the encrypt_string subcommand of the ansible-vault command produces an encrypted string that you can use inside your playbooks:
ansible-vault encrypt_string 'secret_data' --name 'my_secret'
After prompting you for a password, you will get the following encrypted string.
my_secret: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          37636561366636643464376336303466613062633537323632306566653533383833366462366662
          6565353063303065303831323539656138653863353230620a653638643639333133306331336365
          62373737623337616130386137373461306535383538373162316263386165376131623631323434
          3866363862363335620a376466656164383032633338306162326639643635663936623939666238
          3161
Variable encryption is good for readability, but you give up command-line rekeying when using this method.
Using Ansible Vault in Practice
You may find that using Ansible Vault in production is a challenge. The following techniques make the process easier:
- Unprompted Decryption
- Multiple Vaults
One option for transparently decrypting a file or variable while running Ansible is to store the password in a protected, unversioned password file. To reference this stored password, pass in the file location with the --vault-password-file option:
ansible-playbook --vault-password-file /path/vault-password-file secrets.yml
This decrypts any included encrypted files or variables using the password in that file.
It is essential not to commit your plaintext password file to your version control system. Similarly, restrict this file to only the user or group that needs access to the stored password, using file system access control lists (ACLs).
Although it's convenient to have a single vault holding all of the encrypted secrets, a better security practice is to split the credentials into separate, related vaults. An example would be separating the production and development environments. Thankfully, Ansible Vault lets us create multiple vaults and records which vault the encrypted data comes from using a label.
ansible-vault create --vault-id prod@prompt prod-secrets.yml
The above command creates a prod vault and prompts for your password at runtime (as indicated by the @prompt string). If you already have a password file that you would like to use, simply pass in the path to the file:
ansible-vault create --vault-id prod@/path/prod-vault-password-file prod-secrets.yml
Let's say we want to encrypt the same my_secret variable, but this time store it in our prod vault. Just as before, using encrypt_string, but with the relevant vault-id, stores the secret in the specified vault.
ansible-vault encrypt_string --vault-id prod@/path/prod-vault-password-file 'secret_data' --name 'my_secret'
You will notice that after the AES256 string a new piece of text, prod, is shown. This indicates the vault that the encrypted text belongs to.
my_secret: !vault |
          $ANSIBLE_VAULT;1.1;AES256;prod
          37636561366636643464376336303466613062633537323632306566653533383833366462366662
          6565353063303065303831323539656138653863353230620a653638643639333133306331336365
          62373737623337616130386137373461306535383538373162316263386165376131623631323434
          3866363862363335620a376466656164383032633338306162326639643635663936623939666238
          3161
What if you want to include multiple vaults in a single playbook? You can simply pass multiple vault-id declarations on the ansible-playbook command line.
ansible-playbook --vault-id dev@/path/dev-vault-password-file --vault-id prod@/path/prod-vault-password-file site.yml
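As an added example (not code from the article or from the Ansible project), here is a small Python parser for the vaulted-string format shown above, which also serves the multi-vault passage: it reads the $ANSIBLE_VAULT header, the optional vault-id label and the hex body (which decodes to salt, HMAC and ciphertext), and lists which vault-id labels a playbook or vars file requires on the command line. The SAMPLE_VARS fragment and the function names are assumptions made for this example; the parser accepts both the 1.1 header shown here and the 1.2 header current Ansible writes for labelled secrets.

```python
import re
from binascii import unhexlify

# The prod-labelled my_secret value shown in the article above.
SAMPLE_PROD = """
$ANSIBLE_VAULT;1.1;AES256;prod
37636561366636643464376336303466613062633537323632306566653533383833366462366662
6565353063303065303831323539656138653863353230620a653638643639333133306331336365
62373737623337616130386137373461306535383538373162316263386165376131623631323434
3866363862363335620a376466656164383032633338306162326639643635663936623939666238
3161
"""

# Constructed vars fragment mixing an unlabelled secret with a prod-labelled one.
SAMPLE_VARS = """
db_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  6162636465666768
api_key: !vault |
  $ANSIBLE_VAULT;1.2;AES256;prod
  6162636465666768
"""

# Header layout: $ANSIBLE_VAULT;<format version>;<cipher>[;<vault-id label>]
HEADER_RE = re.compile(r"\$ANSIBLE_VAULT;(?P<version>[\d.]+);(?P<cipher>\w+)(?:;(?P<label>[^;\s]+))?")


def parse_vault_text(text):
    """Split one vaulted blob into header fields plus decoded salt, HMAC and ciphertext."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines or not HEADER_RE.fullmatch(lines[0]):
        raise ValueError("missing or malformed $ANSIBLE_VAULT header")
    hdr = HEADER_RE.fullmatch(lines[0])
    try:
        # The hex body decodes to three newline-separated hex strings.
        salt_hex, mac_hex, ct_hex = unhexlify("".join(lines[1:])).split(b"\n")
        salt, mac, ct = unhexlify(salt_hex), unhexlify(mac_hex), unhexlify(ct_hex)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("malformed vault body: %s" % exc)
    # AES256 envelopes carry a 32-byte salt, a SHA-256 HMAC and block-aligned ciphertext.
    if hdr["cipher"] == "AES256" and (len(salt) != 32 or len(mac) != 32 or len(ct) % 16):
        raise ValueError("unexpected salt/hmac/ciphertext sizes")
    return {"version": hdr["version"], "cipher": hdr["cipher"],
            "label": hdr["label"] or "default",
            "salt": salt, "hmac": mac, "ciphertext": ct}


def required_vault_ids(text):
    """Sorted vault-id labels used by any vaulted string; each needs a matching --vault-id."""
    return sorted({m["label"] or "default" for m in HEADER_RE.finditer(text)})
```

Running required_vault_ids over a vars file before ansible-playbook tells you up front which --vault-id arguments to supply, instead of finding out from a decryption failure mid-run.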
Finally, it's important to cycle your passwords regularly. For files that are encrypted, you can use the command below. Passing in the new-vault-id parameter makes it easy to change the password the secrets are encrypted with.
ansible-vault rekey --vault-id prod@/path/prod-vault-password-file-old --new-vault-id prod@/path/prod-vault-password-file-new site.yml
As noted above, command-line rekeying doesn't work for encrypted variables. In that case, you'll need to re-encrypt the strings individually and replace them in the playbook.
Security is hard, especially when it comes to using secrets within automation systems. With that in mind, below are several best practices to apply when using Ansible Vault. Though we have covered some of these already, it's prudent to reiterate them.
- ACL-protected and unversioned password files: Password files should not be stored in version control systems such as Git. Additionally, make sure that only the appropriate users can access the password file.
- Separate vaults: Normally, many different environments are in use. Therefore, split the required credentials into the appropriate vaults.
- Regular file and variable password rekeying: In case of password reuse or leaks, regularly rekey the passwords in use to limit exposure.
As with any automation system, it's critically important that secrets are properly protected and managed. With Ansible Vault, that process is made simple and flexible. Using the best practices outlined above, storing and using secrets within Ansible is safe and secure.
To extend Ansible Vault even further and take this process to the next level, you can use scripts that integrate with password management solutions. As you can see, Ansible Vault is a great way to use secrets within Ansible playbooks.