Secure your Ansible-Vault Password using Hashicorp Vault and python script

Ansible Vault is a great tool for encrypting sensitive files (files that contain credentials, passwords and similar details). There are many ways to pass the password to ansible-vault; the details are described here: https://docs.ansible.com/ansible/latest/user_guide/vault.html

In general we keep the password in a file (for example ~/.vault) and pass that file to the ansible-playbook command:

ansible-playbook myyamlfile.yml --vault-password-file /path/to/my/vault-password-file
Eg : ansible-playbook sample.yml --vault-password-file /home/tapan/.vault
This is fine for a single developer, but if we work in a team and other team members need to use it, we need an alternative. We cannot commit this password file to version control (a GitHub repo), as it is plain text and the password would be visible to everyone with access to the repo.
To tackle this problem we can take help from one more vault, namely HashiCorp Vault.
HashiCorp Vault is an open-source secret management tool.
1. Install HashiCorp Vault on your host machine. Here I am using an Ubuntu 18.04 machine.
$ curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
$ sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
$ sudo apt-get update && sudo apt-get install vault
2. Verify the installation
$ vault
If you see the output below, Vault is installed successfully:

Usage: vault <command> [args]

Common commands:
    read        Read data and retrieves secrets
    write       Write data, configuration, and secrets
    delete      Delete secrets and configuration
    list        List data or secrets
    login       Authenticate locally
    agent       Start a Vault agent
    server      Start a Vault server
    status      Print seal and HA status
    unwrap      Unwrap a wrapped secret

Other commands:
    audit          Interact with audit devices
    auth           Interact with auth methods
    debug          Runs the debug command
    kv             Interact with Vault's Key-Value storage
    lease          Interact with leases
    monitor        Stream log messages from a Vault server
    namespace      Interact with namespaces
    operator       Perform operator-specific tasks
    path-help      Retrieve API help for paths
    plugin         Interact with Vault plugins and catalog
    policy         Interact with policies
    print          Prints runtime configurations
    secrets        Interact with secrets engines
    ssh            Initiate an SSH session
    token          Interact with tokens

3. Start the Vault server in dev mode
$ vault server -dev
Dev mode starts already unsealed, keeps everything in memory and listens on plain HTTP, so it is for local experimentation only, not for a shared or production setup.
4. When you start the Vault server you will get 'Unseal Key' and 'Root Token' values. Keep them somewhere safe (don't lose them).
5. Open a new terminal session and run the commands below (paste your own root token value):
$ export VAULT_ADDR='http://127.0.0.1:8200'
$ export VAULT_TOKEN="s.XmpNPoi9sRhYtdKHaQhkHP6x"
6. Verify the Vault server is running
$ vault status
If you see output similar to the one below, the Vault server is running:

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.8.2
Storage Type    inmem
Cluster Name    vault-cluster-4588bfe8
Cluster ID      685107f8-0aa1-cdff-fafe-36c40fe7b280
HA Enabled      false

7. Next, create a secret in Vault. (Remember: this secret must be the same as your ansible-vault password.)
$ vault kv put secret/ansiblepwd ansivault=**** (your ansible-vault password, e.g. qwert1234)
Note that a value typed on the command line ends up in your shell history; vault kv put also accepts ansivault=@/path/to/file to read the value from a file instead.
8. You can confirm the secret was created with the vault kv get command:
$ vault kv get secret/ansiblepwd

====== Metadata ======
Key              Value
---              -----
created_time     2021-09-22T19:20:00.874133318Z
deletion_time    n/a
destroyed        false
version          1

====== Data ======
Key          Value
---          -----
ansivault    qwert1234


9. You can get only the password value by using the -field parameter:
    $ vault kv get -field=ansivault secret/ansiblepwd
10. Next, create an executable Python script that runs this command:
    $ touch readPassword.py
Content of the script:

#!/usr/bin/env python3
import subprocess
import sys

# Ask Vault for just the password field. ansible-playbook reads whatever this
# script prints to stdout as the vault password, so the command's output is
# passed through untouched.
rc = subprocess.call(['vault', 'kv', 'get', '-field=ansivault', 'secret/ansiblepwd'])

# Exit non-zero if Vault could not be reached or the secret is missing, so
# ansible-playbook aborts instead of continuing with an empty password.
sys.exit(rc)


$ chmod +x readPassword.py
11. Next, run ansible-playbook with this Python script as the --vault-password-file:
$ ansible-playbook -i inventory sample.yml --vault-password-file ~/<path to python script>/readPassword.py
Voila!!!... done

PLAY [all] *************************************************************************

TASK [Gathering Facts] *************************************************************
[ some output]

PLAY RECAP *************************************************************************
ec2-18-212-180-131.compute-1.amazonaws.com : ok=1    changed=0    reachable=1    failed=0    skipped=0    rescued=0    ignored=0
ec2-54-175-133-129.compute-1.amazonaws.com : ok=1    changed=0    reachable=1    failed=0    skipped=0    rescued=0    ignored=0
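As an added example (not from the original post), here is an alternative password script that reads the same secret over Vault's HTTP API with only the Python standard library, so it does not depend on the vault CLI being on PATH and exits non-zero instead of handing ansible-playbook an empty password. The mount, secret name and field (secret/ansiblepwd, ansivault) are assumed to match the post, and VAULT_ADDR and VAULT_TOKEN are read from the environment as in step 5.

```python
#!/usr/bin/env python3
# Vault password script for ansible-playbook: reads the ansible-vault password from
# HashiCorp Vault's HTTP API with only the standard library. Assumes the post's secret
# (KV v2 mount "secret", key "ansiblepwd", field "ansivault") and VAULT_ADDR/VAULT_TOKEN.
import json
import os
import sys
import urllib.request

MOUNT, SECRET, FIELD = "secret", "ansiblepwd", "ansivault"


def extract_field(body, field):
    """Pull one field out of a KV v2 read response: {"data": {"data": {...}}}.
    Returns None when it is missing or empty, so the caller fails loudly."""
    try:
        value = json.loads(body)["data"]["data"][field]
    except (KeyError, TypeError, ValueError):
        return None
    return value if isinstance(value, str) and value else None


def fetch_password(addr, token, mount=MOUNT, secret=SECRET, field=FIELD):
    """GET /v1/<mount>/data/<secret>, the KV v2 read endpoint behind 'vault kv get'."""
    url = "%s/v1/%s/data/%s" % (addr.rstrip("/"), mount, secret)
    req = urllib.request.Request(url, headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return extract_field(resp.read().decode("utf-8"), field)


def main():
    addr, token = os.environ.get("VAULT_ADDR"), os.environ.get("VAULT_TOKEN")
    if not addr or not token:
        sys.stderr.write("VAULT_ADDR and VAULT_TOKEN must be set\n")
        return 2
    try:
        password = fetch_password(addr, token)
    except OSError as exc:  # URLError/HTTPError (e.g. 403, 404) are OSError subclasses
        sys.stderr.write("could not read secret from Vault: %s\n" % exc)
        return 1
    if password is None:
        sys.stderr.write("field %s not found in %s/%s\n" % (FIELD, MOUNT, SECRET))
        return 1
    sys.stdout.write(password + "\n")  # ansible-playbook reads the password from stdout
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Make it executable with chmod +x and pass it to --vault-password-file exactly like readPassword.py above.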


 

