Nearly every web application or server configuration you provision with Ansible is going to have some form of sensitive information. It could be the credentials for your database server, user account information, or possibly the private keys to a secure system. How do you protect your data from prying eyes? You use vaults.
In this tutorial, I will first show you how to use Ansible Vault to encrypt your data using AES256 cryptography. This is a relatively safe way to secure your sensitive data from prying eyes, and it's a good start for anyone introducing themselves to Ansible.
After learning Ansible Vault we are going to dive into Hashicorp Vault, which is a more secure method of storing your secrets.
Ansible Vault
Working with Encrypted Files
Creating an Encrypted File
The create command of Ansible Vault allows us to create a new, blank file that will be protected.
ansible-vault create my-secrets
Encrypt an Existing File
ansible-vault encrypt my-secrets
Editing an Encrypted File
ansible-vault edit my-secrets
Using Encrypted files with your Ansible Playbook
At some point, our secure information is going to need to be pulled from the encrypted file. Let’s take a look at how we can extract our information from our vault and use it in our playbooks.
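Before pulling secrets out of an encrypted file, it is worth making sure the file really is encrypted. As an added example that is not part of the original tutorial, the following POSIX shell helpers check that a vault file carries the Ansible Vault header (the first line every ansible-vault output starts with) so a plaintext secrets file cannot slip into version control; the file names, hook wiring and vault password path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Every file written by
# "ansible-vault" starts with a header line such as "$ANSIBLE_VAULT;1.1;AES256"
# (format 1.2 adds a vault-id label as a fourth field), so a missing header
# means the file was left unencrypted. File names and paths are assumptions.

# Return 0 when the file's first line is an Ansible Vault header, 1 otherwise.
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# Check every path given; report plaintext files on stderr; return 1 if any.
check_vault_files() {
    bad=0
    for f in "$@"; do
        if is_vault_encrypted "$f"; then
            echo "ok:            $f"
        else
            echo "NOT ENCRYPTED: $f" >&2
            bad=1
        fi
    done
    return $bad
}

# Demo on constructed files: the body under the header is dummy hex, not a
# real ciphertext; only the header line matters for this check.
demo=$(mktemp -d)
printf '$ANSIBLE_VAULT;1.1;AES256\n6162636465666768\n' > "$demo/vault.yml"
printf 'db_pass: hunter2\n' > "$demo/plain_vault.yml"
if check_vault_files "$demo/vault.yml" "$demo/plain_vault.yml"; then
    echo "all secrets files are encrypted"
else
    echo "refusing to commit: plaintext secrets found"
fi
rm -rf "$demo"

# Hook usage (assumption: encrypted secrets live in files named vault.yml):
#   check_vault_files $(git diff --cached --name-only -- '*vault.yml')
# The playbook then receives the vault password at run time, for example:
#   ansible-playbook --vault-password-file ~/.vault_pass site.yml
```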
Hashicorp Vault
The problem with using Ansible Vault is that your encrypted data is likely going to be stored alongside your playbooks in a version control system. This introduces quite a bit of risk since it could allow those who shouldn’t have access to your sensitive data to be able to download the file.
Now, AES256 is very strong encryption by today's standards. It is highly improbable that anyone could brute-force an AES256-encrypted file before the end of the universe. However, a poor implementation of AES256 could introduce a fault in the encryption, making the file easy to decrypt once that fault is discovered. That's something you should keep in mind when storing encrypted data locally.
A far more secure solution is to use an external vault to protect your sensitive data. While it still uses AES256, the data resides off host, which is a huge improvement in security. Hashicorp Vault is a service that allows us to store key-value data safely away from our playbooks. We can then pull our secrets from the vault when we are provisioning or deploying.
Requirement
Ansible cannot access Hashicorp Vaults out of the box. You will need the following Python modules installed to interact with your vaults.
- hvac
- hvac[parser]
Adding a Vault query to your playbook
We'll perform a lookup against our vault through the debug module. The output will then be registered as a variable that we can use throughout our playbook.
```yaml
---
- hosts: all
  become: true
  vars:
    # Each lookup reads one secret from the Vault KV store and returns its
    # "value" field. The token is inline as in the original; the hashi_vault
    # lookup also honours the VAULT_ADDR and VAULT_TOKEN environment
    # variables, which keeps the token out of the playbook file.
    db_user: "{{ lookup('hashi_vault', 'secret=serverlab/db_user:value token=c30aa90a-06a8-680d-8bd1-a43181c3b77c url=https://vault.server:8200') }}"
    # Fetch the password secret (the original repeated db_user here by mistake).
    db_pass: "{{ lookup('hashi_vault', 'secret=serverlab/db_pass:value token=c30aa90a-06a8-680d-8bd1-a43181c3b77c url=https://vault.server:8200') }}"
  tasks:
    - name: Deploy application
      git:
        repo: https://github.com/example/my-application.git
        dest: /srv/my-application   # the git module requires a checkout path
    - name: Configure webapp
      copy:
        dest: /srv/my-application/configuration
        content: "db_user: {{ db_user }}\ndb_pass: {{ db_pass }}"
        owner: appuser
        group: appuser
        mode: "0600"   # quoted so YAML does not read the mode as an integer
```
In the example playbook above we use lookups to register two variables — db_user and db_pass. These lookups query our Hashicorp Vault server and retrieve the values of the secrets we have stored.
Ansible Vault vs Hashicorp Vault
We’ve shown you two methods of protecting your secrets, but which one should you use? That largely depends on your environment and how secure you need your data to be.