Pages

Monday, February 22, 2016

Ansible vault

Share it Please
While working with automation it is necessary to have a secure system to store various details like Password, variable, SSH keys etc. Ansible does provide a facility called vault which helps sys admin to store sensitive data and use the vault while running playbooks on remote machines. In this article we will how we can use Ansible vault in securing things. We will be seeing on how

1) To encrypt data using Vault
2) Using Ansible valut while running Playbooks

While using Ansible as a configuration management system or a orchestration engine, it is necessary to pass certain data like passwords, keys etc to run the playbooks. These details can be common most times and used multiple times. An automated system that prompts the operator for passwords all the time is not very efficient. To maximize the power of Ansible, secret data has to be written to a file that Ansible can read and utilize the data from within. Though they are stored on the vault we can have these hacked.

For these ansible provides a facility to protect your data at rest. That facility is Vault, which allows for encrypting text files so that they are stored "at rest" in encrypted format. Without the key or a significant amount of computing power, the data is indecipherable.ansible-vault command is provided by Ansible in securing things

Encrypt Data
1) Create a Sample file to encrypt

[root@vx111a vault]# ansible-vault create sample_passwd.yml
Vault password:
Confirm Vault password:

We created a file sample_passwd.yml file which will ask for vault password. If we check the file type and contents,

[root@vx111a vault]# file sample_passwd.yml
sample_passwd.yml: ASCII text

[root@vx111a vault]# cat sample_passwd.yml
$ANSIBLE_VAULT;1.1;AES256
31643134323761626464336334333461636135656435333161636538326132356166303536353838
3661376665336163613139613836313765633836333838320a626262323565653837363735336163
36396639336239383566306439396262383965623338613664383434663765366639636534393634
6239376138303763610a363165323630326231626334633931323732316564316135643033383730
62666630333233366234633366623331326266633932363166656130373164333335

We see that the file is a ASCII file with encrypted contents.

2) Edit the Encrypted file to change the conents of the file
 In Oder to edit the encypted file, we need touse the edit command with the valut.
[root@vx111a vault]# ansible-vault edit sample_passwd.yml
Vault password:

When you try to edit the conents, it will ask for the vault password.

3) Decypt the file contents
[root@vx111a vault]# ansible-vault decrypt sample_passwd.yml
Vault password:
Decryption successful

Once decrypted we can see the conents of the file as,
[root@vx111a vault]# cat sample_passwd.yml
password: vagrant

We can then use the encrypt command to encypt the contents again as,
[root@vx111a vault]# ansible-vault encrypt sample_passwd.yml
Vault password:
Confirm Vault password:
Encryption successful

Ansible does also provide the rekey facility to change the valut password using
[root@vx111a vault]# ansible-vault rekey sample_passwd.yml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful

Using vault with Playbooks
Until now we have seen how we can use the Ansible vault in encrypting data. Its no use when the data is encrypted and not being used.  Now we will see how we pass the encrypted data to the Ansible playbooks while running on remote machine.

1) Create a sample yml file with 2 variables as
[root@vx111a vault]# cat main.yml
version: 8.0.32
http_port: 8084

Now encrypt the file using the Ansible-vault,

[root@vx111a vault]# ansible-vault decrypt main.yml
Vault password:
Decryption successful

Check the encryption
[root@vx111a vault]# cat main.yml
$ANSIBLE_VAULT;1.1;AES256
34333132653430616138313235366435613232653662653865663264346632616664666665356437
6133633063396434326538373531326231623536373465360a326334303832366530373535356334
32376162336164643561343462643063326366653039303433666439633064383364633064303939
3139663363366336610a336566353664613536643933633166356536336634363734626664363261
34373865613831646339333866613564373937326262643432353866316339306263346430643434
3030633864663837613934663166616630623966653533383733

Now once the file is encrypted write a playbook as,
[root@vx111a vault]# cat sample-playbook.yml
---
- hosts: cent
  vars_files:
     - main.yml
 
  tasks:
    - name: run echo Command
      local_action: shell echo {{ http_port }}
      register: local_process

    - debug: msg="{{ local_process.stdout }}"


Now we have written a playbook which includes the main.yml file (which is encrypted using Ansible-vault) containing the variables. When we run the playbook as

[root@vx111a vault]# ansible-playbook sample-playbook.yml
ERROR: A vault password must be specified to decrypt /work/vault/main.yml

It clearly says that we need to pass the vault password in running the playbook. The correct way to run that playbook is

[root@vx111a vault]# ansible-playbook sample-playbook.yml --ask-vault-pass
Vault password:

PLAY [cent] *******************************************************************

GATHERING FACTS ***************************************************************
ok: [172.16.202.96]

TASK: [run echo Command] ******************************************************
changed: [172.16.202.96 -> 127.0.0.1]

TASK: [debug msg="{{ local_process.stdout }}"] ********************************
ok: [172.16.202.96] => {
    "msg": "8084"
}

PLAY RECAP ********************************************************************
172.16.202.96              : ok=3    changed=1    unreachable=0    failed=0  

We can see that Ansible asks for the vault password in order to run the playbook. Once the password is provided, it run the playbook and also the Portt 8084 is replaced with values from main.yml file.

This is how we can use the Ansible valut with playbooks.

Password File
Though we provide the vault password every time while running the playbooks, there are some times with cases where we need to run the playbook with out any manual intervention. Ansible does provide an option to create a password file with the vault password and pass the file to Ansible command line as argument.

1) use the same above mail.yml file and encrypt that
[root@vx111a vault]# ansible-vault encrypt main.yml
Vault password:
Confirm Vault password:
Encryption successful

Now create a password file with password as “redhat”. Save in the home location and provide it with correct permissions.
[root@vx111a vault]# echo "redhat" >> ~/.vault_password
[root@vx111a vault]# chmod -R 600 ~/.vault_password

Now run the playbook by passing the password file as argument as,

[root@vx111a vault]# ansible-playbook sample-playbook.yml --vault-password-file ~/.vault_password

PLAY [cent] *******************************************************************

GATHERING FACTS ***************************************************************
ok: [172.16.202.96]

TASK: [run echo Command] ******************************************************
changed: [172.16.202.96 -> 127.0.0.1]

TASK: [debug msg="{{ local_process.stdout }}"] ********************************
ok: [172.16.202.96] => {
    "msg": "8084"
}

PLAY RECAP ********************************************************************
172.16.202.96              : ok=3    changed=1    unreachable=0    failed=0  

This is how we can use the Ansible vault and secure data.

17 comments :

  1. What's up i am kаvin, its my first time tօ commenting anywhere,
    when i read this articⅼe i thⲟught i could also make commеnt dᥙe t᧐ this sensible рaragrapһ.


    clіck this over һere now : How To Password Protect Folder
    With Μinimum Effort And Still Leave People Amazed

    ReplyDelete
  2. I don't even know how I ended up here, but I thought this post was good.
    I do not know whο you are but certainly you are going to a famous blogger if you aren't alreaԁy
    ;) Cheers!
    pop over to this web-site : Times Are Changing: How To Passwⲟrd
    Protect Folder New Ѕkills

    ReplyDelete
  3. I seriouѕly love your site.. Pleasant colors & theme.

    Did you develop this ѕite үourself? Please
    reply back as I'm plannіng to create mу own persοnal website and would like to find out whеre
    you ցot this from or what the theme is named. Apprеciate it!

    additiοnal resօurces : Top Ꮯhoices Of Encryрtion Software & How
    I Got Stаrted How To Encrypt A Paѕswοrd For Freeing

    ReplyDelete
  4. I гead thіs post fully regardіng the difference of newest and preceding technologies, it's amazing article.


    Gօ Here : You Knew How Ꭲo Passѡord Protect Folder But You Forgot.
    Here Is A Reminder

    ReplyDelete
  5. thanks for Providing a Good Information
    anyone want to learn advance devops tools or devops online training visit:
    DevOps Training
    DevOps Online Training
    DevOps Training institute in Hyderabad

    ReplyDelete
  6. I every time sⲣen my half an hour to reаd this webpage's articles every daay along with a mug off cⲟffee.

    ReplyDelete
  7. Ahaa, іtѕ fastidious dialogue оn the topic of thiss post at
    this plаce at this webpage, I have read alⅼ thаt, sо now me аlso commenting aat tһis рlace.

    ReplyDelete
  8. Thhiѕ is my first time payy a visit at herre and
    i am truly happy to rеad ɑll at alone place.

    ReplyDelete
  9. Aѕ the admin of this web paցe is working, no
    doubt very shortly iit will be well-known, duee to its fеature
    contents.

    ReplyDelete
  10. I useԁ too be able to fіnd gooid information from
    your content.

    ReplyDelete
  11. Іts liке you read mʏ mind! You ѕeem to кnow а
    lօt aЬout this, lіke ү᧐u wrote tһe book in it ߋr ѕomething.
    I think that you ccan ddo wіth ѕome pics to drive the message һome a little
    bit, but otһer than that, this iѕ fantastic blog. Α gгeat read.
    I'll certainlү be back.

    ReplyDelete
  12. What's up to all, how is everything, I think every
    one is getting more from this website, and your views are nice in favor of new people.

    ReplyDelete
  13. Hello mates, good article and pleasant urging commented at
    this place, I am genuinely enjoying by these.

    ReplyDelete
  14. This is the perfect website for anybody who wants to understand this topic.

    You know a whole lot its almost tough to argue with you (not that I personally will need to…HaHa).

    You certainly put a new spin on a subject which has been written about for ages.
    Great stuff, just wonderful!

    ReplyDelete
  15. Excellent web site you have got here.. It's difficult to find quality writing
    like yours nowadays. I really appreciate people like you!

    Take care!!

    ReplyDelete