How to Secure your Ansible Secrets using Vaults

Nearly every web application or server configuration you provision with Ansible is going to have some form of sensitive information. It could be the credentials for your database server, user account information, or possibly the private keys to a secure system. How do you protect your data from prying eyes? You use vaults.

In this tutorial, I will first show you how to use Ansible Vault to encrypt your data using AES256 cryptography. This is a relatively safe way to secure your sensitive data from prying eyes, and it’s a good start for anyone introducing themselves to Ansible.

After learning Ansible Vault we are going to dive into Hashicorp Vault, which is a more secure method of storing your secrets.

Ansible Vault

Working with Encrypted Files

Creating an Encrypted File
The create command of Ansible Vault creates a new, empty file that is stored encrypted.

ansible-vault create my-secrets

Encrypt an Existing File

ansible-vault encrypt my-secrets

Editing an Encrypted File

ansible-vault edit my-secrets

Using Encrypted files with your Ansible Playbook

At some point, our secure information is going to need to be pulled from the encrypted file. Let’s take a look at how we can extract our information from our vault and use it in our playbooks.
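Before a secrets file is committed alongside the playbooks, it is worth confirming that it really is vault-encrypted rather than plaintext. The following is an added example, not code from the original post: a small Python check that recognises the header line ansible-vault writes (`$ANSIBLE_VAULT;1.1;AES256`, or `1.2` with a vault-id label) and flags any file that should be encrypted but is not. The file paths and contents are constructed sample data.

```python
import re
from typing import Iterable, List, Tuple

# ansible-vault writes a header line of the form
#   $ANSIBLE_VAULT;1.1;AES256            (default)
#   $ANSIBLE_VAULT;1.2;AES256;<vault-id> (when a --vault-id label is used)
# followed by lines of hex-encoded ciphertext.
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);AES256(?:;([^;\s]+))?\s*$")


def parse_vault_header(content: str) -> Tuple[str, str]:
    """Return (format_version, vault_id) for a vault-encrypted file, or ('', '') otherwise."""
    first_line = content.splitlines()[0] if content else ""
    m = VAULT_HEADER.match(first_line)
    if not m:
        return "", ""
    return m.group(1), m.group(2) or ""


def is_vault_encrypted(content: str) -> bool:
    """True when the content is a well-formed vault envelope: header plus hex-only payload lines."""
    version, _ = parse_vault_header(content)
    if not version:
        return False
    payload = content.splitlines()[1:]
    return bool(payload) and all(re.fullmatch(r"[0-9a-f]+", line.strip()) for line in payload)


def find_unencrypted_secret_files(files: Iterable[Tuple[str, str]]) -> List[str]:
    """Given (path, content) pairs for files that are supposed to be vault-encrypted,
    return the paths whose content is plaintext."""
    return [path for path, content in files if not is_vault_encrypted(content)]


# Constructed sample repository contents (hypothetical paths, no real secrets).
SAMPLE_FILES = [
    ("group_vars/all/vault.yml",
     "$ANSIBLE_VAULT;1.1;AES256\n"
     "62616437623138666531366137366538\n"
     "39356537306537353736313835326261\n"),
    ("group_vars/prod/vault.yml",
     "$ANSIBLE_VAULT;1.2;AES256;prod\n"
     "33353532386339376134383738633035\n"),
    ("group_vars/dev/vault.yml",
     "db_user: appuser\ndb_pass: hunter2\n"),  # plaintext: would leak if committed
]

if __name__ == "__main__":
    for path in find_unencrypted_secret_files(SAMPLE_FILES):
        print(f"NOT ENCRYPTED: {path}")
```

Run over the real files (for example from a pre-commit hook that reads every `vault.yml` in the repository), a non-empty result means a secrets file is about to be committed in the clear.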

Hashicorp Vault

The problem with using Ansible Vault is that your encrypted data is likely going to be stored alongside your playbooks in a version control system. This introduces risk: anyone who can read the repository can download the encrypted file, even if they should never have access to the data it holds.

Now, AES256 is a really strong cipher by today’s standards. It is highly improbable that anyone could brute-force an AES256 encrypted file before the end of the universe. However, a poor implementation of AES256 could introduce a fault in the encryption, making the file easy to decrypt once that fault is discovered. That’s something you should keep in mind when storing encrypted data locally.

A far more secure solution is to use an external vault to protect your sensitive data. While it still uses AES256, the data resides off host, which is a huge improvement to security. Hashicorp Vault is a service that allows us to store key/value data safely away from our playbooks. We can then pull our secrets from the vault while provisioning or deploying.

Requirement

Ansible cannot access a Hashicorp Vault out of the box. You will need the following Python modules installed to interact with your vault.

  • hvac
  • hvac[parser]

Adding a Vault query to your playbook

We’ll perform a lookup against our vault through the debug module. The output will then be registered as a variable that we can use throughout our playbook.

---
- hosts: all
  become: true
  vars:
    # Each lookup reads one secret from the Vault server. The token is embedded here as in the
    # original example; in practice it is better supplied through the VAULT_TOKEN environment
    # variable than committed alongside the playbook.
    db_user: "{{ lookup('hashi_vault', 'secret=serverlab/db_user:value token=c30aa90a-06a8-680d-8bd1-a43181c3b77c url=https://vault.server:8200') }}"
    db_pass: "{{ lookup('hashi_vault', 'secret=serverlab/db_pass:value token=c30aa90a-06a8-680d-8bd1-a43181c3b77c url=https://vault.server:8200') }}"

  tasks:
    - name: Deploy application
      git:
        repo: https://github.com/example/my-application.git
        dest: /srv/my-application   # the git module requires a checkout destination

    - name: Configure webapp
      copy:
        dest: /srv/my-application/configuration
        content: "db_user: {{ db_user }}\ndb_pass: {{ db_pass }}"
        owner: appuser
        group: appuser
        mode: "0600"   # quoted so YAML does not read the octal literal as an integer

In the example playbook above we use lookups to register two variables — db_user and db_pass. These lookups query our Hashicorp Vault server and retrieve the values of the secrets we have stored.

Ansible Vault vs Hashicorp Vault

We’ve shown you two methods of protecting your secrets, but which one should you use? That largely depends on your environment and how secure you need your data to be.