Upload File

managing sensitive data with ansible vault

22
Managing sensitive data with Ansible vault

Upload: pascal-stauffer

Post on 14-Apr-2017

62 views

Category:

Technology


2 download

Report

TRANSCRIPT

Page 1: Managing sensitive data with Ansible vault

Managing sensitive data with Ansible vault

Page 2: Managing sensitive data with Ansible vault

IntroductionAbout me and our company

Page 3: Managing sensitive data with Ansible vault

About Me

Page 4: Managing sensitive data with Ansible vault

2010

x5x1

Automation

About Us

Page 5: Managing sensitive data with Ansible vault

What we offer

• Linux & AIX consulting with DevOps experience • Infrastructure Automation • official Ansible Partner • consulting & training for Ansible, Python & git

Page 6: Managing sensitive data with Ansible vault

Ansible Vaultgetting started

Page 7: Managing sensitive data with Ansible vault

What is Ansible vault

Vault is a feature of ansible that allows keeping

sensitive data such as passwords or keys in

encrypted files, rather than as plaintext in your

playbooks or roles.

Page 8: Managing sensitive data with Ansible vault

Tech Specs

• Binary included in the Ansible core package • AES-256 algorithm encrypted • Decrypted on runtime• Limitation: one Vault password per Ansible playbook

Page 9: Managing sensitive data with Ansible vault

getting started

ansible-vault <option>

create Create new encrypted file

encrypt Encrypt existing file

edit Edit encrypted file

rekey Change encryption password

view View encrypted file

Page 10: Managing sensitive data with Ansible vault

How to use it

1. Create ansible-vault variable file

2. Use it in your Ansible Project

3. Run ansible / ansible-playbook with • --ask-vault-pass Option• or define a password file

• define in ansible.cfg vault_password_file path • --vault-password-file Option • as variable ANSIBLE_VAULT_PASSWORD_FILE

Page 11: Managing sensitive data with Ansible vault

What can be encrypted

• encrypt YAML files ‣ e.g. group_vars ‣ e.g. host_vars

• since Ansible v2.3 single encrypted variables• use the !vault tag

Page 12: Managing sensitive data with Ansible vault

What should be encrypted

• sensitive data for automated deployments ‣ SSL private keys ‣ SSH private keys ‣ secrets / credentials

Page 13: Managing sensitive data with Ansible vault

Tips & Tricksmake your life easier

Page 14: Managing sensitive data with Ansible vault

Define your variables

• layer of indirection• prefix your variables vault_<variablename> • save variables into vault files or directories

implicit

group_vars/dev/vault.yml

group_vars/prod/vault.yml

explicit

vault_vars/dev.yml

vault_vars/prod.ymlvs

Page 15: Managing sensitive data with Ansible vault

Best Practices

• set ”no_log: true” per task • use different passwords per environments• only encrypt sensitive data• use a strong encryption password• always use a private git repo / restrict access

Page 16: Managing sensitive data with Ansible vault

Are we safe now?

• technically could be still compromised• what pushed to git, stays on git• secure your password file

• owner & file permissions • outside the git repo / .gitignore

Page 17: Managing sensitive data with Ansible vault

Demo

Page 18: Managing sensitive data with Ansible vault

managing SSL private keysuse case

Page 19: Managing sensitive data with Ansible vault

managing database credentialsuse case

Page 20: Managing sensitive data with Ansible vault

single encrypted variableshort demo

Page 21: Managing sensitive data with Ansible vault

confirm IT solutionsRathausstrasse 14 6340 Baar

The EndThank you for listening

pstauffer8 confirm.ch

blog.confirm.chpstauffer

https://www.xing.com/profile/Pascal_Stauffer

https://www.linkedin.com/in/pascal-stauffer-5030775b

http://confirm.ch
http://blog.confirm.ch
https://www.xing.com/profile/Pascal_Stauffer
https://www.linkedin.com/in/pascal-stauffer-5030775b
Page 22: Managing sensitive data with Ansible vault

Source

• http://docs.ansible.com/ansible/

playbooks_best_practices.html#variables-and-vaults • https://blog.confirm.ch/deploying-ssl-private-keys-with-ansible • http://docs.ansible.com/ansible/playbooks_vault.html • http://docs.ansible.com/ansible/playbooks_vault.html#single-

encrypted-variable

http://docs.ansible.com/ansible/playbooks_best_practices.html#variables-and-vaults
http://docs.ansible.com/ansible/playbooks_best_practices.html#variables-and-vaults
https://blog.confirm.ch/deploying-ssl-private-keys-with-ansible
http://docs.ansible.com/ansible/playbooks_vault.html
http://docs.ansible.com/ansible/playbooks_vault.html#single-encrypted-variable
http://docs.ansible.com/ansible/playbooks_vault.html#single-encrypted-variable

made with Operators Ansible Kubernetes › ... › Ansible_Operator_CERN_2019.pdf · 2019-12-01 · Design Overview Ansible Operator Operator SDK Ansible Playbook or Role Ansible

Ansible Tower Administration Guide - Ansible Documentation · Ansible Tower Administration Guide, Release Ansible Tower 3.4.1 Ansible Tower counts Managed Nodes by the number of hosts

Ansible Tower Administration Guide · Ansible Tower Administration Guide, Release Ansible Tower 3.0 Thank you for your interest in Ansible Tower by Red Hat. Ansible Tower is a commercial

Systems & Software Engineering Mission Support · Systems & Software Engineering Mission Support. Company Overview 2 ... Tools: Chef, Terraform, Vault, Puppet, Ansible, CloudFormation,

はじめてのAnsible Tower - Red Hatpeople.redhat.com/kfujii/cc2019/R305S4_RHC_2019_Ansible...Monitoring HashiCorp Vault Logging MonitoringMonitoring Prometheus 14 Ansible Towerとは

Introduction to Ansible Collections › 2020 › schedule › event › ansible...Introduction to Ansible Collections Ganesh Nalawade Principal Software Engineer Ansible Engineering

Ansible Grundlagen - chemnitzer.linux-tage.de · 16.03.18 Ansible Grundlagen - Christian Frost 3 / 26 Inhalte Konfigurationsmanagement Warum Ansible? Installation von Ansible Inventory

ANSIBLE michaellessard Introduction à Ansible - atelier ... · 3 RHUG Ansible Workshop ORDRE DU JOUR Formation Ansible Introduction à Ansible Variables Ansible + LABO Commande Ansible

Ansible Tower Introduction to Ansible Engine and

Introduction to Ansible - Tetranoodletetranoodle.com/.../uploads/2017/11/Module-02_Ansible.pdfAnsible Introduction Ansible Playbook YAML Ansible Installation and Configuration Ansible

Ansible 101 - Presentation at Ansible STL Meetup

Ansible Tower Administration Guide Release Ansible Tower 2.4.3

Secure Sensitive Data With Mule Credentials Vault

Ansible Tower User Guide - Ansible Documentation...Ansible Tower User Guide, Release Ansible Tower 2.2.2 Thank you for your interest in Ansible Tower, the open source IT orchestration

Ansible Tower Release Notes · Ansible Tower Release Notes, Release Ansible Tower 3.0.3 Thank you for your interest in Ansible Tower by Red Hat. Ansible Tower is a commercial offering

Ansible Tower Upgrade and Migration · 2017. 7. 20. · Ansible Tower Upgrade and Migration, Release Ansible Tower 3.1.0 Thank you for your interest in Ansible Tower by Red Hat. Ansible

docker / ansible : convergence avec ansible-container · 2016. 12. 9. · 1 INCLUDE 2016 Informatique scientifique à Besançon docker / ansible : convergence avec ansible-container

Ansible Tower Administration Guide...Ansible Tower Administration Guide, Release Ansible Tower 3.1.1 Thank you for your interest in Ansible Tower by Red Hat. Ansible Tower is a commercial

Ansible Tower Release Notes · Ansible Tower Release Notes, Release Ansible Tower 3.0 Thank you for your interest in Ansible Tower by Red Hat. Ansible Tower is a commercial offering

Ansible v2 and Beyond (Ansible NYC Meetup)

Debug, optimization, vault Ansible - Agenda (Indico)

Ansible Best Practices · Ansible Best Practices. 2 GENERAL TIPS TO USE ANSIBLE How to use. Treat your Ansible content like code AUTOMATION IS CODE 3 Version control your Ansible

Docker / Ansible : convergence avec Ansible Container · 1 MATHRICE 2017 Besançon Docker / Ansible : convergence avec Ansible Container Retour d’expérience sur la dockérisation

Ansible Intro - June 2015 / Ansible Barcelona User Group

Ansible Tower Introduction to Ansible Engine and · application environments in Ansible Playbooks. Ansible Engine is a supported product built from the Ansible community project

Red Hat OpenStack Platform 16 · ansible-config_template ASL 2.0 ansible-pacemaker ASL 2.0 ansible-role-atos-hsm ASL 2.0 ansible-role-chrony ASL 2.0 ansible-role-container-registry

Ansible Tower Release Notes - Ansible Documentationdocs.ansible.com/ansible-tower/3.0.3/pdf/AnsibleTowerReleaseNotes… · Ansible Tower Release Notes, Release Ansible Tower 3.0.3

Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)

IT Automation with Ansible-Tower : Introduction to Ansible & Ansible Tower

Bootstrapping Ansible Documents/Ansible_Bootstrap.pdf · Installation vom Satellite + Ansible direkt vom Tower Ansible via Puppet - von Ansible Tower - mit ansible-pull Ansible direkt

Ansible at Scale - Meetupfiles.meetup.com/17312132/Ansible IL - Ansible at scale.pdf · Ansible at Scale Ansible Israel, May 9, 2016 David Melamed Senior Research Engineer, CTO Office,

Ansible 2 and Ansible Galaxy 2

10/29 Austin Ansible MeetUp - AnsibleFest Talk & Extending Ansible

Ansible Tower Release Notes · 2017-07-20 · Ansible Tower Release Notes, Release Ansible Tower 3.0.2 Thank you for your interest in Ansible Tower by Red Hat. Ansible Tower is a

Ansible Tower Administration Guide - Ansible Documentation · The Ansible Tower Administration Guide documents the administration of Ansible Tower through custom scripts, man-agement