HashiCorp Vault Integration with Ansible Etower using approle

HashiCorp Vault is a secrets management tool specifically designed to control access to sensitive credentials in a low-trust environment. It can be used to store sensitive values and at the same time dynamically generate access for specific services/applications on lease. 

Integrating the vault with Ansible Etower provides robust and secure automation.

Following is the step-by-step guide for the integration.


  • Enable key-value secret engine in Hashi Vault (also known as "kv" engine). Let's call the engine, the "kv" engine.



  • Create a secret inside "kv". A secret can be a collection of key-value pairs or a JSON for nested structure.
         Lets assume that secrets are stored as JSON in the format
 
{
  "my_app":{
    "service_account_name": "some_service",
    "service_account_password": "some_password"
  }
}




  • Create a secret policy defining what can be done with the above-defined secret.



  • Create an "approle". AppRole is an authentication mechanism within Vault to allow machines or apps to acquire a token to interact with Vault

> vault write auth/approle/role/test-role

  • Attach policy created above to the approle

> vault write auth/approle/role/test-role policies="my_secret_policy"

  • To access this KV pair without using your personal token requires setting up a "role_id" and a "secret_id". You can think of this combination as a username and password pair.

> vault read auth/approle/role/test-role/role-id
Key       Value
---       -----
role_id   3c48fdd3-60e0-4ab1-afd1-9e7406ce301b

> vault write -force auth/approle/role/test-role/secret-id
Key                  Value
---                  -----
secret_id            1d399f8b-19af-443d-8568-1d0793dd90f8
secret_id_accessor   46c16a28-07c4-43a1-9c5a-d7df575ac628

  • To create "role_id", you need to use commands as this support is yet not present on the graphical interface. You can set same on your local machine or use console provided on vault UI.

At this point, Hashi Vault is configured to be used with Ansible and Etower.

Lets see how to use this configuration inside ansible playbooks.

Steps for Ansible Etower.
  • Choose or create a credential type to store three parameters to be used to interact with Hashi Vault in Etower. This way you do not need to expose these secret abusable data inside your open playbooks.
    • Vault URL (There can be multiple vaults in your organization, let the variable name be "vault_server")
    • Vault "role_id"  (Let the variable name be "vault_server")
    • Vault "secret_id" for the "vault_role_id" (Let the variable name be "vault_secret_id")




  • Use the above-created credential in your Ansible template, as per the example code below.

 
- name: Hashi Corp Integration
  gather_facts: true
  hosts: localhost
  vars:
    VAULT_ADDR: '{{ lookup("env", "vault_server") }}'
    VAULT_ROLE_ID: '{{ lookup("env", "vault_role_id") }}'
    VAULT_SECRET_ID: '{{ lookup("env", "vault_secret_id") }}'
    VAULT_NS: "some/name/space/"
    VAULT_SECRET_PATH: kv/data/my_secret
    app_name: my_app
  tasks:
   - name: setting facts for vault 
     set_fact:
      VAULT_ADDR: '{{ VAULT_ADDR }}'
      VAULT_NS: '{{ VAULT_NS }}'
   - name: "Connect hashi vault at {{ VAULT_ADDR }} with namespace {{ VAULT_NS }}"
     set_fact:
       vault_details: "{{ lookup('hashi_vault','secret={{ VAULT_SECRET_PATH }} auth_method=approle role_id={{ VAULT_ROLE_ID }} secret_id={{ VAULT_SECRET_ID }} namespace={{ VAULT_NS }} url={{ VAULT_ADDR }} validate_certs=False') }}" 
     no_log: true
   - name: "Fetch app_role and password from Hashi Vault at {{ VAULT_ADDR }} and namespace {{ VAULT_NS }}"
     set_fact:
      service_account_name: "{{ vault_details.data[app_name].service_account_name }}"
      service_account_password: "{{ vault_details.data[app_name].service_account_password }}"
     no_log: true
   - name: print the password
     debug:
       msg: '{{ service_account_password }} -- {{service_account_name}} '

At this step you have retrieved secrets from Hashi Vault using Ansible, now you can use it in any way you need.

Comments

Post a Comment

Popular posts from this blog

Delete horizontal, vertical and angled lines from an image using Python to clear noise and read text with minimum errors

I was working on an algorithm to detect lines in a image. I found many solutions online, but none of them seem to work to my satisfaction. Thereafter, I decided to write an algorithm, which can work to my satisfaction. This algorithm can detect horizontal, vertical and angled lines. Following is the pseudo code of the algorithm. The implementation is in Python and it uses third party code. pix_array = Convert the image into 2D pixel array  Mono chromate the pixel array by setting values between 0-200 as 0 (black) and greater than 200 as 255(white) as  image_width = length of pix_array[0] image_height = length of pix_array Loop through pix_array, i.e. 1 pixel high horizontal slice of image: h = x coordinate of current pixel k = y coordinate of current pixel choose a value of radius as r draw a circle taking h,k as center using equation (X-h)^2 + (Y-k)^2 = r^2 derive values of X and Y and check if pix_arrY[X][Y] is black (0) if black add them to possible line c...
Read more

Java Currency Formatter Changing $ to ¤

 Java currency formatting problem. Following code shows the conditions when the currency symbol is replaced by an alt currency symbol. public class Test { public static void main(String[] args){ double num = 1323.526; Locale eng = new Locale("", ""); NumberFormat engFormat = NumberFormat.getCurrencyInstance(eng); System.out.println(engFormat.format(num)); eng = new Locale("en", ""); engFormat = NumberFormat.getCurrencyInstance(eng); System.out.println(engFormat.format(num)); eng = new Locale("en", "en_US"); engFormat = NumberFormat.getCurrencyInstance(eng); System.out.println(engFormat.format(num)); eng = new Locale("", "US"); engFormat = NumberFormat.getCurrencyInstance(eng); System.out.println(engFormat.format(num)); eng = new Locale(...
Read more

Caused by: java.sql.SQLTimeoutException: ORA-01013: user requested cancel of current operation

Many times we encounter this error and think that there might be some JPA issue or network issue. However, the error is pretty explicit in its nature, but still not clear to ring the bell very first time. As the error says there is a timeout, and since Oracle is saying, we shall accept it. Another clue is "user requested cancel of current operation". This means that the connection was closed by the application server not the database server, hence it can be safely concluded that application has configured timeouts on transactions at its end. However, if you feel that this transaction should have been concluded within the application server limits, your doubt might be true. This problem can arise in case there is a lock on the record being updated by JPA or lock on the table in which JPA is attempting to insert. The lock is most probably being held by some other application, and since application server configuration is on aggressive SLA, the transaction is waiting its...
Read more