Rotating Passwords with Ansible and HashiVault

Our practical overview of secret management by integrating Hashicorp's Vault with Ansible.

Keith Resar

April 20, 2017
Transcript

  1. ROTATING PASSWORDS WITH ANSIBLE AND HASHIVAULT
     Our practical overview of secret management by integrating Hashicorp's Vault with Ansible. Keith Resar, @KeithResar
  2. KEITH RESAR: BIO
     Wear many hats. @KeithResar, [email protected]
     • Coder
     • Open Source Contributor and Advocate
     • Infrastructure Architect
  3. 7 PRINCIPLES OF DEVSECOPS
     • Humans create poor quality passwords; let’s generate them automatically
     • An automated task would allow increased password rotation frequency
     • Continuous deployment of password rotations would be ideal
     • An automated task can be tested, and will never go beyond its scope
     • Storing the password in a shared-secret vault is our break glass
     • Integrating with AD would be great, allowing seamless runtime access control
     • Passwords should not be stored in Git, deploy scripts, etc.
  4. Ansible Vault enables storing sensitive data such as passwords or keys in encrypted files, rather than as plaintext in your playbooks or roles.
  5. ANSIBLE VAULT
     • No external dependencies
     • Encrypt entire files or individual secrets
     • Version control: commit alongside playbooks
  6. MOVING BEYOND ANSIBLE VAULT
     • Storing static information vs. a dynamic database
     • Separation of automation from secrets
     • Supporting password leases
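As an added illustration (not code from Keith Resar's deck, nor from the jhaals/ansible-vault lookup plugin listed on the resources slide), the following playbook shows the shape of the rotation the deck describes: the password is generated by the automation rather than a human, it is written to HashiCorp Vault before the host is touched, and nothing sensitive ends up in Git or in the playbook. It assumes a Vault server with a KV v1 secrets engine mounted at `secret/`, a Vault token exposed to the controller as the `VAULT_TOKEN` environment variable, and a local account to rotate on each managed host; the address, secret path and account name are placeholders.

```yaml
# Added example, not the deck's own code. Assumptions: Vault KV v1 mounted at "secret/",
# VAULT_TOKEN set in the controller's environment, and a local account "svc_app" on
# each host in the "app_servers" group. All names below are placeholders.
- name: Rotate a local service account password and keep the only copy in Vault
  hosts: app_servers
  become: true
  vars:
    vault_addr: "https://vault.example.internal:8200"          # placeholder address
    vault_path: "secret/app/{{ inventory_hostname }}/svc_app"  # one secret per host
    rotated_user: svc_app
  tasks:
    - name: Generate a fresh password on the controller (never read from Git or the playbook)
      # The password lookup writes its result to the given file; /dev/null yields a
      # new random value on every run, so each rotation produces a distinct secret.
      set_fact:
        new_password: "{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}"
      no_log: true

    - name: Store the new password in Vault before changing it on the host
      # Writing to Vault first means a failed write stops the play before the host
      # is touched, so the host keeps its current credential and nothing is lost.
      delegate_to: localhost
      become: false
      uri:
        url: "{{ vault_addr }}/v1/{{ vault_path }}"
        method: POST
        headers:
          X-Vault-Token: "{{ lookup('env', 'VAULT_TOKEN') }}"
        body_format: json
        body:
          password: "{{ new_password }}"
          rotated_at: "{{ ansible_date_time.iso8601 }}"   # change date for later verification
        status_code: [200, 204]   # KV v1 answers a write with 204 No Content
      no_log: true

    - name: Apply the new password on the managed host
      # Only the hash reaches the host; the plaintext exists in memory on the
      # controller and in Vault, which is the deck's "break glass" copy.
      user:
        name: "{{ rotated_user }}"
        password: "{{ new_password | password_hash('sha512') }}"
        update_password: always
      no_log: true
```

`no_log: true` on every task that handles the plaintext keeps it out of Ansible's output and logs, which matters because the play is meant to run unattended and often. Scheduling this play is what turns a one-off password change into the increased rotation frequency the deck asks for, and the `rotated_at` field stored alongside the password is what a later inventory or change-date check can read back. Reading the secret at runtime, rather than writing it, is the job of the lookup plugin listed on the resources slide.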
  7. WHAT’S NEXT
     • Application support
     • Notifications
     • Tests
     • External verification of secret inventory and change date
  8. RESOURCES
     • Rotate Passwords with Ansible and HashiVault: http://far-oeuf.com/.../...ansible-hashivault
     • Ansible lookup plugin for HV secrets: https://github.com/jhaals/ansible-vault
     • Ansible Minneapolis Meetup: https://www.meetup.com/Ansible-Minneapolis/