Slide 1

AnsibleBenelux 2018/9/19

Slide 2

WiFi: visitorswifi

Slide 3

WiFi: visitorswifi (no password)

Slide 4

#AnsibleBenelux

Slide 5

Secrets in Ansible: provisioning machines with passwords, API tokens and other secrets without getting a headache

Slide 6

AWS Cloud

Slide 7

AWS Cloud Google Cloud

Slide 8

Diagram: Shared Resource, AWS Cloud, Google Cloud

Slide 9

(same diagram as slide 8)

Slide 10

Diagram: Shared Resource, AWS Cloud, Google Cloud, Customer Datacenter

Slide 11

Diagram: Shared Resource, AWS Cloud, Google Cloud, Azure Cloud, Customer Datacenter

Slide 12

Diagram: Shared Resource, AWS Cloud, Google Cloud, Shared Resource, Azure Cloud, Customer Datacenter

Slide 13

(same diagram as slide 12)

Slide 14

(same diagram as slide 12)

Slide 15

Diagram: Shared Resource, AWS Cloud, Google Cloud, Shared Resource, Azure Cloud, Customer Datacenter; people: DevOps

Slide 16

Diagram: Shared Resource, AWS Cloud, Google Cloud, Shared Resource, Azure Cloud, Customer Datacenter; people: DevOps, Admins

Slide 17

Diagram: Shared Resource, AWS Cloud, Google Cloud, Shared Resource, Azure Cloud, Customer Datacenter; people: DevOps, Admins, Outside Contractors

Slide 18

Diagram: many shared resources spread over AWS Cloud, Google Cloud, Azure Cloud and the Customer Datacenter, with DevOps, Admins and Outside Contractors all needing access

Slide 19

No content

Slide 20

Marc Mackenbach [email protected] @marcmackenbach mackenbach SecretHub

Slide 21

No content

Slide 22

ansible-vault

Slide 23

ansible-vault: Vault is a built-in feature of Ansible that lets users encrypt vars with a password.

Slide 24

Vault file          Team      Vault password
team_vault.yml      DevOps    p3pp3r0ni_pizz4

Slide 25

Vault file          Team      Vault password
team_vault.yml      DevOps    p3pp3r0ni_pizz4
admins_vault.yml    Admins    bi9d4ddy

Slide 26

---
- hosts: db_servers
  tasks:
    - include_vars: admin_vault.yml
    - include_vars: dev_vault.yml
    - name: "Create a database user for the app"
      postgresql_user:
        db: app
        name: "{{ db_user }}"
        password: "{{ db_pass }}"
        login_user: "{{ root_user }}"
        login_password: "{{ root_pass }}"
        state: present
        priv: characters:select

- hosts: web_servers
  tasks:
    - include_vars: dev_vault.yml
    - name: "Start the app with secrets"
      shell: "server"
      environment:
        DB_HOST: "{{ db_server }}"
        DB_NAME: app
        DB_USER: "{{ db_user }}"
        DB_PASSWORD: "{{ db_pass }}"
        SLACK_TOKEN: "{{ slack_token }}"

Slide 27

Same playbook as slide 26, highlighting the two vault files it includes: admin_vault.yml and dev_vault.yml

Slide 28

Admin runs playbook

Slide 29

No content

Slide 30

Dev runs playbook

Slide 31

No content

Slide 32

(same table as slide 25)

Slide 33

Vault file          Team                 Vault password
team_vault.yml      DevOps               p3pp3r0ni_pizz4
admins_vault.yml    Admins               bi9d4ddy
external_vault.yml  Outside Contractors  f1yin9_dutchm4n

Slide 34

(same table as slide 33)

Slide 35

Writing is manual
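Because vault-encrypting a vars file is a manual step, a file can land in the repository before anyone encrypted it. The following pre-commit style check is an added example, not code from the talk or the SecretHub project: it flags vars files that should be vault-encrypted but are plaintext, recognising the real $ANSIBLE_VAULT file header; the file names follow the talk, the file contents are constructed.

```python
# Added example, not from the talk: flag Ansible vars files that should be
# ansible-vault encrypted but were committed in plaintext.
import re

# A whole-file vault starts with this header (format 1.1 or 1.2, cipher AES256).
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256")
# Heuristic: YAML keys that usually hold a secret, captured with their value.
SECRET_KEY = re.compile(
    r"^\s*(?P<key>[\w-]*(?:pass|password|token|secret|api_key)[\w-]*)\s*:\s*(?P<value>\S.*)$",
    re.I | re.M,
)

def is_vault_encrypted(text: str) -> bool:
    """True when the file as a whole is an ansible-vault payload."""
    return VAULT_HEADER.match(text.lstrip()) is not None

def plaintext_secret_keys(text: str) -> list:
    """Secret-looking keys whose value is a literal; inline vaults (`!vault |`)
    and Jinja references to a variable (`"{{ db_pass }}"`) are accepted."""
    keys = []
    for m in SECRET_KEY.finditer(text):
        value = m.group("value").strip().strip("\"'")
        if not (value.startswith("!vault") or value.startswith("{{")):
            keys.append(m.group("key"))
    return keys

def find_offenders(files: dict) -> dict:
    """Offending file name -> plaintext secret keys. A *_vault.yml file must be
    encrypted as a whole; any other file must not hold literal secret values."""
    offenders = {}
    for name, text in files.items():
        if is_vault_encrypted(text):
            continue
        keys = plaintext_secret_keys(text)
        if name.endswith("_vault.yml"):
            offenders[name] = keys or ["<whole file should be encrypted>"]
        elif keys:
            offenders[name] = keys
    return offenders

# Constructed sample repo: file names follow the talk, contents are made up.
SAMPLE_FILES = {
    "admins_vault.yml": "$ANSIBLE_VAULT;1.1;AES256\n39363531 (constructed body)\n",
    "team_vault.yml": "db_user: app\ndb_pass: p3pp3r0ni_pizz4\n",  # never encrypted
    "group_vars/web.yml": "db_server: db1\nslack_token: !vault |\n  $ANSIBLE_VAULT;1.1;AES256\n",
    "playbook.yml": 'tasks:\n  - postgresql_user:\n      password: "{{ db_pass }}"\n',
}
```

Running find_offenders(SAMPLE_FILES) reports only team_vault.yml (key db_pass); wire it into a pre-commit hook over the files staged for commit and fail the commit when the result is non-empty.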

Slide 36

No content

Slide 37

People leave

Slide 38

Rotate all secrets

Slide 39

SecretHub

Slide 40

Ansible Module SecretHub

Slide 41

---
- hosts: db_servers
  environment:
    SECRETHUB_CREDENTIAL: "{{ lookup('env', 'SECRETHUB_CREDENTIAL') }}"
  tasks:
    - name: "Ensure the SecretHub CLI is installed"
      secrethub_cli:
    - name: "Read database root user"
      secrethub_read:
        path: ansible-demo/infra/postgres/root_user
      register: db_root_user
    - name: "Read database root password"
      secrethub_read:
        path: ansible-demo/infra/postgres/root_pass
      register: db_root_pass
    - name: "Generate a database username for the app"
      secrethub_generate:
        path: ansible-demo/infra/app/db_user
      register: db_user
    - name: "Generate a database password for the app"
      secrethub_generate:
        path: ansible-demo/infra/app/db_pass
      register: db_pass
    - name: "Create a database user for the app"
      postgresql_user:
        db: app
        name: "{{ db_user.secret }}"
        password: "{{ db_pass.secret }}"
        login_user: "{{ db_root_user.secret }}"
        login_password: "{{ db_root_pass.secret }}"
        state: present
        priv: characters:select

- hosts: web_servers
  environment:
    SECRETHUB_CREDENTIAL: "{{ lookup('env', 'SECRETHUB_CREDENTIAL') }}"
  tasks:
    - name: "Ensure the SecretHub CLI is installed"
      secrethub_cli:
    - name: "Read the app's database user"
      secrethub_read:
        path: ansible-demo/infra/app/db_user
      register: db_user
    - name: "Read the app's database password"
      secrethub_read:
        path: ansible-demo/infra/app/db_pass
      register: db_pass
    - name: "Read the app's slack_token"
      secrethub_read:
        path: ansible-demo/infra/app/slack_token
      register: slack_token
    - name: "Start the app with secrets"
      shell: "server"
      environment:
        DB_HOST: "{{ db_server }}"
        DB_NAME: app
        DB_USER: "{{ db_user.secret }}"
        DB_PASSWORD: "{{ db_pass.secret }}"
        SLACK_TOKEN: "{{ slack_token.secret }}"

Slide 42

Same playbook as slide 41, highlighting the secrethub_cli module (ensures the SecretHub CLI is installed on the host)

Slide 43

Same playbook as slide 41, highlighting the secrethub_read module (reads the secret at a path and registers it)

Slide 44

Same playbook as slide 41, highlighting the secrethub_generate module (generates a new secret at a path and registers it)

Slide 45

Same playbook as slide 41, highlighting the .secret attribute of each registered result

Slide 46

Same playbook as slide 41, marking which parts require admin access and which require dev access

Slide 47

Admin runs playbook

Slide 48

TODO: videos

Slide 49

Dev runs playbook

Slide 50

TODO: videos

Slide 51

Recap

Slide 52

github.com/secrethub/ansible-secrethub SecretHub

Slide 53

QA