ROTATING PASSWORDS WITH ANSIBLE AND HASHIVAULT OUR PRACTICAL OVERVIEW OF SECRET MANAGEMENT BY INTEGRATING HASHICORP'S VAULT WITH ANSIBLE Keith Resar @KeithResar

@KeithResar Keith Resar: Bio Wear many hats @KeithResar [email protected] Coder Open Source Contributor and Advocate Infrastructure Architect

7 PRINCIPLES OF DEVSECOPS ● Humans create poor quality passwords, let’s generate them automatically ● An automated task would allow increased password rotation frequency ● Continuous deployment of password rotations would be ideal ● An automated task can be tested, and will never go beyond its scope ● Storing the password in a shared-secret vault is our break glass ● Integrating with AD would be great, allowing seamless runtime access control ● Passwords should not be stored in Git, deploy scripts, etc

ANSIBLE VAULT VS HASHICORP VAULT

ANSIBLE VAULT ENABLES STORING SENSITIVE DATA SUCH AS PASSWORDS OR KEYS IN ENCRYPTED FILES, RATHER THAN AS PLAINTEXT IN YOUR PLAYBOOKS OR ROLES.

ANSIBLE VAULT ● No External dependencies ● Encrypt entire files or individual secrets ● Version control, commit alongside playbooks

ANSIBLE VAULT USAGE > ansible-vault {create,rekey,edit,encrypt} foo.yml > ansible-playbook foo.yml --ask-vault-pass

MOVING BEYOND ANSIBLE VAULT ● Storing static information vs. Dynamic database ● Separation of automation from secrets ● Supporting password leases

No content

HASHICORP VAULT PRIMER

HASHICORP VAULT VIA ANSIBLE

DEMO APPLICATION KEY ROTATION

DEMO SECRET LOOKUP

WHAT’S NEXT ● Application Support ● Notifications ● Tests ● External verification of secret inventory and change date

RESOURCES ROTATE PASSWORDS WITH ANSIBLE AND HASHIVAULT http://far-oeuf.com/.../...ansible-hashivault ANSIBLE LOOKUP PLUGIN FOR HV SECRETS https://github.com/jhaals/ansible-vault ANSIBLE MINNEAPOLIS MEETUP https://www.meetup.com/Ansible-Minneapolis/

@KeithResar @KeithResar THANKS!