Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Ansible 2 Cloud Automation Cookbook

You're reading from   Ansible 2 Cloud Automation Cookbook Write Ansible playbooks for AWS, Google Cloud, Microsoft Azure, and OpenStack

Arrow left icon
Product type Paperback
Published in Feb 2018
Publisher Packt
ISBN-13 9781788295826
Length 200 pages
Edition 1st Edition
Languages
Tools
Arrow right icon
Authors (2):
Arrow left icon
Aditya Patawari Aditya Patawari
Author Profile Icon Aditya Patawari
Aditya Patawari
Vikas Aggarwal Vikas Aggarwal
Author Profile Icon Vikas Aggarwal
Vikas Aggarwal
Arrow right icon
View More author details
Toc

Table of Contents (11) Chapters Close

Preface 1. Getting Started with Ansible and Cloud Management FREE CHAPTER 2. Using Ansible to Manage AWS EC2 3. Managing Amazon Web Services with Ansible 4. Exploring Google Cloud Platform with Ansible 5. Building Infrastructure with Microsoft Azure and Ansible 6. Working with DigitalOcean and Ansible 7. Running Containers with Docker and Ansible 8. Diving into OpenStack with Ansible 9. Ansible Tower 10. Other Books You May Enjoy

Managing secrets with Ansible Vault

Secret management is an important aspect of any configuration management tool. Ansible comes with a tool called Ansible Vault which encrypts secrets (technically, it can encrypt any arbitrary file but we will focus on secrets) at rest with 256 bit AES encryption. These secrets can be used in tasks in various ways.

To understand this better, let us create a sample secret and use it in a task.

How to do it...

We will begin with a standard variable file, let us call it secret.yml, in Ansible:

---
mysecret: secret-value

To use this in a playbook, we can include the file as a variable and call it in a task:

---
- hosts: localhost
tasks:
- name: include secret
include_vars: secret.yml

- name: get value
debug:
msg: "The value is: {{ mysecret }}"

Let us run our playbook to verify that everything is good:

$ ansible-playbook playbook.yml
PLAY [localhost] ***************************************************************
TASK [setup] *******************************************************************
ok: [localhost]
TASK [include secret] **********************************************************
ok: [localhost]
TASK [get value] ***************************************************************
ok: [localhost] => {
"msg": "The value is: secret-value"
}
PLAY RECAP *********************************************************************
localhost : ok=3 changed=0 unreachable=0 failed=0

Our goal is to protect the content of secret.yml. So let us use ansible-vault and encrypt it:

$ ansible-vault encrypt secret.yml
Vault password:
Encryption successful

Now the content of secret.yml should look something like this:

$ANSIBLE_VAULT;1.1;AES256
64656138356263336432653663323966373961363637383035393631383963643363343162393764
6634663662333863373937373139326230326366643862390a643435663237333832366336323861
31666565333937343333373133353838396166356233316435643363356161366536356230396534
3038316565336630630a393938613764616530336565653866346130666466346130633563346564
33313230336265383532313033653237643662616437636263633039373065346537

Executing the playbook like before will fail because our variable file is encrypted. Ansible provides a way to read encrypted files on the fly without decrypting it on the disk. The flag, --ask-vault-pass, will request the password from and execute the playbook normally when provided with the correct password:

$ ansible-playbook --ask-vault-pass playbook.yml
Vault password:
PLAY [localhost] ***************************************************************
TASK [setup] *******************************************************************
ok: [localhost]
TASK [include secret] **********************************************************
ok: [localhost]
TASK [get value] ***************************************************************
ok: [localhost] => {
"msg": "The value is: secret-value"
}
PLAY RECAP *********************************************************************
localhost : ok=3 changed=0 unreachable=0 failed=0

We will be using Ansible Vault throughout this book to store secrets.

Code Layout

We follow standard code layout to make it easy for everyone to understand the roles. Each chapter has a two playbooks and two roles. One playbook and role has code specific to managing our cloud resources. The other roles has code for deploying the phonebook application. Since there are secrets with each chapter, our final layout would look more or less like this:

└── chapter1

└── roles

├── <cloud provider>

│ ├── files

│ ├── tasks

│ │ └── main.yml

│ ├── templates

│ └── vars

│ ├── main.yml

│ └── secrets.yml

└── phonebook

├── files

│ └── phone-book.service

├── tasks

│ └── main.yml

├── templates

│ └── config.py

└── vars

└── secrets.yml

You have been reading a chapter from
Ansible 2 Cloud Automation Cookbook
Published in: Feb 2018
Publisher: Packt
ISBN-13: 9781788295826
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image