Python tool to manage Ansible vault-ids
Project description
Introduction:
This tool is a manager to make easier and sharable ansible-vault integration. It’s almost a prerequisite to combine ansible-vault and CI/CD. With it you don’t need anymore to share vault passphrase with other people. You can rotate them transparently for security good practices. You can use “keyring plugins” to extend it and store passphrases on AWS SSM, Bitwarden, or other secured storage system.
Help :
ansible-vault-manager-client --help
Important note :
The name of executable ends with -client for a specific reason ! Since ansible 2.5 ansible vault cares about this suffix, so it’s very important to keep it !
https://github.com/ansible/ansible/blob/v2.8.6/lib/ansible/parsing/vault/__init__.py#L367
Examples :
Create a new vaulted file :
ansible-vault-manager-client create --vault-path <dir where create new file>
It will ask you for filename, keyring plugin, keyring plugin options, and encryption password
Create a new vaulted file with generated password :
pwgen | ansible-vault-manager-client create monfichier \
--vault-path vault_vars/ \
--plugin aws_ssm \
--plugin-param region=eu-west-1 \
--plugin-param profile=customer \
--plugin-param path=/ansible/dev/ \
--stdin-pwd
Automatic integration :
Before run any ansible command (like ansible-playbook) you have to declare your identities list :
# Check usable vault ids and add them to ansible env var
USABLE_IDS=$(ansible-vault-manager-client get-usable-ids --vault-path "provisioning/inventory/vault_vars/")
if [ "$USABLE_IDS" != "" ]; then
export ANSIBLE_VAULT_IDENTITY_LIST="$USABLE_IDS"
fi
BUGS :
Action create not clean new file or remote vault if an error occurs
Installation :
Global install :
pip install ansible-vault-manager
Pipenv install :
pipenv install ansible-vault-manager
TODO :
Implement actions rekey and encrypt
Make extensible via custom deported plugins added via a “plugin path”
Make native plugin Hashi Vault
Make native plugin S3
Make native plugin MultiPass
Make native plugin sshfs
Manage secured cache for credentials fetching
Good practices :
In any playbook, you can add this play to include all vaulted vars, ordered by ansible groups logic You can create a non standard “vault_vars” dir in your inventory dir. All files into, matching to hosts groups, will be included. “with_fileglob” permit to not fail if file not exists.
- hosts:
- all
connection: local
tasks:
- name: Include vaulted vars
include_vars: "{{ item }}"
# prepend path to all groups, "all" group is not present in group_names, we force it
with_fileglob: "{{ (group_names + ['all']) | map('regex_replace', '^(.*)$', inventory_dir + '/vault_vars/\\1') | list }}"
tags:
- always
If you want, you could apply a similar process for “hosts_vars”
- hosts:
- all
connection: local
tasks:
- name: Include vaulted vars
include_vars: "{{ item }}"
with_fileglob: "{{ inventory_dir }}/hosts_vault_vars/{{ inventory_hostname }}"
tags:
- always
In your regulars hosts_vars or group_vars, put ALL your vars ! But if it’s a sensitive var to vault, original var should be equal to a new var.
Example :
group_vars/pp <= This file is not encrypted, and you can search vars into
my_database_password: "{{ vault_my_database_password }}"
vault_vars/pp <= This file is encrypted but you know it should contain vault_my_database_password
vault_my_database_password: xxxxxxxxx
Metadata file informations :
A metadata file is used to retrieve all passwords to decrypt vaulted files. If you loose metadata, you can’t know wich passwords where used to encrypt all vaulted files !!! When you create your first vaulted file a file named _metadata.yml is created at the root of “vault-path” location. This name is important and the file follow a structure.
Detailled structure
# A list of all "vault-id" used to encrypt files in this directory (see. https://docs.ansible.com/ansible/latest/user_guide/vault.html#multiple-vault-passwords)
# In normal cases, you should never edit this section manually.
vault_ids:
# Plugin used to store password
- plugin: aws_ssm
# Config string specific to plugin to fetch password
id: customer-account:eu-west-1:/ansible/admins/b32b92b8-6ba8-4941-ba48-3b2e73998631:1
# Could be a list, but probably always one file. Each file should has its own password for security privileges reasons.
# This parameter is not mandatory, but usefull for debugging, or if you want change a password.
# Without it, you can't know which file is encrypted with this ID.
files:
- prod
- plugin: aws_ssm
id: customer-account:eu-west-1:/ansible/dev/4daf2729-7783-43a3-8e3c-9da1b127d8cf:1
files:
- webservers
- plugin: bitwarden
id: profile:organization:ansible-collection:12f5445a-7783-43a3-8e3c-9da1b127d8cf:1
files:
- subdir/all
# You can MANUALLY add this parameter is some use cases. It permit to include another metadata file (with the same format) and merge all vault_ids.
# It can be usefull if you share vaulted vars between multiples playbooks scopes
# This parameter contain a list of absolute or rlative path to current metadata dir
include:
- ../../../other_context/inventory/vault_vars/_metadata.yml
- /mnt/other_secure_place/my_metadata.yml
Plugins doc :
AWS System Manager (SSM parameter store) :
AWS SSM permit to store simple secured key/value parameters. You can apply security policies based on key path, so you can split admin / devs / other permissions on vault credentials. All parameters are versionned, AWS keep each versions of parameters.
profile: Boto profile used (AWS account)
region: AWS region code where store parameters
path: Path of parameter in SSM, usefull for security policies
Vault ID structure : [account profile]:[AWS region]:[parameter path]:[version]
Local (or remote locally mounted) filesystem :
This plugin provides a simple way to manage versionned password on a local file path. You can use for exemple an sftp / sshfs mount point. Be carefull, basepath must be common for every users of vault !
basepath: Directory where vault passwords are stored
Vault ID structure : [basepath]:[filename]:[version]
The file [basepath]/[filename].[version] contains vault password
Bitwarden :
TODO
Vault ID structure : [organization]:[collection]:[name]:[version]
Multipass Git :
Multipass is a derived version of https://www.passwordstore.org/ for multi-users. A set of scripts is available here : https://github.com/toringe/multi-pass
TODO
Vault ID structure : [passwords namespace]:[parameter path]:[commit_hash]
Multi Hashicorp Vault :
You have to install and configure a vault agent, and use Token Helpers (https://www.vaultproject.io/docs/commands/token-helper.html) to permit access to multiples Hashicorp servers if necessary.
TODO
Vault ID structure : [vault instance]:[parameter path]:[version]
AWS S3 :
TODO
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Hashes for ansible-vault-manager-0.2.6.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 2397608003f3469afbafe8dbc4838b028deebd73b1ece54d4f11d907c2074217 |
|
| MD5 | 861526b20465861cf96f7e1b0565cefc |
|
| BLAKE2b-256 | 3cb244cda094757de3d2556dc7dba3db588d28e2d6a201a59176edb6e91205e8 |
