DEV Community

Tosin Akinosho
Tosin Akinosho

Posted on • Edited on

Ansible Vault Secrets Documentation

This post outlines the necessary secrets required for Ansible playbooks. It includes details on how to use the ansiblesafe tool to manage these secrets securely.

Red Hat Subscription Manager (RHSM) Variables

These variables are used to register the Ansible Automation Platform instance with Red Hat Subscription Manager and attach the necessary subscriptions.

  • rhsm_username: The username for your Red Hat account. (More info)
  • rhsm_password: The password for your Red Hat account. (More info)
  • rhsm_org: The ID of the organization to register the system to. (More info)
  • rhsm_activationkey: The activation key used to register the system. (More info)

Admin User Variables

  • admin_user_password: The password for the admin user in Virtual Machines using kcli-pipelines. (More info)

Offline Token Variables

  • offline_token: The offline token used for Red Hat Subscription Manager. (More info)
  • automation_hub_offline_token: The offline token used for Automation Hub. (More info)

OpenShift Pull Secret

  • openshift_pull_secret: The pull secret used to deploy OpenShift Clusters. (More info)

FreeIPA Server Admin Password

  • freeipa_server_admin_password: The password for the FreeIPA server admin user using the freeipa-workshop-deployer. (More info)

Managing Secrets with Ansiblesafe

ansiblesafe is a Go script that facilitates the encryption and decryption of YAML files using the Ansible Vault CLI. It supports various operations such as encrypting, decrypting, and syncing secrets with HashiCorp Vault.

Installation

dnf install ansible-core -y 
curl -OL https://github.com/tosin2013/ansiblesafe/releases/download/v0.0.8/ansiblesafe-v0.0.8-linux-amd64.tar.gz
tar -zxvf ansiblesafe-v0.0.8-linux-amd64.tar.gz
chmod +x ansiblesafe-linux-amd64 
sudo mv ansiblesafe-linux-amd64 /usr/local/bin/ansiblesafe
Enter fullscreen mode Exit fullscreen mode

Usage

If you do not pass any flags everything wil be auto generated for you

$ ansiblesafe -h
Usage of /tmp/go-build1657505477/b001/exe/ansiblesafe:
  -f, --file string     Path to YAML file (default: $HOME/vault.yml)
  -o, --operation int   Operation to perform (1: encrypt, 2: decrypt, 3: Write secrets to HashiCorp Vault, 4: Read secrets from HashiCorp Vault, 5: skip encrypting/decrypting)
Enter fullscreen mode Exit fullscreen mode

To use ansiblesafe, navigate to the cloned directory and perform the following commands based on your needs:

  • Encrypt a YAML file:
  ./ansiblesafe -f path_to_your_file -o 1
Enter fullscreen mode Exit fullscreen mode
  • Decrypt a YAML file:
  ./ansiblesafe -f path_to_your_file -o 2
Enter fullscreen mode Exit fullscreen mode

Hasicorp Examples

Write secrets to HashiCorp Vault

$ export VAULT_ADDRESS=http://127.0.0.1:8200/
$ export VAULT_TOKEN=token
$ export SECRET_PATH=ansiblesafe/example
$ ansiblesafe -o 3
Enter fullscreen mode Exit fullscreen mode

Read secrets from HashiCorp Vault and safe to vault.yaml

$ export VAULT_ADDRESS=http://127.0.0.1:8200/
$ export VAULT_TOKEN=token
$ export SECRET_PATH=ansiblesafe/example
$ ansiblesafe -o 4
$ ansiblesafe -o 1 # Optional encrypt the file
Enter fullscreen mode Exit fullscreen mode

Security Considerations

Instructions to use ansiblesale without a password prompt

$ touch ~/.vault_password
$ chmod 600 ~/.vault_password
# The leading space here is necessary to keep the command out of the command history
$  echo password >> ~/.vault_password
# Link the password file into the current working directory
$ ln ~/.vault_password .
# Set the environment variable to the location of the file
$ export ANSIBLE_VAULT_PASSWORD_FILE=.vault_password
Enter fullscreen mode Exit fullscreen mode

Remember to keep your vault password and tokens secure and limit access to authorized users only.

More Information

For more details on ansiblesafe and its capabilities, visit the GitHub repository.

Top comments (0)