Swiftorial Logo
Home
Swift Lessons
Matchups
CodeSnaps
Tutorials
Career
Resources

Managing Credentials in Ansible

Introduction

In the realm of IT automation, managing credentials securely is crucial. Ansible, as a powerful automation tool, provides several ways to handle sensitive information like passwords, API tokens, and SSH keys. This tutorial will guide you through various methods of managing credentials in Ansible, ensuring your automation processes are both efficient and secure.

Using Ansible Vault

Ansible Vault allows you to keep sensitive data such as passwords or keys in encrypted files, rather than as plaintext in playbooks or roles. Let's start by creating an encrypted file:

ansible-vault create secret.yml

You will be prompted to enter a password. This password will be required to view or edit the contents of secret.yml. Here's an example of what the secret.yml file might contain:

                ---
                database_password: "mysecretpassword"

To edit this file later, use:

ansible-vault edit secret.yml

To include the encrypted variables in your playbook, you can load them as follows:

                ---
                - hosts: localhost
                  vars_files:
                    - secret.yml
                  tasks:
                    - name: Print the database password
                      debug:
                        msg: "{{ database_password }}"

Encrypting Existing Files

If you already have a file and want to encrypt it, you can use:

ansible-vault encrypt existing_file.yml

To decrypt it, use:

ansible-vault decrypt existing_file.yml

Using Environment Variables

Another way to manage credentials is by using environment variables. This can be particularly useful for CI/CD pipelines. For example, you can set an environment variable for a database password and use it in your playbook:

export DB_PASSWORD='mysecretpassword'

Then, you can access this variable in your playbook:

                ---
                - hosts: localhost
                  tasks:
                    - name: Print the database password from environment variable
                      debug:
                        msg: "{{ lookup('env', 'DB_PASSWORD') }}"

Using Ansible Tower / AWX

Ansible Tower (or its open-source counterpart AWX) provides a robust way to manage credentials. You can store credentials securely and use them in your playbooks without exposing them. Here's a high-level overview:

  • Navigate to the Credentials section in the Ansible Tower UI.
  • Create a new credential, entering details like name, type (e.g., Machine, AWS, etc.), and the actual credentials (e.g., SSH key, username, and password).
  • When launching a job, select the appropriate credential to be used during execution.

Using HashiCorp Vault

HashiCorp Vault is another popular tool for managing sensitive information. Ansible has modules that integrate with Vault, allowing you to fetch secrets dynamically:

                ---
                - hosts: localhost
                  tasks:
                    - name: Get secret from HashiCorp Vault
                      hashivault_read:
                        secret: 'secret/data/myapp'
                        key: 'password'
                      register: vault_secret

                    - name: Print the secret
                      debug:
                        msg: "{{ vault_secret.data.password }}"

Ensure you have the hvac Python library installed to use the hashivault modules.

Conclusion

Managing credentials securely is essential for any automated workflow. Ansible offers multiple ways to handle sensitive information, from encrypted files with Ansible Vault to environment variables and integrations with other tools like Ansible Tower and HashiCorp Vault. By using these methods, you can ensure that your credentials are managed securely and efficiently.