Working with sensitive data-2: Using AWS Parameter Store and Ansible Vault together

Cumhur Akkaya
11 min readFeb 19, 2023

In this article, we’ll talk about how to use Ansible-vault and AWS SSM Parameter Store together.

I’ll demonstrate how to use Ansible Vault and AWS SSM Parameter Store together step by step hands-on, by explaining some of the best practices for keeping the data safe.

Read on and keep prying eyes away from your secrets!

Topics we will cover:

1. What is AWS SSM Parameter Store?

2. Using AWS Parameter Store and Ansible Vault together

3. Creating the script for Ansible and AWS SSM Parameter Store

4. Creating a parameter in Parameter Store

5. Creating a Policy for the Parameter Store

6. Attaching the policy to the role

7. Finally, run ansible-playbook and get automatically the password from AWS SSM Parameter Store, and create new users on all nodes.

8. As a result

9. Next post

10. References

If you like the article, I will be happy if you click on the Medium Following button to encourage me to write more, and not miss future articles.

Your clap, follow, or subscribe, they help my articles to reach the broader audience. Thank you in advance for them.

1. What is AWS SSM Parameter Store?

Parameter Store, a capability of AWS Systems Manager, provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values. You can store values as plain text or encrypted data.

You can reference Systems Manager parameters in your scripts, commands, SSM documents, and configuration and automation workflows by using the unique name that you specified when you created the parameter. (1)

A Parameter Store’s parameter is any piece of data that is saved in the Parameter Store, such as a block of text, a list of names, a password, an AMI ID, a license key, and so on. So, we can centrally and securely reference this data in our scripts, commands, and SSM documents.

2. Using AWS Parameter Store and Ansible Vault together

Note-1: This article is a continuation of the first article. Firstly, I recommend you to read the first article as well. Also, you can watch my video related to this subject on my youtube account.

Note-2: In order to use the commands mentioned in the article, ansible must be installed on a machine. You can watch my video, “How to install it series: Ansible with Terraform File” on my youtube account and you can find the necessary the terraform files of the ansible installation, in my GitHub repository.

Figure-1

We talked about how to secure your sensitive content or confidential information, such as your passwords, API tokens, SSH public or private keys, SSL certificates, and password variables, with Ansible Vault in the first part of this article.

We created an encrypted file, using the ansible-vault create command, And we were asked to create a password for this file in the first part of this article.

There are a username and a password in the encrypted file. When we want to use the username and password values in an ansible playbook, it asks password of the file that we gave it while creating this file.

Now, when the ansible-playbook run, we will have the ansible-playbook get this password from AWS SSM Parameter Store, as in figure-1.

So, we’ll securely, and automatically enter the password when it is requested, using the AWS SSM Parameter Store. We won’t enter anything in the command terminal when we run the ansible-playbook command below as in figure-2:

Figure-2

3. Create the script for Ansible and AWS SSM Parameter Store

a. We will create the script for Ansible to communicate with the AWS SSM Parameter Store. Enter the following command to create the script file as in figure-3.

Figure-3

b. Enter the following commands in the newly opened vim window and save the script as in figure-4. (2)(3)

aws --region=us-east-1   #choose your region.
ssm get-parameters --names "vault_password" --query "Parameters[*].{Value:Value}" #It is constant value that AWS gave.
--output text #use of incoming password from AWS SSM Parameter Store. It is constant value too.
Figure-4

c. Prompt: chmod +x ddostest.sh (The chmod +x can be used to add execution privilege to the current owner user of the specified file. So, the script became executable.) as in figure-5.

Figure-5

d. We should get the following results as in figure-6:

Figure-6

4. Creating a parameter in Parameter Store

In order to use Ansible-vault and AWS SSM Parameter Store together, we’ll create a parameter in the Parameter Store console. Follow the steps below:

Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/ and choose Create Paremeter as in figure-7. (4)

Note: Parameters are only available in the AWS Region where they were created. You must be in the same region as in the figure-4.

Figure-7

In the Name box, enter a name. In the Description box, type a description that identifies this parameter. For Parameter tier choose Standard. For Type, choose Stringas in the figure-8.

Figure-8

If you choose String, the Data type field is displayed. Choose textas in the figure-9. (If you’re creating a parameter to hold the resource ID for an Amazon Machine Image (AMI), select aws:ec2:image. Otherwise, keep the default text selected.)

We created an encrypted file, using the ansible-vault create command, we were asked to create a password for this file. Now, enter this password in the Valuebox, as in the figure-9. And click on Create Paremeter.

Note 1-If you choose SecureString, the KMS Key ID field is displayed. If you will use an AWS Key Management Service, you can choose this option. For more information, see How AWS Systems ManagerParameter Store Uses AWS KMS.

Note 2- (Optional) In the Tags area, if you apply one or more tag key-value pairs to the parameter. Tags are optional metadata that you assign to a resource. Tags allow you to categorize a resource in different ways, such as by purpose, owner, or environment. We didn't choose add tag.

Figure-9

In the parameters list, we should get the following results, as in figure-10.

Figure-10

5. Creating a Policy for the Parameter Store

Policies let you specify who has access to AWS resources, and what actions they can perform on those resources.

We will do the following steps in order so that the control node (ec2 instance) could reach and use Parameter Store (the resource);

We will create a policy for the Parameter Store. Then we’ll attach this policy to the role, And after that, we’ll attach this role to my control node instance.

Follow the steps below:

a. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/. In the navigation pane on the left, choose Policies. Then, choose Create policy, as in figure-11. (5)

Figure-11.

b. Choose the JSON tab. Then Type or paste a JSON policy document, as in the figure-12. When you are finished, choose Next: Tags.

Not: You can find the policy and other necessary commands and documents in my GitHub repository.

Figure-12.

c. On the Review policy page, type a Name and a Description (optional) for the policy that you are creating. Review the policy Summary to see the permissions that are granted by your policy. Then choose Create a policy to save your work, as in figure-13.

Figure-13.

d. We should get the following results, as in figure-14.

Figure-14.

6. Attaching the policy to the role

We’ll attach the policy that we created to the role that we will attach to ec2 instance.

Follow the steps below:

a. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/. In the navigation pane of the IAM console, choose Roles, and then choose Create role, as in figure-15. (6)

Figure-15.

b. Choose the AWS service role type: AWS service, and choose the use case for your service: ec2, as in the figure-16. Then choose Next,

Figure-16.

c. Type our policy name’s some words into the box of “filter policies”. Select the policy below that we created in the 5th item, as in figure -17. Then choose Next,

Figure-17.

d. For Role name, type a name. For Description(Optional), enter a description for the new role, as in figure-18. Finally, choose Create role.

Note: Role name, this option is not editable, and role names are case insensitive.

Figure-18.

e. We should get the following results, as in figure-19.

Figure-19.

f. Sign in to the AWS Management Console and open the ec2 console at https://console.aws.amazon.com/ec2/. In the navigation pane of the ec2 console, choose the instance, then choose control node (instance).

After this, choose Actions> Security > Modify IAM role, as in figure-20.

Figure-20.

g. Type our role name’s some words into the box of “filter roles”. Select the role below that we created in the 6th item, as in figure -21. Then choose Update IAM role.

Figure-21.

h. We should get the following results, as in the figure-22.

Figure-22.

7. Finally, run ansible playbook and get automatically the password from AWS SSM Parameter Store, and create new users on all nodes.

Now, when the ansible playbook run, it will get the necessary password from AWS SSM Parameter Store and enter it automatically.

Follow the steps below:

a. Edit the encrypted file, in order to add a new user name when we run the ansible playbook. For this, use the command below, as in figure-23.

Figure-23.

b. In order to enter data, press i to go into Insert mode. Then, change the Username whatever you want, in the newly opened vim, as in the figure-24. Then save and exit (esc :wq).

Figure-24.

c. Prompt the ansible-playbook command below, in order to create a new user from the vault password script, as in figure-25.(7)

Figure-25.

d. ansible-playbook command ran, as in the figure-26.

Figure-26.

e. Users of “akkaya” are created automatically by playbook in all of our hosts, without entering manually the password of vault-password.sh file, as in figure-27.

Figure-27.

f. Also, if you want to see the passwords of users enter this command, as in figure-28. Any more, the passwords did not appear here(etc/shadow in Linux system), because the password value was hashed using the SHA 512 with hash command in playbooks. For more information, see Working with sensitive data: Ansible Vault and using it with AWS Parameter Store.

Figure-28.

8. As a result

So, we’ll securely and automatically enter the password when it is requested, using the AWS SSM Parameter Store. We won’t enter anything in the command terminal when we run the ansible-playbook command. It automatically created users in all of our hosts(nodes), without entering manually the vault password or users’ name and password.

We secure and protect sensitive data as the password in my example hands-on. Also, you can use Parameter Store with AWS Key Management Service if you want.

In addition, the installation process of creating new users continued uninterrupted. It is an important contribution to automation systems.

Note: You can find the policies, necessary commands, documents, and the terraform files of the ansible installation, in my GitHub repository.

If you liked the article, I would be happy if you click on the Medium Following button to encourage me to write and not miss future articles.

Your clap, follow or subscribe, they help my articles to reach the broader audience. Thank you in advance for them.

For more info and questions, please contact me on Linkedin or Medium.

9. Next post

Working with Sensitive Data-3: Using Kubernetes Secret Object.

In the next article, we’ll talk about how to create and use Kubernetes Secret Object, and to use it in the pod’s yaml file. I’ll demonstrate it step by step hands-on, by explaining some of the best practices for keeping the data safe.

Working with Sensitive Data-4: Using HashiCorp Vault in Kubernetes.

In the later article, we’ll talk about HashiCorp Vault, how to deploy into Kubernetes using the Vault Helm chart, how to enable the authentication method, how to create the Vault policy, how to set up the Secrets Store CSI driver in Kubernetes, how to set up your application namespaces with a ServiceAccount and SecretProviderClass. Finally, we will run the pods and secure our Kubernetes application secrets with HashiCorp Vault. I’ll demonstrate it step by step hands-on, by explaining some of the best practices for keeping the data safe.

Happy Clouding…

I hope you enjoyed reading this article. Don’t forget to follow my LinkedIn or Medium account to be informed about new articles.

Also, you can watch my video, “How to Install Ansible with Terraform File” on my youtube account.

--

--

Cumhur Akkaya

✦ DevOps/Cloud Engineer, ✦ Believes in learning by doing, ✦ Dedication To Lifelong Learning, ✦ Tea and Coffee Drinker. ✦ Linkedin: linkedin.com/in/cumhurakkaya