Working with sensitive data-1 : Ansible Vault and using it with AWS Parameter Store

Cumhur Akkaya
9 min read · Feb 9, 2023


In the first part of this article, we’ll talk about how to secure your sensitive content or confidential information, such as your passwords, API tokens, SSH public or private keys, SSL certificates, and password variables, with Ansible Vault.

In the second part of this article, we’ll talk about how to securely store and retrieve the vault password of a file created by ansible-vault, using the AWS SSM Parameter Store.

I’ll demonstrate how to use Ansible Vault and AWS SSM Parameter Store step by step, hands-on, while explaining some best practices for keeping the data safe.

Read on and keep prying eyes away from your secrets!

Topics we will cover:

1. What is Ansible Vault?

2. Using Ansible Vault

3. Creating a user with ansible playbooks using ansible vault

3.a. Creating ansible playbooks

3.b. Run this playbook with ansible-vault file to create users

4. Hashing password variable as SHA 512

4.a. Editing encrypted files (secret.yml file)

4.b. Hashing passwords using the SHA 512

4.c. Run this playbook with ansible-vault file to create new users

5. As a result

6. Next post

7. References

If you like the article, I would be happy if you clicked the Medium Follow button, to encourage me to write more and so you don’t miss future articles.

Your claps, follows, or subscriptions help my articles reach a broader audience. Thank you in advance for them.

1. What is Ansible Vault?

Keeping your secrets from falling into the wrong hands is a top priority. But how exactly do you secure your secrets? Save them in a local text file? Without encryption, that option is too risky. One of the best and easiest solutions to this problem is to encrypt your variables and files with Ansible Vault.

One of the most important features that come with Ansible is Ansible Vault. As you might guess by now, Ansible Vault is a security feature used for encrypting, and thereby securing, sensitive information in playbooks or files. Ansible Vault provides a way to encrypt and manage sensitive data such as passwords, API tokens, SSH public or private keys, SSL certificates, password variables, etc.

Ansible Vault encrypts variables and files so you can protect sensitive content such as passwords or keys rather than leaving it visible as plaintext in playbooks or roles. (1) So we can now safely commit these encrypted values to GitHub or other repositories.

If you store your vault passwords in a third-party tool such as a secret manager, you need a script to access them. In the second part of this article, we’ll talk about this and demonstrate, hands-on, how to use Ansible Vault with AWS SSM Parameter Store.

2. Using Ansible Vault

Note-1: You can watch my video related to this article on my YouTube account.

Note-2: In order to use the commands mentioned in the article, Ansible must be installed on your machine. You can watch my video “How to install it series: Ansible with Terraform File” on my YouTube account, and you can find the Terraform files needed for the Ansible installation in my GitHub repository.

Figure-1-a: The Ansible Vault Architecture (2)
Figure-1-b: Flow chart of the hands-on in the article.

Creating Encrypted File

The Ansible Vault architecture is shown in figure-1-a. Figure-1-b is a flow chart of the hands-on that we will apply in the article. Now, we’ll create an encrypted file with ansible-vault. In my example it is named secret.yml, as seen in figure-1-b, and we’ll use the ansible-vault create command, as in figure-2.

Figure-2

You will be prompted to create a password and then confirm it by re-typing it, as in figure-3. From now on, this is the vault password of our secret.yml file.

Figure-3

Once your password is confirmed, a new file is created and opened in an editor window. By default, the editor for Ansible Vault is Vim, as in figure-4. To enter data, press i to go into Insert mode. (Yes, the letter i.) For detailed information on using Vim, see this link.

Figure-4

You can now add data; we added two variables, “username” and “password”, which we will use later.

Save and exit with Esc, then “:wq”, as in figure-5.

Figure-5

If we use the “ls” command, we’ll see the secret.yml file, as in figure-6.

Figure-6

And our file is stored encrypted, as in figure-7.

Figure-7

3. Creating a user with ansible playbooks using ansible vault

3.a. Creating ansible playbooks

We have created secret.yml. How can we use it in an Ansible playbook YAML file?

Now we are going to create users with an Ansible playbook, using the secret.yml file created by Ansible Vault. The playbook will get the username and password from the secret.yml file.

Let’s create an Ansible playbook named create-user.yml, as in figure-8.

Figure-8

Enter the following content in the newly opened Vim window, as in figure-9. (6)

“hosts: all”: we want to create users on all of our hosts.

“become: true”: the tasks run with root privileges.

“vars_files: secret.yml”: we want to use a variable file, and the variable file we use is secret.yml.

“user”: we use the user module to create users.

Here it gets the user’s name and password from the “username” and “password” variables in the secret.yml file.

Let’s finish and save it with Esc, then “:wq”, as in figure-9.

Figure-9
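Because figure-9 is an image, here is the playbook exactly as the bullets above describe it, written out as an added example (this is my reconstruction, not the article’s own file, which may differ in details such as the shell setting). The values in secret.yml are constructed placeholders; the real file is encrypted on disk and only the vault password, which must never be committed, unlocks it.

```yaml
# --- secret.yml --------------------------------------------------------
# Created with `ansible-vault create secret.yml`; on disk it is encrypted
# and starts with a $ANSIBLE_VAULT header. Shown decrypted here; the values
# are constructed placeholders for this example.
username: cumhur
password: ChangeMe-123
---
# --- create-user.yml ---------------------------------------------------
# First version of the playbook, as described in section 3.a.
- hosts: all               # create the user on every inventory host
  become: true             # the user module needs root privileges
  vars_files:
    - secret.yml           # username and password come from the vault file
  tasks:
    - name: Create user from vault variables
      ansible.builtin.user:
        name: "{{ username }}"
        # The vault protects the value in the repository, but it is still
        # handed to the module as plaintext. This is what produces the
        # "The input password appears not to have been hashed" warning in
        # figure-13 and the readable /etc/shadow entry in figure-15.
        password: "{{ password }}"
        state: present
```

Run it with ansible-playbook --ask-vault-pass create-user.yml; Ansible decrypts secret.yml in memory for the duration of the run and never writes the plaintext back to disk.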

If we use the “ls” command, we’ll see the create-user.yml playbook file, as in figure-10.

Figure-10

3.b. Run this playbook with ansible-vault file to create users

To run the create-user.yml playbook, use the --ask-vault-pass flag, as in figure-11.

Figure-11

The playbook runs as in figure-12. It asks for our vault password; here we enter the password of the secret.yml file.

Figure-12

It then continues and creates the users, as in figure-13.

Figure-13

The playbook created the users on all of our hosts, as in figure-14. It automatically took the user’s name and password from the “username” and “password” variables in the secret.yml file. To verify that the users were created, you can use this command:

ansible all -b -m command -a "grep cumhur /etc/passwd"
Figure-14

But in figure-13 there is a warning: “The input password appears not to have been hashed.” Anyone who knows where those passwords are stored can look there and read them in plaintext, as in figure-15, using this command:

ansible all -b -m command -a "grep cumhur /etc/shadow"
Figure-15

4. Hashing password variable as SHA 512

It is not secure for anyone to be able to read a person’s password, and we don’t want this to happen. What we can do is change the create-user.yml file: we replace the password line with one that hashes the password with SHA-512, using the password hash filter in the playbook. For hashing types and detailed information, see this link.

4.a. Editing encrypted files (secret.yml file)

To edit an encrypted file, use the ansible-vault edit command, as in figure-16.

$ ansible-vault edit secret.yml
Figure-16

We’ll change the variable to “username: mesut”, so that we create a different user, as in figure-17.

Figure-17

4.b. Hashing passwords using the SHA 512

We’ll open the create-user.yml file for editing with Vim, as in figure-18.

Figure-18

We replace the password line with one that hashes the password using SHA-512. Then save and exit with Esc, then “:wq”, as in figure-19.

Figure-19
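The hashed version of the task, written out as an added example rather than a copy of the article’s figure-19 (the article’s file may differ in detail). It uses Ansible’s built-in password_hash filter; the update_password and no_log settings are my additions, not something the article sets.

```yaml
# create-user.yml -- second version, as described in section 4.b.
- hosts: all
  become: true
  vars_files:
    - secret.yml           # now holds "username: mesut" and a password
  tasks:
    - name: Create user with a SHA-512 hashed password
      ansible.builtin.user:
        name: "{{ username }}"
        # password_hash('sha512') turns the plaintext vault variable into a
        # crypt(3) SHA-512 string of the form $6$<salt>$<hash>. Only this
        # hash reaches /etc/shadow, so the warning from figure-13 disappears
        # and the grep in figure-24 shows no plaintext.
        password: "{{ password | password_hash('sha512') }}"
        state: present
        # The filter picks a fresh random salt on every run, so the hash
        # differs each time and the task would always report "changed".
        # Setting the password only when the account is first created keeps
        # the play idempotent (assumption: password rotation is handled
        # elsewhere).
        update_password: on_create
      # Keep both the vault value and the resulting hash out of -v output
      # and job logs.
      no_log: true
```

Run it the same way, with ansible-playbook --ask-vault-pass create-user.yml. If you do need the hash to be stable across runs instead of skipping updates, the filter also accepts a fixed salt as its second argument, which is the approach shown in Ansible’s own documentation.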

4.c. Run this playbook with ansible-vault file to create new users

To run the create-user.yml playbook again, use the --ask-vault-pass flag, as in figure-20.

Figure-20

The playbook runs as in figure-21. It asks for our vault password; here we enter the password of the secret.yml file.

Figure-21

It then continues and creates the users, as in figure-22.

This time there is no “The input password appears not to have been hashed” warning in figure-22.

Figure-22

The playbook created the users on all of our hosts, as in figure-23.

Figure-23

Finally, to check the stored passwords, enter this command:

ansible all -b -m command -a "grep cumhur /etc/shadow"
Figure-24

Unlike figure-15, the plaintext passwords do not appear in figure-24, because the password value was hashed with SHA-512 in the playbook.

5. As a result

We can encrypt variables with Ansible Vault. We can not only encrypt sensitive data but also use it from our playbooks. Then the password value is hashed with SHA-512, so the users’ plaintext passwords no longer appear in /etc/shadow. We have secured our sensitive content and confidential information with Ansible Vault.

The Ansible Vault solution is easy compared with HashiCorp Vault and GPG Suite. It requires no additional setup and runs on any Ansible-ready computer. You can also store Ansible Vault files in your repositories alongside your inventories. Most importantly, Ansible Vault is built into Ansible (7).

If you liked the article, I would be happy if you clicked the Medium Follow button, to encourage me to write more and so you don’t miss future articles.

Your claps, follows, or subscriptions help my articles reach a broader audience. Thank you in advance for them.

For more info and questions, please contact me on LinkedIn or Medium.

6. Next post

In the second part of this article, we’ll talk about how to store and retrieve the vault password of a file created by ansible-vault, using the AWS SSM Parameter Store, step by step.

Happy Clouding…

Don’t forget to follow my LinkedIn or Medium account to be informed about new articles.

Note: You can find the policies, necessary commands, documents, and the Terraform files for the Ansible installation in my GitHub repository. You can also watch my video about this subject on my YouTube account.



Cumhur Akkaya

✦ DevOps/Cloud Engineer, ✦ Believes in learning by doing, ✦ Dedicated to lifelong learning, ✦ Tea and coffee drinker. ✦ LinkedIn: linkedin.com/in/cumhurakkaya