Uploaded byDougBridgens
PDF, PPTX103 views

Secrets with Ansible

This document discusses managing shared secrets with Ansible. It describes using HashiCorp Vault to store secrets like passwords and SSL certificates centrally. It then shows how Ansible can be used to automate deploying secrets from Vault to applications and services, such as randomly generating database passwords stored in Vault and deploying them, and requesting and deploying rotated SSL certificates from Vault on an hourly schedule. The document advocates automating routine security tasks like credential rotation to improve security practices and free up time for developers and operators to work on more interesting problems.

Embed presentation

Download as PDF, PPTX
Managing Shared Secrets, with Ansible Doug Bridgens HeyJobs.de
— The gumption gap — Humans orchestrating shared secrets — HashiCorp Vault — Automated root-password deployment — Rotating application credentials — A brief intro to me What We’ll Talk About — Rotating application SSL certificates — Summary
Unix-OS C Developer Automated UI Testing Automated OS Builds Linux Virtualised Containers Auto-scaling architectures 1.0 Linux released Google launched Mac OS X 10.0 released AWS launched Ansible launched My first “Hello World!” ZX80 released Store-cards exploiting Big Data/ML Motorbiked across Africa Cycled Edinburgh/Istanbul The London Years (banking) Microsoft - Unix ‘Expert’ Git released 3D GPU DevOps Built Global Messaging Platform Automating/DevOps-ing App/DB architecture tuning 1991 1980 1994 1998 2001 2005 2006 2012 Walked across Norway Automating/DevOps-ing Cycled Edinburgh/Sahara Automating/DevOps-ing A little about me…
“At my new job, I am shocked to find plaintext secrets existing in documentation that is accessible from anywhere on our network” Expectation collides with reality
Security Best Practice DevOps Reality the gumption* gap * initiative or courage: you haven’t the gumption to try [C18: originally Scottish] The Gumption Gap
web proxy api1 api2 database Typical Credential Setup credentials/token
web proxy api1 api2 database Single Credential = Poor Rotate Options web proxy api1 api2 database Change DB password first Change client password firstor…
web proxy api1 api2 database Simpler Auto Deploy/Rotation web proxy api1 api2 database Separate client credentials Roll in new creds each timethen…
ansible vault web proxy api1 api2 database Demo Environment
Basics of HashiCorp Vault
Secrets stored in: AWS, PKI, SSH, RabbitMQ, Databases, etc Authentication via: AWS, LDAP, RADIUS, Github, Certs, User/Pass Audit log sent to: file, syslog, sockets Other interesting features: Signed SSH keys Dynamic AWS secrets The Cubbyhole AD auth via Ansible Tower Basics of HashiCorp Vault
# file: 01_build_vault.yml --- - hosts: vault roles: - role: hashivault - role: hashivault-init - role: hashivault-unseal - role: hashivault-pki-backend - { role: hashivault-unseal, do_it: 'again' } Hashi Vault Roles
- name: create a random password string set_fact: rand_pw_string: “{{ lookup('password', '/dev/null length=20 chars=ascii_letters,digits,_!$') }}” - name: write secret to Hashi Vault path uri: url: https://vault.ansiblefest.com:8201/v1/secret/AnsibleFest/database method: POST headers: X-Vault-Token: "{{ vault_keys.root_token }}" body: mysqlrootpw: "{{ rand_pw_string }}" - name: deploy the new mysql password mysql_user: name: root password: "{{ rand_pw_string }}" host: localhost delegate_to: database Automated Password Deploy
# creds_rotate.yml --- - hosts: api-tier serial: 1 roles: - { role: proxy-target, state_var: absent } - { role: deploy-credentials } - { role: proxy-target, state_var: present } Rotating Passwords
Demo
- name: request a fresh certificate from Vault uri: url: "https://vault.ansiblefest.com:8201/v1/pki/issue/fest_london" method: POST headers: X-Vault-Token: "{{ vault_keys.root_token }}” body: common_name: "{{ inventory_hostname }}.ansiblefest.com" ttl: “{{ ttl | default(’60') }}” register: cert_data Certificates From Vault
# certs_rotate.yml --- - hosts: api-tier serial: 1 roles: - { role: proxy-target, state_var: absent } - { role: deploy-certs, ttl: "1h" } - { role: deploy-credentials } - { role: proxy-target, state_var: present } Rotating Certificates
Demo
# 03_build_demo_env_ssl.yml —- - hosts: data-tier roles: - mysql-server - deploy-certs - mysql-server-ssl - hosts: proxy-tier roles: - nginx - nginx-proxy - hosts: api-tier roles: - httpd - api-code - deploy-certs - deploy-credentials - { role: proxy-target, state_var: present } Overview # certs_rotate.yml --- - hosts: api-tier serial: 1 roles: - { role: proxy-target, state_var: absent } - { role: deploy-certs, ttl=“1h” } - deploy-credentials - { role: proxy-target, state_var: present }
Repeatable, codified, security: 20 chars, rotate hourly, etc. Automate the easy stuff first, build gumption. Go spend time on more interesting stuff…. No credentials created/known by people. @thisdougb/AnsibleFest2017@thisdougb Summary
EOF

More Related Content

KEY
A language for the Internet: Why JavaScript and Node.js is right for Internet...
byTom Croucher
 
PDF
Complete MVC on NodeJS
byHüseyin BABAL
 
PPTX
Automating with Ansible
byRicardo Schmidt
 
PPTX
GeekCampSG - Nodejs , Websockets and Realtime Web
byBhagaban Behera
 
PDF
Philip Stehlik at TechTalks.ph - Intro to Groovy and Grails
byPhilip Stehlik
 
PPTX
A site in 15 minutes with yii
byAndy Kelk
 
PDF
Persistent mobile JavaScript
byYorick Phoenix
 
KEY
20120514 nodejsdublin
byRichard Rodger
 
A language for the Internet: Why JavaScript and Node.js is right for Internet...
byTom Croucher
 
Complete MVC on NodeJS
byHüseyin BABAL
 
Automating with Ansible
byRicardo Schmidt
 
GeekCampSG - Nodejs , Websockets and Realtime Web
byBhagaban Behera
 
Philip Stehlik at TechTalks.ph - Intro to Groovy and Grails
byPhilip Stehlik
 
A site in 15 minutes with yii
byAndy Kelk
 
Persistent mobile JavaScript
byYorick Phoenix
 
20120514 nodejsdublin
byRichard Rodger
 

What's hot

KEY
node.js: Javascript's in your backend
byDavid Padbury
 
PDF
Create a RESTful API with NodeJS, Express and MongoDB
byHengki Sihombing
 
PPTX
Java script at backend nodejs
byAmit Thakkar
 
PPTX
Create Rest API in Nodejs
byIrfan Maulana
 
ODP
Infrastructure as code with Puppet and Apache CloudStack
byke4qqq
 
ODP
Puppet and CloudStack
byke4qqq
 
PPTX
Node.js Patterns for Discerning Developers
bycacois
 
KEY
Introduction to NodeJS with LOLCats
byDerek Anderson
 
PPT
Play With Theschwartz
byHideo Kimura
 
PDF
Node.js & Twitter Bootstrap Crash Course
byAaron Silverman
 
KEY
Mysqlnd uh
bynatmchugh
 
KEY
nodecalgary1
byEric Kryski
 
PDF
Usecase examples of Packer
byHiroshi SHIBATA
 
PDF
Node js quick tour v2
byWyatt Fang
 
KEY
Node worshop Realtime - Socket.io
byCaesar Chi
 
PPTX
Rapid dev env DevOps Warsaw July 2014
byblndrt
 
PPTX
Tornado my
byConstantine Priemski
 
PDF
Porting Flashblock to Jetpack Platform (draft)
byThomas Bassetto
 
node.js: Javascript's in your backend
byDavid Padbury
 
Create a RESTful API with NodeJS, Express and MongoDB
byHengki Sihombing
 
Java script at backend nodejs
byAmit Thakkar
 
Create Rest API in Nodejs
byIrfan Maulana
 
Infrastructure as code with Puppet and Apache CloudStack
byke4qqq
 
Puppet and CloudStack
byke4qqq
 
Node.js Patterns for Discerning Developers
bycacois
 
Introduction to NodeJS with LOLCats
byDerek Anderson
 
Play With Theschwartz
byHideo Kimura
 
Node.js & Twitter Bootstrap Crash Course
byAaron Silverman
 
Mysqlnd uh
bynatmchugh
 
nodecalgary1
byEric Kryski
 
Usecase examples of Packer
byHiroshi SHIBATA
 
Node js quick tour v2
byWyatt Fang
 
Node worshop Realtime - Socket.io
byCaesar Chi
 
Rapid dev env DevOps Warsaw July 2014
byblndrt
 
Tornado my
byConstantine Priemski
 
Porting Flashblock to Jetpack Platform (draft)
byThomas Bassetto
 

Similar to Secrets with Ansible

PDF
Secure second days operations with Boundary and Vault.pdf
byBram Vogelaar
 
PDF
Issuing temporary credentials for my sql using hashicorp vault
byOlinData
 
PDF
Keybase Vault Auto-Unseal HashiTalks2020
byBas Meijer
 
PDF
Vault and Security as a Service
byPatrick Shields
 
PPTX
ansible : Infrastructure automation,idempotent and more
bySabarinath Gnanasekar
 
PDF
Vault
bydawnlua
 
PPTX
Using ansible vault to protect your secrets
byExcella
 
PDF
Managing sensitive data with Ansible vault
byPascal Stauffer
 
PDF
Ansible Vault Encrypting and Protecting Secrets - RHCE.pdf
byLinuxCert Guru
 
PDF
Using Vault to decouple MySQL Secrets
byDerek Downey
 
PDF
Ansible Vault Encrypting and Protecting Secrets - RHCE.pdf
byLinuxCert Guru
 
PDF
Adopting HashiCorp Vault
byNicolas Corrarello
 
PDF
Rotating Passwords With Ansible and HashiVault
byKeith Resar
 
PDF
Secrets management vault cncf meetup
byJuraj Hantak
 
PPTX
London Hug 20/6 - Vault production
byLondon HashiCorp User Group
 
PDF
Can you keep a secret? (XP Days 2017)
byValerii Moisieienko
 
PDF
XP Days 2019: First secret delivery for modern cloud-native applications
byVlad Fedosov
 
PDF
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
byHashiCorp
 
PPT
Secret Mgmt using vault DevSecOps sg Meetup
byFab L
 
PPTX
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
byhamzaaqqa7
 
Secure second days operations with Boundary and Vault.pdf
byBram Vogelaar
 
Issuing temporary credentials for my sql using hashicorp vault
byOlinData
 
Keybase Vault Auto-Unseal HashiTalks2020
byBas Meijer
 
Vault and Security as a Service
byPatrick Shields
 
ansible : Infrastructure automation,idempotent and more
bySabarinath Gnanasekar
 
Vault
bydawnlua
 
Using ansible vault to protect your secrets
byExcella
 
Managing sensitive data with Ansible vault
byPascal Stauffer
 
Ansible Vault Encrypting and Protecting Secrets - RHCE.pdf
byLinuxCert Guru
 
Using Vault to decouple MySQL Secrets
byDerek Downey
 
Ansible Vault Encrypting and Protecting Secrets - RHCE.pdf
byLinuxCert Guru
 
Adopting HashiCorp Vault
byNicolas Corrarello
 
Rotating Passwords With Ansible and HashiVault
byKeith Resar
 
Secrets management vault cncf meetup
byJuraj Hantak
 
London Hug 20/6 - Vault production
byLondon HashiCorp User Group
 
Can you keep a secret? (XP Days 2017)
byValerii Moisieienko
 
XP Days 2019: First secret delivery for modern cloud-native applications
byVlad Fedosov
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
byHashiCorp
 
Secret Mgmt using vault DevSecOps sg Meetup
byFab L
 
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
byhamzaaqqa7
 

Recently uploaded

PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
PDF
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PPTX
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PDF
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PPT
software-security-intro in information security.ppt
byismaeelsahib032
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PPTX
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PPTX
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
software-security-intro in information security.ppt
byismaeelsahib032
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 

Secrets with Ansible

  • 1.
  • 2.
    — The gumptiongap — Humans orchestrating shared secrets — HashiCorp Vault — Automated root-password deployment — Rotating application credentials — A brief intro to me What We’ll Talk About — Rotating application SSL certificates — Summary
  • 3.
    Unix-OS C Developer AutomatedUI Testing Automated OS Builds Linux Virtualised Containers Auto-scaling architectures 1.0 Linux released Google launched Mac OS X 10.0 released AWS launched Ansible launched My first “Hello World!” ZX80 released Store-cards exploiting Big Data/ML Motorbiked across Africa Cycled Edinburgh/Istanbul The London Years (banking) Microsoft - Unix ‘Expert’ Git released 3D GPU DevOps Built Global Messaging Platform Automating/DevOps-ing App/DB architecture tuning 1991 1980 1994 1998 2001 2005 2006 2012 Walked across Norway Automating/DevOps-ing Cycled Edinburgh/Sahara Automating/DevOps-ing A little about me…
  • 4.
    “At my newjob, I am shocked to find plaintext secrets existing in documentation that is accessible from anywhere on our network” Expectation collides with reality
  • 5.
    Security Best Practice DevOpsReality the gumption* gap * initiative or courage: you haven’t the gumption to try [C18: originally Scottish] The Gumption Gap
  • 6.
    web proxy api1 api2 database TypicalCredential Setup credentials/token
  • 7.
    web proxy api1 api2 database SingleCredential = Poor Rotate Options web proxy api1 api2 database Change DB password first Change client password firstor…
  • 8.
    web proxy api1 api2 database SimplerAuto Deploy/Rotation web proxy api1 api2 database Separate client credentials Roll in new creds each timethen…
  • 9.
  • 10.
  • 11.
    Secrets stored in:AWS, PKI, SSH, RabbitMQ, Databases, etc Authentication via: AWS, LDAP, RADIUS, Github, Certs, User/Pass Audit log sent to: file, syslog, sockets Other interesting features: Signed SSH keys Dynamic AWS secrets The Cubbyhole AD auth via Ansible Tower Basics of HashiCorp Vault
  • 12.
    # file: 01_build_vault.yml --- -hosts: vault roles: - role: hashivault - role: hashivault-init - role: hashivault-unseal - role: hashivault-pki-backend - { role: hashivault-unseal, do_it: 'again' } Hashi Vault Roles
  • 13.
    - name: createa random password string set_fact: rand_pw_string: “{{ lookup('password', '/dev/null length=20 chars=ascii_letters,digits,_!$') }}” - name: write secret to Hashi Vault path uri: url: https://vault.ansiblefest.com:8201/v1/secret/AnsibleFest/database method: POST headers: X-Vault-Token: "{{ vault_keys.root_token }}" body: mysqlrootpw: "{{ rand_pw_string }}" - name: deploy the new mysql password mysql_user: name: root password: "{{ rand_pw_string }}" host: localhost delegate_to: database Automated Password Deploy
  • 14.
    # creds_rotate.yml --- - hosts:api-tier serial: 1 roles: - { role: proxy-target, state_var: absent } - { role: deploy-credentials } - { role: proxy-target, state_var: present } Rotating Passwords
  • 15.
  • 16.
    - name: requesta fresh certificate from Vault uri: url: "https://vault.ansiblefest.com:8201/v1/pki/issue/fest_london" method: POST headers: X-Vault-Token: "{{ vault_keys.root_token }}” body: common_name: "{{ inventory_hostname }}.ansiblefest.com" ttl: “{{ ttl | default(’60') }}” register: cert_data Certificates From Vault
  • 17.
    # certs_rotate.yml --- - hosts:api-tier serial: 1 roles: - { role: proxy-target, state_var: absent } - { role: deploy-certs, ttl: "1h" } - { role: deploy-credentials } - { role: proxy-target, state_var: present } Rotating Certificates
  • 18.
  • 19.
    # 03_build_demo_env_ssl.yml —- - hosts:data-tier roles: - mysql-server - deploy-certs - mysql-server-ssl - hosts: proxy-tier roles: - nginx - nginx-proxy - hosts: api-tier roles: - httpd - api-code - deploy-certs - deploy-credentials - { role: proxy-target, state_var: present } Overview # certs_rotate.yml --- - hosts: api-tier serial: 1 roles: - { role: proxy-target, state_var: absent } - { role: deploy-certs, ttl=“1h” } - deploy-credentials - { role: proxy-target, state_var: present }
  • 20.
    Repeatable, codified, security:20 chars, rotate hourly, etc. Automate the easy stuff first, build gumption. Go spend time on more interesting stuff…. No credentials created/known by people. @thisdougb/AnsibleFest2017@thisdougb Summary
  • 21.