ROTATING PASSWORDS WITH ANSIBLE
AND HASHIVAULT
OUR PRACTICAL OVERVIEW OF SECRET
MANAGEMENT BY INTEGRATING
HASHICORP'S VAULT WITH ANSIBLE
Keith Resar
@KeithResar
Keith Resar: Bio
Wear many hats
@KeithResar Keith.Resar@RedHat.com
Coder
Open Source Contributor and Advocate
Infrastructure Architect
7 PRINCIPLES OF DEVSECOPS
● Humans create poor-quality passwords, so generate them automatically
● An automated task allows a much higher password rotation frequency
● Continuous deployment of password rotations is the goal
● An automated task can be tested, and will never go beyond its scope
● Storing the password in a shared-secret vault is our break glass
● Integrating with AD would allow seamless runtime access control
● Passwords must not be stored in Git, deploy scripts, etc.
ANSIBLE VAULT
VS
HASHICORP VAULT
ANSIBLE VAULT ENABLES STORING SENSITIVE DATA SUCH AS PASSWORDS OR KEYS IN ENCRYPTED FILES, RATHER THAN AS PLAINTEXT IN YOUR PLAYBOOKS OR ROLES.
ANSIBLE VAULT
● No External dependencies
● Encrypt entire files or individual secrets
● Version control, commit alongside playbooks
ANSIBLE VAULT USAGE
> ansible-vault {create,rekey,edit,encrypt} foo.yml
> ansible-playbook foo.yml --ask-vault-pass
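The layout below is an added example, not code from the deck, showing how those two commands fit into a repository: a plaintext vars file that only names the secret, an encrypted vault file that holds it, and a playbook that consumes it with logging suppressed. The group name "db", the MySQL user "appdb", the sample password and the ~/.vault_pass location are all assumptions made for the example.

```yaml
# Added example (not the presenter's code). Three files shown as one
# multi-document YAML stream; the "--- file:" comments mark the boundaries.
# Assumptions: inventory group "db", hypothetical MySQL user "appdb",
# vault password kept outside the repo in ~/.vault_pass.
#
# Create / edit / rekey the encrypted half with the commands from the slide:
#   ansible-vault create group_vars/db/vault.yml --vault-id prod@~/.vault_pass
#   ansible-vault rekey  group_vars/db/vault.yml --vault-id prod@~/.vault_pass
#   ansible-playbook site.yml --vault-id prod@~/.vault_pass   (or --ask-vault-pass)
#
# Pre-commit check: list any vault.yml that is NOT encrypted
#   grep -L '^\$ANSIBLE_VAULT' group_vars/*/vault.yml
#
# --- file: group_vars/db/vars.yml (plaintext, committed, grep-able) ---
db_user: appdb
# Indirection: the plaintext file names the secret but never holds it,
# so "grep db_password" still finds every use site.
db_password: "{{ vault_db_password }}"
---
# --- file: group_vars/db/vault.yml (run ansible-vault encrypt before commit) ---
vault_db_password: "correct horse battery staple"   # constructed sample value
---
# --- file: site.yml ---
- name: Configure the application database user
  hosts: db
  become: true
  tasks:
    - name: Set the application DB password
      community.mysql.mysql_user:
        name: "{{ db_user }}"
        password: "{{ db_password }}"
        host: "%"
        priv: "appdb.*:ALL"
        login_unix_socket: /var/run/mysqld/mysqld.sock
      # Without no_log the decrypted value shows up in -v output and CI logs,
      # which undoes the point of encrypting it at rest.
      no_log: true
```

The two-file split is the reason "ansible-vault encrypt" on a whole file remains usable: reviewers can still see which variables exist and where they are used, while the values stay ciphertext in Git.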
MOVING BEYOND ANSIBLE VAULT
● Static file contents vs. a dynamic secret store
● Separation of the automation from the secrets it uses
● Support for password leases (credentials that expire and must be renewed)
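What a password lease looks like in practice, as an added example that is not part of the deck: instead of rotating a long-lived database password, the playbook asks HashiCorp Vault's database secrets engine for a user that exists only for the duration of the job, then revokes it. The Vault address, the "database/" mount, the "app-migrate" role, the database host and the migration statement are assumptions for the example.

```yaml
# Added example (not the presenter's demo). Assumptions, all hypothetical:
# Vault at https://vault.example.internal:8200, a database secrets engine
# mounted at database/ with a short-TTL role named "app-migrate",
# a token in $VAULT_TOKEN on the controller, MySQL at db.example.internal.
- name: Run a schema migration with leased database credentials
  hosts: localhost
  gather_facts: false
  vars:
    vault_addr: "https://vault.example.internal:8200"
    vault_token: "{{ lookup('ansible.builtin.env', 'VAULT_TOKEN') }}"
  tasks:
    # GET database/creds/<role> makes Vault create a brand-new DB user.
    # The response carries lease_id and lease_duration alongside the creds.
    - name: Ask Vault for a fresh, time-limited DB user
      ansible.builtin.uri:
        url: "{{ vault_addr }}/v1/database/creds/app-migrate"
        method: GET
        headers:
          X-Vault-Token: "{{ vault_token }}"
        return_content: true
      register: lease
      no_log: true

    # Nothing here is stored in Git, group_vars or a ticket: the username
    # and password live only in this run's memory.
    - name: Use the leased user for the migration
      community.mysql.mysql_query:
        login_host: db.example.internal
        login_user: "{{ lease.json.data.username }}"
        login_password: "{{ lease.json.data.password }}"
        login_db: appdb
        query: "ALTER TABLE orders ADD COLUMN region VARCHAR(16) NULL"
      no_log: true

    # Revoking explicitly drops the DB user now rather than when the TTL
    # runs out, so a leaked credential has the shortest possible life.
    - name: Revoke the lease as soon as the work is done
      ansible.builtin.uri:
        url: "{{ vault_addr }}/v1/sys/leases/revoke"
        method: PUT
        headers:
          X-Vault-Token: "{{ vault_token }}"
        body_format: json
        body:
          lease_id: "{{ lease.json.lease_id }}"
        status_code: 204
      no_log: true
```

With leases, "rotation" stops being a scheduled task against a shared password and becomes a property of every job: each run gets its own credential and leaves none behind.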
HASHICORP VAULT PRIMER
HASHICORP VAULT VIA ANSIBLE
DEMO APPLICATION KEY ROTATION
DEMO SECRET LOOKUP
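The two demo slides are images and their playbooks are not on this page, so the following is an added example written for this edit, not the presenter's demo code. It covers both demos in one run: generate a password on the controller, record it in HashiCorp Vault's KV v2 store, apply it to a local service account, then look it back up from Vault to confirm the two copies agree. The Vault address, the "secret/" KV v2 mount, the path layout, the "svc-app" account and the use of $VAULT_TOKEN are assumptions.

```yaml
# Added example (not the deck's demo). Assumptions, all hypothetical:
# Vault at https://vault.example.internal:8200, KV v2 mounted at secret/,
# a token in $VAULT_TOKEN on the controller, inventory group "app",
# and a local account "svc-app" on every target.
- name: Rotate the svc-app password and store it in HashiCorp Vault
  hosts: app
  become: true
  vars:
    vault_addr: "https://vault.example.internal:8200"
    # One secret per host, so compromising one box does not reveal the rest.
    vault_path: "secret/data/hosts/{{ inventory_hostname }}/svc-app"
    vault_token: "{{ lookup('ansible.builtin.env', 'VAULT_TOKEN') }}"
  tasks:
    # /dev/null as the password file means "generate, never persist to disk".
    # Evaluated per host, so every host gets a different value.
    - name: Generate a new password on the controller
      ansible.builtin.set_fact:
        new_password: "{{ lookup('ansible.builtin.password', '/dev/null', length=32, chars=['ascii_letters', 'digits', 'punctuation']) }}"
      no_log: true

    # Write to Vault BEFORE touching the host: if the host step fails we
    # still have the previous version (KV v2 keeps history) and the new one.
    - name: Record the new password in Vault
      ansible.builtin.uri:
        url: "{{ vault_addr }}/v1/{{ vault_path }}"
        method: POST
        headers:
          X-Vault-Token: "{{ vault_token }}"
        body_format: json
        body:
          data:
            password: "{{ new_password }}"
            rotated_at: "{{ ansible_date_time.iso8601 }}"
        status_code: 200
      delegate_to: localhost
      no_log: true

    - name: Apply the new password to the local account
      ansible.builtin.user:
        name: svc-app
        password: "{{ new_password | password_hash('sha512') }}"
        update_password: always
      no_log: true

    # Secret lookup: read the value back through the hashi_vault lookup
    # plugin and refuse to finish green if Vault and host disagree.
    - name: Verify the Vault copy matches what was just applied
      ansible.builtin.assert:
        that:
          - lookup('community.hashi_vault.hashi_vault', vault_path ~ ':password', url=vault_addr, token=vault_token) == new_password
        fail_msg: "Vault copy does not match the password applied to the host"
      no_log: true
```

Run it from a scheduler and the "continuous deployment of password rotations" principle from the opening slide falls out naturally; the break-glass copy is the one in Vault, and the host is only ever updated after that copy exists.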
WHAT’S NEXT
● Application Support
● Notifications
● Tests
● External verification of secret inventory and change date
RESOURCES
ROTATE PASSWORDS WITH ANSIBLE AND HASHIVAULT
http://far-oeuf.com/.../...ansible-hashivault
ANSIBLE LOOKUP PLUGIN FOR HV SECRETS
https://github.com/jhaals/ansible-vault
ANSIBLE MINNEAPOLIS MEETUP
https://www.meetup.com/Ansible-Minneapolis/
THANKS!