Ansible controller link to the policy

Secrets Management - Conjur, Secrets Hub & CP Conjur Enterprise
, ,
1

Hello,

Following this doc: Managing Secrets in Red Hat Ansible Automation Playbooks

We have a policy created for a namespace (safe) coming across from CyberArk, the layer as shown in the doc, and the Host Factory and loaded into Conjur.

Our policy:


# Policy namespace for safe serv_ansible
- !host ansible_controller
- !policy
  id: SERV_ANSIBLE
  owner: !host ansible_controller

  # this creates a group for use in subsequent grant statements
  # the team we delegate management of the policy can manage members of the group
  body:
  - !group ansible_readonly

  # this allow use of the iam authenticator
  # the path to the group name is fully qualified to host - because the current context is root policy
- !grant
  role: !group conjur/authn-iam/prod/clients
  members: !group SERV_ANSIBLE/ansible_readonly

  # the group name appear in Conjur UI in the ID column of "Groups" tile
  # it can be assembled easily - most parts are static.
  # structure: vault_integration/lob user/safe name/delegation/consumers
  # the path to the group name is fully qualified to host - because the current context is root policy
- !grant
  role: !group prod_vault/<account>/SERV_ANSIBLE/delegation/consumers
  members: !group SERV_ANSIBLE/ansible_readonly

The one thing I am not able to understand is how the Ansible Controller (linux EC2 on AWS) where we are executing the playbook is linked to the Policy.

Please advise.

Thanks
Vamsi

2

Hi Vamsi,

There is a second policy you need to load into the SERV_ANSIBLE branch that defines the host and makes it a member of the ansible_readonly group.

Something like:

- &my-hosts
  - !host 33098445777234/IAM-Role
  
- !grant
  role: !group ansible_readonly
  member: *my-hosts

You’ll obviously need to update the host entry to match your AWS account number and IAM role name that you assign to the Ansible EC2 instance, then load it into SERV_ANSIBLE with conjur policy load SERV_ANSIBLE hosts.yaml.

Note: If you are using Ansible Tower, your play most likely won’t be able to fetch the IAM role from STS. Tower/AWX have a security control that isolates playbooks from being able to interact with the executor node. The above would only work for Ansible engine (not Tower or AWX).

2 Likes
3

Hi @vmaddirala!

First, I highly recommend reading our documentation on Ansible and Conjur integrations, which may clarify things for you. Essentially, each host is responsible for retrieving its own secrets, which is configured with the Ansible Conjur Host Identity, rather than all secrets being routed through the controller.

4

Thanks Nathan. I was able to solve it yesterday by granting the layer as a member to the readonly group. Thank you for the Ansible Tower insight.
The token on the conjurized node doesn’t expire based on the HF token duration is that expected?

Thanks!
Vamsi.

5

Hi Vamsi,

HostFactory tokens are redeemable for an identity (API key). API keys don’t have an expiry, only the host factory token being redeemed does. We rarely use HostFactory for this reason, as in most cases its just as easy to statically define an identity and build process around that API key lifecycle management.

Apologies for the references to an IAM role, your grant for the IAM webservice and use of an EC2 instance made me think you were using IAM roles to provide identity.

6

Thanks Nathan, I am really curious about the API Key Lifecycle Management, we obviously don’t have that implemented. I would like to know where to start, do you have a doc or a runbook on how to implement that in an automated fashion.

Thanks
Vamsi.

7

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.