Securing API Keys Referenced in Ansible Playbooks

We’ve recently come across the requirement to secure credentials referenced in Ansible playbooks.

In Ansible Tower, we secure the API key (and subsequent credentials) with CyberArk Conjur Secret Lookup type.

Now, credentials that are only referenced in the playbooks (not in Ansible Tower) exist just in the playbooks. We can authenticate and fetch the password with APIs, however that requires the API key.

Does anyone have any advice/thoughts on how to secure those API keys? We obviously don’t want them in clear text, and we’d like to make sure they are only accessible to the correct teams.

Hi Sara,

Would it help in this case to use summon (https://github.com/cyberark/summon/) to set your Ansible playbook secrets as environment variables? You might need to modify the playbooks to use the ansible.buildin.env lookup (https://docs.ansible.com/ansible/latest/collections/ansible/builtin/env_lookup.html).

The idea would be to create a secrets.yml file that tells summon how to retrieve environment variable values as secrets variables from Conjur (https://github.com/cyberark/summon/#usage). You would then run the playbook as a subprocess of summon:

summon ansible-playbook ...

And summon would retrieve secrets/passwords from Conjur and inject them as environment variables before running Ansible. In this case summon would use the summon-conjur provider (https://github.com/cyberark/summon-conjur), with the Conjur access configuration described here.

Would this fit into your workflow?

You can store the secrets inside Ansible Tower and use the Conjur Secret Lookup to pull them.

You’re only allowed one (1) machine credential type on the Job Template in Tower, but you’re allowed to add additional Credential Types for use inside the playbooks during the run and you can reference their environment variables the Credential Type injects into.

For more information on the Credential Types available in Ansible Tower, check out this doc: https://docs.ansible.com/ansible-tower/latest/html/userguide/credentials.html#credential-types.

If you don’t see an Credential Type listed there that is relevant, you can create your own in Ansible Tower. Here’s an example of how I created a Credential Type for CyberArk PAS REST API credentials: https://github.com/infamousjoeg/ansible-tower-playbooks/tree/master/custom_credtypes/cyberark_pas_restapi.

I understand that @dane suggested Summon, but since this is Ansible Tower and it uses Job Isolation bubblewrap on the jobs being run, Summon will not work in this scenario. Summon would be a good choice if using the Ansible project and not Tower.

Let us know if you have any more questions!

Thanks Joe and Dane! I’m going to touch base with our Ansible Tower team to see what’s feasible from their point of view. I like the looks of Joe’s solution, I’ll post here when I can confirm this works.