We’ve recently come across the requirement to secure credentials referenced in Ansible playbooks.
In Ansible Tower, we secure the API key (and subsequent credentials) with CyberArk Conjur Secret Lookup type.
Now, credentials that are only referenced in the playbooks (not in Ansible Tower) exist just in the playbooks. We can authenticate and fetch the password with APIs, however that requires the API key.
Does anyone have any advice/thoughts on how to secure those API keys? We obviously don’t want them in clear text, and we’d like to make sure they are only accessible to the correct teams.
The idea would be to create a secrets.yml file that tells summon how to retrieve environment variable values as secrets variables from Conjur (https://github.com/cyberark/summon/#usage). You would then run the playbook as a subprocess of summon:
summon ansible-playbook ...
And summon would retrieve secrets/passwords from Conjur and inject them as environment variables before running Ansible. In this case summon would use the summon-conjur provider (https://github.com/cyberark/summon-conjur), with the Conjur access configuration described here.
You can store the secrets inside Ansible Tower and use the Conjur Secret Lookup to pull them.
You’re only allowed one (1) machine credential type on the Job Template in Tower, but you’re allowed to add additional Credential Types for use inside the playbooks during the run and you can reference their environment variables the Credential Type injects into.
I understand that @dane suggested Summon, but since this is Ansible Tower and it uses Job Isolation bubblewrap on the jobs being run, Summon will not work in this scenario. Summon would be a good choice if using the Ansible project and not Tower.
Thanks Joe and Dane! I’m going to touch base with our Ansible Tower team to see what’s feasible from their point of view. I like the looks of Joe’s solution, I’ll post here when I can confirm this works.