We have been using Ansible for some time now and one of the biggest problems we have with Ansible are secret variables. Ansible Vault is a nice solution to this problem, but it makes Ansible a little harder to use. Lookup plugin is awesome for automatically generating secrets, but the problem is that those secrets need to be generated on the management host and because of that you can run Ansible only on that host. This makes this approach inconvenient in multi-user environments.
So what we wanted to have is a combination of the two:
automatic secret generating
multi-user friendly
My colleague did some thinking about it and he came up with a secrets module. We didn’t do any coding yet, but I wanted to see if there is any interest in something like that before we start. I would like to mention that we didn’t define how every part of the module would work, but just did some brainstorming.
Secrets would be generated on the managed hosts and saved into a directory like /etc/ansible/secrets (this could be defined in a configuration file):
This would make it easy to work with passwords the same as when using lookup plugins, e.g.:
postgres_password: {{ secret('postgres_password', length=30) }}
the parameter for the secret module is basically a key to which the password will be saved.
It would also work with multi-user environments, since the secrets will be saved on the managed hosts themselves it won’t matter from what server Ansible is run.- We are not sure if it would be possible to make this plugin work as the lookup plugin works in group/host_vars, or would it need to be a module which is called as a task which generates a secret during play execution and sets a fact or something similar.
There could be a possible problem with permissions when the remote_user is different, but there should be a nice solution to this.
I know this isn’t more than an idea, but I think having something like this would make it extremely easy to work with secrets/passwords. What do you think about this idea?
Maybe not exactly your use case, but in some parts similar,
I work on an open source project, where users are working distributed. We have secrtets to share in ansible, but don’t wanted to have a “shared secret” for the vault. Therefor we use gpg to encrypt the vault-password file with everyones gpg pubkey and have an alias defined which automatically will decrypt it, if not yet decrypted.
So the password lookup plugin does something like this already - namely it generates values, stores them in files, and reuses those values if the file already exists.
It would also work with multi-user environments, since the secrets will be saved on the managed hosts themselves it won’t matter from what server Ansible is run."
This part I have some concern with, as I generally view managed hosts as less-trustworthy, and things that should have less information, rather than more.
So the password lookup plugin does something like this already - namely it generates values, stores them in files, and reuses those values if the file already exists.
I know about the lookup plug-in, I mentioned that we use it and it’s great. The only problem is that you always have to use the same host to run Ansible, which is inconvenient if you have more than one person working with Ansible.
"
It would also work with multi-user environments, since the secrets will be saved on the managed hosts themselves it won’t matter from what server Ansible is run."
This part I have some concern with, as I generally view managed hosts as less-trustworthy, and things that should have less information, rather than more.
I don’t exactly see what is the problem here regarding security, since only the secretes which are used on a particular host will be saved on that host. They are saved on the host machine anyway, one way or another, e.g. in a an application configuration file, or .pgpass, or my.cnf,… The directory in which the secrets would be saved would be readable only to the admin users which are used by Ansible to manage the host, which is not more or less secure than the other places those secrets are saved on the managed host.