So, the main problem you’re facing is the fact that every server will require a unique password for the username account you’re currently accessing them with. What server OS, and what account name is it? Linux’s root user? Windows’ local administrator? These are good accounts to have the password rotated frequently, but they’re not usually a good idea to use directly for automation through things like Ansible.
If it is the root user, can you set up an ssh key to use instead of a password? Not only is it more secure than a password, but it would enable you to disable ssh password auth for root altogether (can still login from a tty or via su).
In either OS case, it’s generally common practice to have computers/servers joined to an identity management system, whether that’s Active Directory, RADIUS, IPA, or just plain old LDAP. If your servers are joined to such a management system, then you should be able to use your own user/admin account (or a service account) to access these servers and use `become` to elevate your privileges as needed without ever touching the local superuser accounts.
With all that said, I haven’t even touched on what to do with CyberArk and AWX. AWX has both a CyberArk Central Credential Provider Lookup and CyberArk Conjur Secrets Manager Lookup credential types. These are “lookup” credentials that enable you to configure other Credentials in AWX that hook into external vaults to fill in secrets data.
Here is an example of my own using TSS:
This isn’t magically looking up those secrets, I specifically told AWX what ID and Field fills out each credential property.
AWX also only allows a single Machine credential per job for authenticating to hosts with. So, even if you integrate CyberArk here, only one unique password will be available to use for all hosts in a given play. It won’t magically/dynamically look up credentials per host.
It might be possible to use `cyberark_credential` in a custom role that dynamically looks up the password for your inventory hosts.
Something like:
```yaml
# tasks file in fictional role: checkout_cyberark_password
- name: Retrieve CyberArk Credential
  # cyberark_credential ships in the cyberark.pas collection; FQCN so it resolves without a collections: keyword
  cyberark.pas.cyberark_credential:
    api_base_url: "https://cyberark.company.com"
    app_id: "TestID"
    query: "Safe=test;UserName=admin;HostName={{ inventory_hostname }}"
    fail_request_on_password_change: true
  register: cyberark
  delegate_to: localhost
  no_log: true  # the registered result carries the password, keep it out of job output

- name: Set password to retrieved credential
  ansible.builtin.set_fact:
    ansible_password: "{{ cyberark.result.content }}"
  no_log: true

# for convenience, add a skippable gather_facts step to the role
- name: Gather Facts
  ansible.builtin.gather_facts:
  when:
    - gather_facts is defined
    - gather_facts | bool
```
Then modify your playbooks to look somewhat like this:
```yaml
- hosts: all
  gather_facts: false  # can't authenticate until credentials retrieved
  roles:
    - role: checkout_cyberark_password  # must be first role in list, and there must be no 'pre_tasks:' tasks that require authenticating to hosts
      vars:
        gather_facts: true
  tasks:
    - ansible.builtin.debug:
        var: ansible_facts  # debug takes 'var', not 'vars'
```
Take the above with a grain of salt. I haven’t used CyberArk myself, nor have I been forced to work with unique/randomized `ansible_password`’s in AWX. Using strictly Ansible cli, if you are using CyberArk’s conjur and Ansible’s lookup plugin for it, you could dynamically look up the `ansible_password` as an inventory variable, or populate them ahead of time with a script that encrypts them with `ansible-vault`. However, AWX’s inventory sync doesn’t (yet) support vault encrypted variables (without embedding the vault password in the EE), and you will probably have a lot of chicken and egg problems with trying to set the password to something like `ansible_password: "{{ lookup('cyberark.conjur.conjur_variable') }}"`.
TL;DR: I would try to get some kind of domain account for administrative duties and/or otherwise use an ssh key instead of password auth.
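As an added illustration of the “populate them ahead of time with a script that encrypts them with ansible-vault” option mentioned above (example code, not the poster’s own): it writes one `host_vars/<host>.yml` per inventory host containing a vault-encrypted `ansible_password`. It assumes `ansible-vault` is on PATH and a vault password file exists; `fetch_password()` is a constructed placeholder standing in for a real CyberArk/Conjur client, and the secret is passed to `ansible-vault` on stdin rather than argv so it never shows up in the process list.

```python
"""Pre-populate per-host, vault-encrypted ansible_password variables (added example)."""
import os
import subprocess
from pathlib import Path
from typing import Callable, Iterable, List


def fetch_password(host: str) -> str:
    """Constructed placeholder secret source; replace with your CyberArk/Conjur client."""
    return f"constructed-secret-for-{host}"


def ansible_vault_encrypt(value: str, var_name: str, vault_pw_file: str) -> str:
    """Encrypt one value with `ansible-vault encrypt_string`, feeding the secret via stdin.

    Returns the YAML snippet ansible-vault prints on stdout
    (e.g. 'ansible_password: !vault |\\n  $ANSIBLE_VAULT;1.1;AES256\\n  ...').
    """
    proc = subprocess.run(
        ["ansible-vault", "encrypt_string",
         "--vault-password-file", vault_pw_file,
         "--stdin-name", var_name],
        input=value, capture_output=True, text=True, check=True,
    )
    return proc.stdout


def write_host_vars(hosts: Iterable[str], inventory_dir: str,
                    encrypt: Callable[[str, str], str]) -> List[str]:
    """Write host_vars/<host>.yml for each host using encrypt(value, var_name).

    Only ciphertext touches disk; files are created 0600 so other local users
    cannot read even the vault blob. Returns the list of written paths.
    """
    host_vars = Path(inventory_dir) / "host_vars"
    host_vars.mkdir(parents=True, exist_ok=True)
    written: List[str] = []
    for host in hosts:
        yaml_text = encrypt(fetch_password(host), "ansible_password")
        path = host_vars / f"{host}.yml"
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(yaml_text)
        written.append(str(path))
    return written


if __name__ == "__main__":
    # Stand-alone run against the real ansible-vault; hosts and paths are constructed samples.
    pw_file = os.environ.get("VAULT_PW_FILE", ".vault_pass")  # assumed location
    real = lambda value, name: ansible_vault_encrypt(value, name, pw_file)
    print(write_host_vars(["web01", "db01"], "inventory", real))
```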