Morning Everyone
I am using Delinea Privilege Vault as an external secret vault for the various credentials I use in Ansible Automation Platform 2. This has been working excellently for passing credentials to hosts I connect to within my playbooks.
However, my needs have now evolved to where I now need to pass the secrets as parameters to commands I run within the playbook. I’ve come across the following documentation that discusses this (click here), but I noticed the lookup module requires a username/password or token to be passed as parameters of the lookup module.
Since OAuth is a widely used authorisation protocol with Cloud services (which developers are likely to use Ansible to interface with), I wanted to start a broader discussion here with developers about best practices and what Ansible developers are doing vis-a-vis requesting and expiring access tokens in playbooks.
Obviously, it makes sense to request a token at the beginning of the playbook and then expire the token as the last step of the playbook. The only problem I’m seeing there is that it requires me to pass the client_id and client_secret in as parameters into the playbook. Unless I specify no_log for that step, those credentials get exposed in the headers of the token request. And, if I specify no_log, I lose my ability to troubleshoot if there is ever an error thrown during the token request. And so, there starts one part of my conundrum.
So, my first question starts with, is there some built-in generic OAuth token request module I can use to request and expire an access_token? Something that would allow me to store the client_id and client_secret in Privilege Vault, which I would pass as parameters and the Ansible module/task would request the access_token and provide some debugging without exposing the client_id and client_secret?
And if that does not exist, then how are developers managing access tokens in your playbooks currently? Am I overthinking this?
Regards,
Tim
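As an added example, not part of Tim's post nor any Delinea or Ansible documentation, here is the request-use-revoke pattern described above written as a playbook. The endpoint URLs, the `./my-cli` command and the `oauth_client_id`/`oauth_client_secret` variables are placeholders, assumed to be supplied by the vault lookup or extra-vars rather than stored in the playbook. The token request runs under `no_log`, but its registered result is still readable, so a following `assert` can report the HTTP status and the IdP's `error` field without ever echoing the client secret or the token.

```yaml
---
# Added example (not from the original post): request a client-credentials
# token first, use it, and revoke it in an always: block. Placeholders:
# the endpoint URLs, ./my-cli, and the oauth_client_id / oauth_client_secret
# vars, which should come from a vault lookup or -e, never from the playbook.
- name: OAuth token lifecycle demo
  hosts: localhost
  gather_facts: false
  vars:
    token_url: "https://idp.example.invalid/oauth2/token"    # placeholder
    revoke_url: "https://idp.example.invalid/oauth2/revoke"  # placeholder
  tasks:
    - name: Request access token (request body and response are never logged)
      ansible.builtin.uri:
        url: "{{ token_url }}"
        method: POST
        body_format: form-urlencoded
        body:
          grant_type: client_credentials
          client_id: "{{ oauth_client_id }}"
          client_secret: "{{ oauth_client_secret }}"
        return_content: true
        status_code: [200, 400, 401]  # accept IdP errors so we can report them
      register: token_resp
      no_log: true

    - name: Fail with a diagnostic that contains no secret material
      ansible.builtin.assert:
        that: token_resp.status == 200 and token_resp.json.access_token is defined
        fail_msg: "Token request failed: HTTP {{ token_resp.status }}, error={{ token_resp.json.error | default('n/a') }}"
        quiet: true

    - name: Use the token, then revoke it whatever happens
      block:
        - name: Run the command; token goes via environment, not argv (ps-safe)
          ansible.builtin.command: ./my-cli --do-thing   # placeholder command
          environment:
            API_TOKEN: "{{ token_resp.json.access_token }}"
          no_log: true
      always:
        - name: Revoke the token (RFC 7009 revocation endpoint)
          ansible.builtin.uri:
            url: "{{ revoke_url }}"
            method: POST
            body_format: form-urlencoded
            body:
              token: "{{ token_resp.json.access_token }}"
              client_id: "{{ oauth_client_id }}"
              client_secret: "{{ oauth_client_secret }}"
          no_log: true
```

The `no_log` on the command task also hides its stdout; if you need that for troubleshooting, register the result and `debug` only its `rc` and `stderr`.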