SlideShare a Scribd company logo

Rotating Passwords With Ansible and HashiVault

K
Keith Resar

This document discusses integrating Hashicorp Vault with Ansible for automated secret and password management. It recommends generating passwords automatically rather than using human-created passwords. It also recommends storing secrets in Vault rather than in version control systems like Git to allow for increased rotation frequency and integration with systems like Active Directory. The document demonstrates configuring Vault as a secrets backend for Ansible and shows examples of rotating application keys and looking up secrets.

Technology
Related topics:
Red Hat Technologies
1 of 16
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
ROTATING PASSWORDS WITH ANSIBLE AND HASHIVAULT OUR PRACTICAL OVERVIEW OF SECRET MANAGEMENT BY INTEGRATING HASHICORP'S VAULT WITH ANSIBLE Keith Resar @KeithResar
@KeithResar Keith Resar: Bio Wear many hats @KeithResar Keith.Resar@RedHat.com Coder Open Source Contributor and Advocate Infrastructure Architect
7 PRINCIPLES OF DEVSECOPS ● Humans create poor quality passwords, let’s generate them automatically ● An automated task would allow increased password rotation frequency ● Continuous deployment of password rotations would be ideal ● An automated task can be tested, and will never go beyond its scope ● Storing the password in a shared-secret vault is our break glass ● Integrating with AD would be great, allowing seamless runtime access control ● Passwords should not be stored in Git, deploy scripts, etc
ANSIBLE VAULT VS HASHICORP VAULT
ANSIBLE VAULT ENABLES STORING SENSITIVE DATA SUCH AS PASSWORDS OR KEYS IN ENCRYPTED FILES, RATHER THAN AS PLAINTEXT IN YOUR PLAYBOOKS OR ROLES.
ANSIBLE VAULT ● No External dependencies ● Encrypt entire files or individual secrets ● Version control, commit alongside playbooks
ANSIBLE VAULT USAGE > ansible-vault {create,rekey,edit,encrypt} foo.yml > ansible-playbook foo.yml --ask-vault-pass
MOVING BEYOND ANSIBLE VAULT ● Storing static information vs. Dynamic database ● Separation of automation from secrets ● Supporting password leases
Rotating Passwords With Ansible and HashiVault
HASHICORP VAULT PRIMER
HASHICORP VAULT VIA ANSIBLE
DEMO APPLICATION KEY ROTATION
DEMO SECRET LOOKUP
WHAT’S NEXT ● Application Support ● Notifications ● Tests ● External verification of secret inventory and change date
RESOURCES ROTATE PASSWORDS WITH ANSIBLE AND HASHIVAULT http://far-oeuf.com/.../...ansible-hashivault ANSIBLE LOOKUP PLUGIN FOR HV SECRETS https://github.com/jhaals/ansible-vault ANSIBLE MINNEAPOLIS MEETUP https://www.meetup.com/Ansible-Minneapolis/
@KeithResar @KeithResar THANKS!

More Related Content

PPTX
Using Puppet With A Secrets Server
conjur_inc
 
PDF
Recipe for good secrets management
Kevin Gilpin
 
PPTX
Security For Humans
conjur_inc
 
PDF
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
Lacework
 
PPTX
DevSecOps in 10 minutes
kieranjacobsen
 
PDF
Analyzing Pwned Passwords with Spark and Scala
Kelley Robinson
 
PDF
Troubleshooting tldr
Ligaya Turmelle
 
PPTX
Security Observability for Cloud Based Applications
John Varghese
 
Using Puppet With A Secrets Server
conjur_inc
 
Recipe for good secrets management
Kevin Gilpin
 
Security For Humans
conjur_inc
 
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
Lacework
 
DevSecOps in 10 minutes
kieranjacobsen
 
Analyzing Pwned Passwords with Spark and Scala
Kelley Robinson
 
Troubleshooting tldr
Ligaya Turmelle
 
Security Observability for Cloud Based Applications
John Varghese
 

What's hot (20)

PDF
Analyzing Pwned Passwords with Spark and Scala
Kelley Robinson
 
PPTX
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
Lacework
 
PDF
Rootconf admin101
Ligaya Turmelle
 
PPTX
Lacework Kubernetes Meetup | August 28, 2018
Lacework
 
PDF
All Your Containers Are Belong To Us
Lacework
 
PDF
Analyzing Pwned Passwords with Spark - OWASP Meetup July 2018
Kelley Robinson
 
PDF
Kubernetes meetup k8s_aug_2019
dhubbard858
 
PDF
Serverless DevSecOps: Why We Must Make it Everyone's Problem | Hillel Solow
AWSCOMSUM
 
PDF
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Lacework
 
PPTX
PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...
Puppet
 
PPTX
ArcherySec 2.0 @ BlackHat Arsenal Europe 2020
Anand Tiwari
 
PPTX
Archery Open Source Vulnerability Assessment and Management - null Bangalore ...
Anand Tiwari
 
PPTX
All access demystifying certs
Gary Williams
 
PPTX
hallenges of Monitoring Big Infrastructure - Icinga Camp Milan 2019
Icinga
 
PPTX
Archery - BlackHat Asia 2018
Anand Tiwari
 
PPTX
Lacework | Top 10 Cloud Security Threats
Lacework
 
PPTX
Best pratices reliability & scalability on Azure
Alex Danvy
 
PPTX
Pacu ~ Rhino Security
AWSMeetup
 
PPTX
DevSecOps - CrikeyCon 2017
kieranjacobsen
 
PPTX
Icinga @ OSMC 2014
Icinga
 
Analyzing Pwned Passwords with Spark and Scala
Kelley Robinson
 
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
Lacework
 
Rootconf admin101
Ligaya Turmelle
 
Lacework Kubernetes Meetup | August 28, 2018
Lacework
 
All Your Containers Are Belong To Us
Lacework
 
Analyzing Pwned Passwords with Spark - OWASP Meetup July 2018
Kelley Robinson
 
Kubernetes meetup k8s_aug_2019
dhubbard858
 
Serverless DevSecOps: Why We Must Make it Everyone's Problem | Hillel Solow
AWSCOMSUM
 
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Lacework
 
PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...
Puppet
 
ArcherySec 2.0 @ BlackHat Arsenal Europe 2020
Anand Tiwari
 
Archery Open Source Vulnerability Assessment and Management - null Bangalore ...
Anand Tiwari
 
All access demystifying certs
Gary Williams
 
hallenges of Monitoring Big Infrastructure - Icinga Camp Milan 2019
Icinga
 
Archery - BlackHat Asia 2018
Anand Tiwari
 
Lacework | Top 10 Cloud Security Threats
Lacework
 
Best pratices reliability & scalability on Azure
Alex Danvy
 
Pacu ~ Rhino Security
AWSMeetup
 
DevSecOps - CrikeyCon 2017
kieranjacobsen
 
Icinga @ OSMC 2014
Icinga
 
Ad

Similar to Rotating Passwords With Ansible and HashiVault (20)

PPT
All Change! How the new economics of Cloud will make you think differently ab...
Steve Poole
 
ODP
User Credential handling in Web Applications done right
tladesignz
 
PDF
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
OWASP Kyiv
 
PPTX
Zettaset Elastic Big Data Security for Greenplum Database
PivotalOpenSourceHub
 
PPTX
Have I Been Pwned and Cloudflare
StefnJkullSigurarson1
 
PPTX
Password Policies in Oracle Access Manager. How to improve user authenticatio...
Andrejs Prokopjevs
 
PDF
The Emergent Cloud Security Toolchain for CI/CD
James Wickett
 
PPTX
What’s New in Cloudera Enterprise 6.0: The Inside Scoop 6.14.18
Cloudera, Inc.
 
PDF
Big data at AWS Chicago User Group - 2014
AWS Chicago
 
PPTX
Password Management System: Enhancing Security and Efficiency
jatniwalafizza786
 
PDF
Keepler | Full-Stack Serverless Applications on GCP
Keepler Data Tech
 
PPTX
HDInsight Interactive Query
Ashish Thapliyal
 
PPTX
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
adamleff
 
PDF
Serverless Architectures: Ein Survival Guide
OPEN KNOWLEDGE GmbH
 
PDF
DevOops & How I hacked you DevopsDays DC June 2015
Chris Gates
 
PDF
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
HashiCorp
 
PPTX
Quality code in wordpress
Ran Bar-Zik
 
PDF
Introduction to Infrastructure as Code & Automation / Introduction to Chef
Nathen Harvey
 
PPTX
Password Policies in Oracle Access Manager. How to improve user authenticatio...
Andrejs Prokopjevs
 
PDF
Upgrade Your System’s Security - Making the Jump from Connext DDS Professiona...
Real-Time Innovations (RTI)
 
All Change! How the new economics of Cloud will make you think differently ab...
Steve Poole
 
User Credential handling in Web Applications done right
tladesignz
 
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
OWASP Kyiv
 
Zettaset Elastic Big Data Security for Greenplum Database
PivotalOpenSourceHub
 
Have I Been Pwned and Cloudflare
StefnJkullSigurarson1
 
Password Policies in Oracle Access Manager. How to improve user authenticatio...
Andrejs Prokopjevs
 
The Emergent Cloud Security Toolchain for CI/CD
James Wickett
 
What’s New in Cloudera Enterprise 6.0: The Inside Scoop 6.14.18
Cloudera, Inc.
 
Big data at AWS Chicago User Group - 2014
AWS Chicago
 
Password Management System: Enhancing Security and Efficiency
jatniwalafizza786
 
Keepler | Full-Stack Serverless Applications on GCP
Keepler Data Tech
 
HDInsight Interactive Query
Ashish Thapliyal
 
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
adamleff
 
Serverless Architectures: Ein Survival Guide
OPEN KNOWLEDGE GmbH
 
DevOops & How I hacked you DevopsDays DC June 2015
Chris Gates
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
HashiCorp
 
Quality code in wordpress
Ran Bar-Zik
 
Introduction to Infrastructure as Code & Automation / Introduction to Chef
Nathen Harvey
 
Password Policies in Oracle Access Manager. How to improve user authenticatio...
Andrejs Prokopjevs
 
Upgrade Your System’s Security - Making the Jump from Connext DDS Professiona...
Real-Time Innovations (RTI)
 
Ad

More from Keith Resar (7)

PDF
Simple Tips and Tricks with Ansible
Keith Resar
 
PPTX
Ansible Automation Best Practices From Startups to Enterprises - Minnebar 12
Keith Resar
 
PPTX
Hosting For Your Startup, Side Project, or Big Dollar App - Minnebar 12
Keith Resar
 
PDF
Advanced Use of jinja2 for Templates
Keith Resar
 
PPTX
DevFestMN 2017 - Learning Docker and Kubernetes with Openshift
Keith Resar
 
PDF
Container Storage Best Practices in 2017
Keith Resar
 
PDF
Importing Code and Existing Containers to OpenShift - Minneapolis Docker Meet...
Keith Resar
 
Simple Tips and Tricks with Ansible
Keith Resar
 
Ansible Automation Best Practices From Startups to Enterprises - Minnebar 12
Keith Resar
 
Hosting For Your Startup, Side Project, or Big Dollar App - Minnebar 12
Keith Resar
 
Advanced Use of jinja2 for Templates
Keith Resar
 
DevFestMN 2017 - Learning Docker and Kubernetes with Openshift
Keith Resar
 
Container Storage Best Practices in 2017
Keith Resar
 
Importing Code and Existing Containers to OpenShift - Minneapolis Docker Meet...
Keith Resar
 

Recently uploaded (20)

PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
PDF
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
project resource management chapter-09.pdf
ssuser00e6e21
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
August Patch Tuesday
Ivanti
 
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
project resource management chapter-09.pdf
ssuser00e6e21
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
Approach and Philosophy of On baking technology
30anthuong17
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
August Patch Tuesday
Ivanti
 
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 

Rotating Passwords With Ansible and HashiVault

  • 1. ROTATING PASSWORDS WITH ANSIBLE AND HASHIVAULT OUR PRACTICAL OVERVIEW OF SECRET MANAGEMENT BY INTEGRATING HASHICORP'S VAULT WITH ANSIBLE Keith Resar @KeithResar
  • 2. @KeithResar Keith Resar: Bio Wear many hats @KeithResar Keith.Resar@RedHat.com Coder Open Source Contributor and Advocate Infrastructure Architect
  • 3. 7 PRINCIPLES OF DEVSECOPS ● Humans create poor quality passwords, let’s generate them automatically ● An automated task would allow increased password rotation frequency ● Continuous deployment of password rotations would be ideal ● An automated task can be tested, and will never go beyond its scope ● Storing the password in a shared-secret vault is our break glass ● Integrating with AD would be great, allowing seamless runtime access control ● Passwords should not be stored in Git, deploy scripts, etc
  • 5. ANSIBLE VAULT ENABLES STORING SENSITIVE DATA SUCH AS PASSWORDS OR KEYS IN ENCRYPTED FILES, RATHER THAN AS PLAINTEXT IN YOUR PLAYBOOKS OR ROLES.
  • 6. ANSIBLE VAULT ● No External dependencies ● Encrypt entire files or individual secrets ● Version control, commit alongside playbooks
  • 7. ANSIBLE VAULT USAGE > ansible-vault {create,rekey,edit,encrypt} foo.yml > ansible-playbook foo.yml --ask-vault-pass
  • 8. MOVING BEYOND ANSIBLE VAULT ● Storing static information vs. Dynamic database ● Separation of automation from secrets ● Supporting password leases
  • 14. WHAT’S NEXT ● Application Support ● Notifications ● Tests ● External verification of secret inventory and change date
  • 15. RESOURCES ROTATE PASSWORDS WITH ANSIBLE AND HASHIVAULT http://far-oeuf.com/.../...ansible-hashivault ANSIBLE LOOKUP PLUGIN FOR HV SECRETS https://github.com/jhaals/ansible-vault ANSIBLE MINNEAPOLIS MEETUP https://www.meetup.com/Ansible-Minneapolis/