Headline
Easily integrate Secrets Management System with Ansible Automation Platform to update systems passwords
Changing systems passwords is a common task that all systems administrators must do to keep up with all the latest security policies. Now with secrets being managed by the secrets management system, we need a way to integrate with that to keep and manage all the secrets safe while updating the systems passwords in a secure, safe and automated way to stay compliant with all the rules and regulations.Red Hat Ansible Automation Platform makes this easy; there are so many ready-made playbook examples available to update any managed platform, such as Linux, Windows and many network devices. ht
Changing systems passwords is a common task that all systems administrators must do to keep up with all the latest security policies. Now with secrets being managed by the secrets management system, we need a way to integrate with that to keep and manage all the secrets safe while updating the systems passwords in a secure, safe and automated way to stay compliant with all the rules and regulations.
Red Hat Ansible Automation Platform makes this easy; there are so many ready-made playbook examples available to update any managed platform, such as Linux, Windows and many network devices. https://docs.ansible.com/ansible/latest/collections/ansible/builtin/user_module.html
Ansible Automation Platform also has built-in ready made integration with many secrets management. Certify, HashiCorp, CyberArk and Thycotic to name a few.
https://docs.ansible.com/automation-controller/latest/html/userguide/credential_plugins.html
This article is one opinionated way to configure Ansible Automation Platform and the Ansible Playbooks required to rotate system passwords on the Red Hat Enterprise Linux server integrated with HashiCorp Vault. Let’s get started.
Installation of HashiCorp Vault is out of scope for this blog but it is easy to do. Here is a link to the installation doc. https://support.hashicorp.com/hc/en-us/articles/5345962021523-Installing-Vault-Enterprise-RPM-package-on-Linux-RHEL-CentOS
Here is a screen shot of mysecret on HashiCorp Vault. Make note of the secrets path /cubbyhole/mysecret
Update Password on RHEL update_password.yml. The Red Hat Ansible Lightspeed service suggested using the ansible.builtin.user module in this playbook. The debug module can be used to test the update_password variable and add no_log to the task to keep the password from leaking into logs.
---
- name: update rhel password
hosts: update_servers
become: true
tasks:
# # Print User Pass and its updates
# - name: Print User Pass and updated user pass
# ansible.builtin.debug:
# msg:
# - "update_username {{ update_username }}"
# - "update_password {{ update_password }}"
# update user password
# Content suggestion provided by Ansible Lightspeed
- name: Update user password
ansible.builtin.user:
name: "{{ update_username }}"
password: "{{ update_password | password_hash('sha512') }}"
no_log: True
Update Password on HashiVault update_hashi_vault_secret.yml. This playbook uses the URI module to update the secret. Please note the unique URL that is for the secrets path you need to access. In this example below, it’s http://192.168.1.100:8200/v1/cubbyhole/mysecret.
---
- name: Update HashiCorp Vault Secret using uri module
hosts: localhost
connection: local
gather_facts: no
tasks:
- name: Set Vault address and token
set_fact:
vault_address: "http://192.168.1.100:8200"
vault_token: "????????????"
new_username: "some_username_to_update"
new_password: "new_password_to_be_updated"
- name: Update secret in Vault
uri:
url: "{{ vault_address }}/v1/cubbyhole/mysecret"
method: POST
headers:
X-Vault-Token: "{{ vault_token }}"
body_format: json
body:
{
username: "{{ new_username }}",
password: "{{ new_password }}"
}
status_code: 204
register: vault_result
no_log: True
# - name: Print Vault result
# debug:
# var: vault_result
Create HashiCorp Vault Secret Lookup credentials
This is the secrets lookup plugin access to your HashiCorp Vault.
Create update_password custom credential type.
Why do we need a custom credential type? We need a way to pass the secrets password from HashiCorp Vault to the Ansible Playbook. This uses a simple username/password as input and then it updates extra vars update_user/update_password to its counterpart.
Create the credentials to update_userpass_mysecret
Now we need to use the custom credential type we just created to pull the secrets from the HashiCorp Vault. This pulls the latest secret from the secrets path /cubbyhole/mysecret
Create the Job template to update password on RHEL
It’s time to bring it all together in this job template. The playbook update_password.yml you created at the beginning. Note that there are two credentials here. The first credential is the common machine type that allows Ansible Automation Platform to log into the device you are managing. The second credential is the one that was just created to pull the update_password from HashiCorp Vault. This playbook will use this extra var to update the latest password stored in the secret vault.
Create Job template to update new password on HashiVault’s “mysecret”
You can manually update the HashiCorp Vault secret, but why not automate that too using Ansible Automation Platform? Use the playbook update_hashi_vault_secret.yml and add in the new password as extra var and watch it update in the easy Ansible automated way.
Create Workflow Job Template
Now that you have the job template to update the HashiCorp Vault as well as the RHEL server, let’s combine them as a one single automation task. Using the Workflow Job Template makes this easy.
Create Schedule to update every 2 months
Scheduling this workflow is another great way to maintain compliance. The example here shows every 2 months, but please follow the policies of your own organization.
Summary
We were able to create playbooks to update passwords on the RHEL server as well as the HashiCorp Vault using built-in modules. We used built-in HashiCorp Vault credential type to integrate it with AAP and used custom credential type to create extra variables to send updated passwords to our Job Templates. This was all tied together as a single automation execution using the Workflow Job Template. Finally, we use the scheduling feature to schedule the workflow to meet the policy requirements.
Ansible Hunt QR Code:
Ansible Hunt
Where to go next
- Check out content from Red Hat Summit 2024!
- For further reading and information, visit the other blogs related to Ansible. Also please reference the Red Hat blog for more content on Ansible Automation Platform.
- Check out the YouTube playlist for everything about Ansible Collections to know more.
- Check out all our E-Books online here.
- Are you new to Ansible automation and want to learn? Check out our getting started guide on developers.redhat.com