Ansible Tower
A collection of Ansible plugins that interact with your Keeper account and can be used in your Ansible Tower automations.
Features
Store Secrets Manager configurations securely in Ansible Tower
Use Ansible Tower to manager and launch Ansible projects utilizing the Secrets Manager Ansible plugin which features:
Retrieving secrets from the Keeper vault to use in Ansible Playbooks
Updating the value of secrets in the Keeper Vault from Ansible
Copying files from the Keeper Vault
For a complete list of Keeper Secrets Manager features see the Overview
KSM Configuration
The first step in using Ansible Tower with Keeper Secrets Manager is to get and initialize a Base64 configuration. The Secret Manager Configuration document will explain how to get a configuration using the Keeper Secret Manager CLI or Commander CLI.
Using Commander CLI, add a new device can generate a Base64 configuration without using a one time access token.
The Keeper Secrets Manager CLI requires a one-time access token. This can be obtained from the Web Vault by adding a new device to an application.
Another way using the keeper_init_token
role included in the Keeper Secrets Manager collection, which can used after Ansible Tower is setup. An example will appear at the end of this document.
The Base64 configuration can be added to the inventories, hosts, or templates variables sections. It can also be added to the playbook repository as an Ansible secret. The variable name is keeper_config.
Vault Credential
With the Base64 KSM configuration we need to create a vault credential. Under the Resources menu, select Credentials and click Add.
Give your Vault Credential a name, select Vault from the Credential Type drop-down, type in the password that was used to encrypt the secrets.yml
file into the Vault Password field, then click Save.
The credential will be used when the Template is setup.
Execution Environment
To use the Keeper Secrets Manager plugins in Ansible Tower an Execution Environment containing the Keeper Secrets Manager SDK is required. This SDK is included in the Docker image keeper/keeper-secrets-manager-tower-ee
. In your instance of Ansible Tower, select Execution Environment in the Administration menu, then click Add.
The Image value is docker.io/keeper/keeper-secrets-manager-tower-ee:latest
or docker.io/keeper/keeper-secrets-manager-tower-ee:<tag>
if there is a specific tag version.
The value for Pull should be set to Always pull container before running is you are using the latest tag. If you pin the tag to a specific tag version of keeper/keeper-secrets-manager-tower-ee
then set the value to Only pull the image if not present before running.
Projects
Playbook Repository
Using the Keeper Security Manager collection from Ansible Galaxy
To use the Keeper Secrets Manager plugins in your projects, create a collections
directory in your source repository, if one does not already exists. Then create, or add to, the file requirements.yml
the following value.
Storing the KSM Configuration
The Base64 KSM configuration can be stored in numerous places inside of Ansible Tower like in the inventories, hosts, and templates. The configuration is encrypted when stored in these locations.
For this project, the KSM configuration will be stored as an encrypted secret in the source repository. Add a YAML file called secrets.yml
in a directory called defaults
located in the root directory of the repository.
In this file add a key called keeper_config
with the Base64 configuration as it's value.
Then encrypt the secrets.yml
file using ansible-vault
.
Remember the password, it will be needed in Tower for a Vault Credential.
At this point, if you look at your secrets.yml file, it should be encrypted.
Playbook
The directory structure should look like the following.
For our playbooks, the Keeper Secrets Manager collection is added to the playbook collections. The first task is to include the secrets.yml
using the built-in action include_vars
. That task also includes no_log: True
to prevent the KSM configuration from being logged. This task needs to be performed before any of the plugins from the Keeper Secrets Manager collection.
Ansible Tower uses it's own stdout callback plugin. So using keeper_redact will not work. It's important to add no_log: True
to tasks that may display secrets in the log.
Project
Once you have added the collection to your source repository, a new Project can be created.
Make sure to select the Execution Environment that you create that uses the keeper/keeper-secrets-manager-tower-ee
image.
In the example above, the source repository was Git with the appropriate details. Your company may use a different source control.
After it is saved, sync the playbooks to your Ansible Tower instance.
Template
In your instance of Ansible Tower, select Templates in the Resources menu, then click Add.
For Projects select the project that was just created that contain the playbooks. For Execution Environment select the execution environment what contains the Keeper Secrets Manager Tower EE docker image. For Playbook select a playbook from your source repository.
For Credentials select the Vault credential that will be used to decrypt the secrets.yml
file in the Project's source repository. You can also select the credential to use for connection to your inventory servers.
Finish by clicking the Save button at the bottom of the page.
Launching a Template
The last step is to launch a template to create a job.
The include_vars
task will import the KSM Base64 Configuration and decrypt it. The no_log: True
will hide the configuration from the log. If it is not included, the configuration will be logged and viewable by anyone who has access to Ansible Tower.
With the configuration now in the available variables, the keeper_copy
action can retrieve the public and private SSH key from the Keeper Vault and copy them into location on the remote machine.
See the Ansible Plugin documentation for all the Secrets Manager capabilities available to Ansible
Last updated