Ansible Tower

A collection of Ansible plugins that interact with your Keeper account and can be used in your Ansible Tower automations.

Features

  • Store Secrets Manager configurations securely in Ansible Tower
  • Use Ansible Tower to manager and launch Ansible projects utilizing the Secrets Manager Ansible plugin which features:
    • Retrieving secrets from the Keeper vault to use in Ansible Playbooks
    • Updating the value of secrets in the Keeper Vault from Ansible
    • Copying files from the Keeper Vault
For a complete list of Keeper Secrets Manager features see the Overview

KSM Configuration

The first step in using Ansible Tower with Keeper Secrets Manager is to get and initialize a Base64 configuration. The Secret Manager Configuration document will explain how to get a configuration using the Keeper Secret Manager CLI or Commander CLI.
Using Commander CLI, add a new device can generate a Base64 configuration without using a one time access token.
keeper secrets-manager client add --app MyApp --config-init b64
The Keeper Secrets Manager CLI requires a one-time access token. This can be obtained from the Web Vault by adding a new device to an application.
$ ksm init default US:XXXX
Another way using the keeper_init_token role included in the Keeper Secrets Manager collection, which can used after Ansible Tower is setup. An example will appear at the end of this document.
The Base64 configuration can be added to the inventories, hosts, or templates variables sections. It can also be added to the playbook repository as an Ansible secret. The variable name is keeper_config.

Vault Credential

With the Base64 KSM configuration we need to create a vault credential. Under the Resources menu, select Credentials and click Add.
Give your Vault Credential a name, select Vault from the Credential Type dropdown, type in the password that was used to encrypt the secrets.yml file into the Vault Password field, then click Save.
The credential will be used when the Template is setup.

Execution Environment

To use the Keeper Secrets Manager plugins in Ansible Tower an Execution Environment containing the Keeper Secrets Manager SDK is required. This SDK is included in the Docker image keeper/keeper-secrets-manager-tower-ee. In your instance of Ansible Tower, select Execution Environment in the Administration menu, then click Add.
The Image value is docker.io/keeper/keeper-secrets-manager-tower-ee:latest or docker.io/keeper/keeper-secrets-manager-tower-ee:<tag> if there is a specific tag version.
The value for Pull should be set to Always pull container before running is you are using the latest tag. If you pin the tag to a specific tag version of keeper/keeper-secrets-manager-tower-ee then set the value to Only pull the image if not present before running.

Projects

Playbook Repository

Using the Keeper Security Manager collection from Ansible Galaxy

To use the Keeper Secrets Manager plugins in your projects, create a collections directory in your source repository, if one does not already exists. Then create, or add to, the file requirements.yml the following value.
---
collections:
- keepersecurity.keeper_secrets_manager

Storing the KSM Configuration

The Base64 KSM configuration can be stored in numerous places inside of Ansible Tower like in the inventories, hosts, and templates. The configuration is encrypted when stored in these locations.
For this project, the KSM configuration will be stored as an encrypted secret in the source repository. Add a YAML file called secrets.yml in a directory called defaults located in the root directory of the repository.
In this file add a key called keeper_config with the Base64 configuration as it's value.
---
keeper_config: ewogICAgImNsaWVudElk ... Y0tleUlkIjogIjEwIgp9
Then encrypt the secrets.yml file using ansible-vault.
Remember the password, it will be needed in Tower for a Vault Credential.
$ ansible-vault encrypt secret.yml
New Vault password:
Confirm New Vault password:
Encryption successful
At this point, if you look at your secrets.yml file, it should be encrypted.

Playbook

The directory structure should look like the following.
$ tree
.
├── collections
│   └── requirements.yml
├── defaults
│   └── secrets.yml
├── playbook_1.yml
└── playbook_2.yml
For our playbooks, the Keeper Secrets Manager collection is added to the playbook collections. The first task is to include the secrets.yml using the built-in action include_vars. That task also includes no_log: True to prevent the KSM configuration from being logged. This task needs to be performed before any of the plugins from the Keeper Secrets Manager collection.
Ansible Tower uses it's own stdout callback plugin. So using keeper_redact will not work. It's important to add no_log: True to tasks that may display secrets in the log.
---
- name: Playbook One
hosts: all
collections:
- keepersecurity.keeper_secrets_manager
tasks:
- include_vars:
file: "defaults/secrets.yml"
no_log: True
- name: "Make User SSH Directory, if does not exists"
file:
path: "/home/user/.ssh"
state: directory
recurse: yes
- name: "Copy SSH Keys"
keeper_copy:
notation: "OlLZ6JLjnyMOS3CiIPHBjw/field/keyPair[{{ item.notation_key }}]"
dest: "/home/user/.ssh/{{ item.filename }}"
mode: "0600"
loop:
- { notation_key: "privateKey", filename: "id_rsa" }
- { notation_key: "publicKey", filename: "id_rsa.pub" }

Project

Once you have added the collection to your source repository, a new Project can be created.
Make sure to select the Execution Environment that you create that uses the keeper/keeper-secrets-manager-tower-ee image.
In the example above, the source repository was Git with the appropriate details. Your company may use a different source control.
After it is saved, sync the playbooks to your Ansible Tower instance.

Template

In your instance of Ansible Tower, select Templates in the Resources menu, then click Add.
For Projects select the project that was just created that contain the playbooks. For Execution Environment select the execution environment what contains the Keeper Secrets Manager Tower EE docker image. For Playbook select a playbook from your source repository.
For Credentials select the Vault credential that will be used to decrypt the secrets.yml file in the Project's source repository. You can also select the credential to use for connection to your inventory servers.
Finish by clicking the Save button at the bottom of the page.

Launching a Template

The last step is to launch a template to create a job.
The include_vars task will import the KSM Base64 Configuration and decrypt it. The no_log: True will hide the configuration from the log. If it is not included, the configuration will be logged and viewable by anyone who has access to Ansible Tower.
With the configuration now in the available variables, the keeper_copy action can retrieve the public and private SSH key from the Keeper Vault and copy them into location on the remote machine.
See the Ansible Plugin documentation for all the Secrets Manager capabilities available to Ansible