ansible-collections / microsoft.ad

Ansible collection for Active Directory management
GNU General Public License v3.0

Encrypt LAPS credentials with ansible-vault #100

Closed no-12 closed 7 months ago

no-12 commented 7 months ago
SUMMARY

It would be nice to have an option to encrypt the LAPS credentials fetched by the ldap inventory plugin with ansible-vault. This would make storing the LAPS credentials in AWX a little bit more secure and won't allow users with read permissions on the inventory to view the credentials. This would also be useful if you run this plugin without AWX to generate a "static" inventory file.

ISSUE TYPE
COMPONENT NAME

microsoft.ad.ldap inventory

jborean93 commented 7 months ago

Hi, I'm not sure what the benefits of this would be as the LAPS password changes quite frequently and it's not really designed to be stored offline. I'm not 100% familiar with AWX, are you saying that having it run the dynamic inventory allows it to read the generated inventory?

You can use ansible-inventory to retrieve the password details, which you then can encrypt if you wish, but this is something you have to do every time the LAPS password is changed. For example, I have this inventory configuration in microsoft.ad.ldap.yml:

plugin: microsoft.ad.ldap

search_base: OU=Servers,DC=domain,DC=test

attributes:
  msLAPS-EncryptedPassword:
    ansible_user: (this.value | from_json).n
    ansible_password: (this.value | from_json).p

I can run the following to retrieve the username and password configured by LAPS:

$ ansible-inventory -i microsoft.ad.ldap.yml --host SERVER2022 --vars

{
    "ansible_host": "SERVER2022.domain.test",
    "ansible_password": "...",
    "ansible_user": "Administrator",
    "microsoft_ad_distinguished_name": "CN=SERVER2022,OU=Servers,DC=domain,DC=test"
}
no-12 commented 7 months ago

AWX runs any ansible inventory plugin and converts the resulting JSON to persistent objects in its DB.

So the idea was to run the inventory sync on a fixed schedule. Or an even more dynamic approach would be to use the Windows event of the LAPS password change to trigger an AWX callback to update the inventory and hence the LAPS password in AWX.

The rotation of the LAPS password is a little bit of a problem but it is manageable.

The problem I want to address with this issue is that I want to allow the users to read the inventory and the corresponding host vars in AWX, but they should NOT be able to view the LAPS password in clear text.

jborean93 commented 7 months ago

I unfortunately think this might be a question more for AWX, or a custom solution to check in your own encrypted values. You can whip up a script with ansible-inventory and jq to extract the values, which are then piped to ansible-vault, if you want to go your own way, but if you are wanting something special with AWX that might be a question for them, sorry.

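The ansible-inventory plus ansible-vault route suggested above, written out as an added example (this is not code from the collection or from either participant). Assumptions that are not in the thread: the inventory is read with `ansible-inventory --list`, whose `_meta.hostvars` layout is the standard dynamic-inventory JSON; the password is piped into `ansible-vault encrypt_string --stdin-name` over stdin rather than extracted with jq into a command line; the vault password is supplied as a `--vault-id label@source` argument; and the result is one `host_vars/<host>.yml` per host. The `SAMPLE_INVENTORY` at the top is constructed test data in that shape.

```python
"""Export LAPS credentials from the microsoft.ad.ldap inventory into
ansible-vault encrypted host_vars.

Added example, not part of the collection. Assumptions (not from the thread):
  * `ansible-inventory -i microsoft.ad.ldap.yml --list` is used, so hosts and
    their vars arrive under `_meta.hostvars` (standard dynamic-inventory JSON)
  * the password is piped into `ansible-vault encrypt_string --stdin-name`
  * VAULT_ID is a `label@source` value such as `laps@/run/secrets/laps-vault`
  * one `host_vars/<host>.yml` is written per host
"""
import json
import subprocess
import sys
from pathlib import Path

# Constructed sample in the shape of `ansible-inventory --list`; not real data.
SAMPLE_INVENTORY = {
    "_meta": {
        "hostvars": {
            "SERVER2022": {
                "ansible_host": "SERVER2022.domain.test",
                "ansible_user": "Administrator",
                "ansible_password": "example-not-real",
                "microsoft_ad_distinguished_name":
                    "CN=SERVER2022,OU=Servers,DC=domain,DC=test",
            },
            # A host with no msLAPS-EncryptedPassword attribute: skipped.
            "SERVER2019": {"ansible_host": "SERVER2019.domain.test"},
        }
    },
    "all": {"children": ["ungrouped"]},
    "ungrouped": {"hosts": ["SERVER2022", "SERVER2019"]},
}


def extract_laps_creds(inventory: dict) -> dict:
    """Return {host: {"user": ..., "password": ...}} for every host where the
    ldap plugin's attribute template set both ansible_user and ansible_password."""
    creds = {}
    for host, hostvars in inventory.get("_meta", {}).get("hostvars", {}).items():
        user = hostvars.get("ansible_user")
        password = hostvars.get("ansible_password")
        if user and password:
            creds[host] = {"user": user, "password": password}
    return creds


def vault_encrypt_string(secret: str, vault_id: str, var_name: str) -> str:
    """Produce a `var_name: !vault |` YAML block with ansible-vault.

    The secret goes over stdin, never as an argv element, so it does not show
    up in `ps` output or shell history (which a jq-into-argv pipeline would)."""
    proc = subprocess.run(
        ["ansible-vault", "encrypt_string", "--vault-id", vault_id,
         "--stdin-name", var_name],
        input=secret, capture_output=True, text=True, check=True,
    )
    return proc.stdout


def render_host_vars(host: str, user: str, vaulted_password_block: str) -> str:
    """Compose the host_vars file: a rotation reminder, the non-secret user
    name (json.dumps gives a YAML-safe quoted scalar), and the vault block."""
    return (
        f"# Generated from microsoft.ad.ldap for {host}; "
        "LAPS rotates the password, so re-run the export after each rotation.\n"
        f"ansible_user: {json.dumps(user)}\n"
        f"{vaulted_password_block.rstrip()}\n"
    )


def has_plaintext(text: str, secret: str) -> bool:
    """Guard against ever writing the LAPS password in the clear."""
    return secret in text


def export(inventory_file: str, vault_id: str, out_dir: str = "host_vars") -> list:
    raw = subprocess.run(
        ["ansible-inventory", "-i", inventory_file, "--list"],
        capture_output=True, text=True, check=True,
    ).stdout
    written = []
    Path(out_dir).mkdir(exist_ok=True)
    for host, cred in extract_laps_creds(json.loads(raw)).items():
        block = vault_encrypt_string(cred["password"], vault_id, "ansible_password")
        text = render_host_vars(host, cred["user"], block)
        if has_plaintext(text, cred["password"]):
            sys.exit(f"refusing to write {host}: plaintext password in output")
        path = Path(out_dir, f"{host}.yml")
        path.write_text(text)
        path.chmod(0o600)  # the vault file is still sensitive at rest
        written.append(str(path))
    return written


if __name__ == "__main__":
    # usage: python export_laps.py microsoft.ad.ldap.yml laps@/run/secrets/laps-vault
    print("\n".join(export(sys.argv[1], sys.argv[2])))
```

Users with read access to the generated host_vars see only the vault ciphertext; `ansible_user` stays in the clear because it is not secret. The caveat raised earlier in the thread still applies: the export is only valid until the next LAPS rotation, so it has to be re-run on a schedule or from the password-change event.
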
no-12 commented 7 months ago

Yeah, I think you are right. Thank you for your feedback.