yungezz commented 6 years ago

Proposal:

Author: @yungezz

Date: 2018-08-01

Status: New
Proposal type: (Modules enhancement)
Targeted release: 2.7
Associated PR: https://github.com/ansible/ansible/pull/42290
Estimated time to implement: 1 week

Motivation

Secrets used in Ansible playbooks, such as ssh key, are saved in environment variables or files on specific ansible control machine. This will cause setup/management effort when swtiching to new control machines. When secrets are updated, all copy will need be updated.

Problems

Security concern on secrets stored on control machine.
maintenance effort is big when secrets updating, ansible control machine changing.

Solution proposal

User stores secrets in Cloud(Azure Key Vault). Azure key Vault is a cloud service works as a secure secrets store. This addresses security concern.
Ansible will retrieve secrets stored in Azure Key Vault from anywhere. This makes secrets maintenance easy. Key rolling will be easy since Azure Key Vault secrets is versioned.
User will use secrets in tasks with below syntax:

   vars:
     new_password: !azurekeyvault | <your_vault_name>.vault.azure.net:<secret_name>(/<secret_version>)

   tasks:
   - name: update mysql root password
     mysql_user:
       name: root
       host: "{{ item }}"
       password: "{{ new_password }}
       priv: "*.*:ALL,GRANT"

Dependencies

Authentication to Azure Key Vault, this could be done via normal Azure authentication today via environment variables or ~/.azure/credentials. If auth plugin or cloud credential proposed turned out to be agreed, then authentication could leverage cloud credential.
SDK dependencies. Need consider the process to install azure-keyvault sdk dependencies.

More info

We have a PR here on implementation, and below is an example on how to use it:

 - name: copy
    copy:
      content=!azurekeyvault | !azurekeyvault:https://kvtesttest.vault.azure.net/:ansiblesecret
      dest=~/src/ansible-testapp/kvtest.txt