semaphoreui / semaphore

Modern UI and powerful API for Ansible, Terraform, OpenTofu, PowerShell and other DevOps tools.
https://semaphoreui.com
MIT License
10.52k stars, 1.06k forks

Feature: Support external key store service #2248

Open ilbarone87 opened 3 months ago

ilbarone87 commented 3 months ago

Related to: Configuration

Impact: security improvements

Missing Feature

Would be nice (in particular after the addition of support for TF and OT) and an improvement to security if a built-in feature would allow pulling secrets from an external secrets vault like Hashicorp Vault, Azure Keyvaults or AWS KMS. Both competitors, AWX (built-in) and rundeck (with plugin), already have this. Doing this through playbooks in Ansible at the moment is not the best user experience.

Implementation

I’ll leave this to the contributors.

Design

No response

aleksandrgluhov commented 3 months ago

Upvote for this feature request; this can be useful for storing kube config and other keys more conveniently.

As a pure ansible solution I personally use this self-made sugar:

Variables file:

# The !vault values are ansible-vault encrypted; the "asdf..." strings are
# placeholders standing in for the encrypted blobs.
vault_url: "https://foo.bar"
vault_ansible:
  role_id: !vault |
    asdfasdfasdfasdf
  secret_id: !vault |
    asdfasdfasdfasdf

# Folded scalar (>-) joins the lines with single spaces and drops the trailing
# newline, producing the space-separated key=value options the lookup expects.
vault_ansible_auth: >-
  auth_method=approle
  role_id={{ vault_ansible.role_id }}
  secret_id={{ vault_ansible.secret_id }}
  url={{ vault_url }}

Template file:

{# A space must separate the secret path from the auth options; without it the
   lookup would treat the key as "keyauth_method=approle" and fail. #}
application.secret_property={{ lookup('community.hashi_vault.hashi_vault', 'kv_storage/data/secret:key ' + vault_ansible_auth) }}

lafayetteduarte commented 2 months ago

+1

Omicron7 commented 1 month ago

https://github.com/semaphoreui/semaphore/pull/2360 adds support for Ansible vault password client scripts, which could solve some of this feature request. You'd need to write a client script that uses Hashicorp Vault, Azure Keyvaults or AWS KMS as a backend for a password for decrypting a vault.
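The client-script approach Omicron7 describes, written out as an added example (this is not code from PR #2360, from Semaphore, or from the commenters): an Ansible vault password client script that resolves the password from a HashiCorp Vault KV v2 secret over Vault's HTTP API. The environment variables `VAULT_ADDR` and `VAULT_TOKEN`, the `secret/ansible/<label>` path layout and the `password` key are assumptions for the example.

```python
#!/usr/bin/env python3
"""Ansible vault password client script (hypothetical example).

Ansible treats a --vault-id script whose filename ends in '-client.py' as a
client script: it runs it as `<script> --vault-id <label>` and reads the
vault password from stdout. Here the password is fetched from a HashiCorp
Vault KV v2 secret; VAULT_ADDR, VAULT_TOKEN and the secret layout
secret/ansible/<label> are assumptions, not Semaphore or Ansible settings.
"""
import argparse
import json
import os
import sys
import urllib.request

def parse_vault_id(argv):
    """Return the --vault-id label Ansible passes ('default' when unlabelled)."""
    parser = argparse.ArgumentParser()
    parser.add_argument("--vault-id", default="default")
    return parser.parse_args(argv).vault_id

def password_from_kv2(response, key):
    """Pull one key out of a KV v2 read response (payload sits under data.data).
    A missing key raises instead of returning '' so a typo fails decryption
    loudly rather than silently trying an empty password."""
    secret = response["data"]["data"]
    if key not in secret:
        raise KeyError(f"key {key!r} not found in secret")
    return secret[key]

def read_kv2(addr, token, mount, path):
    """GET <addr>/v1/<mount>/data/<path>; the only network call in the script."""
    req = urllib.request.Request(f"{addr}/v1/{mount}/data/{path}",
                                 headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def main(argv=None):
    label = parse_vault_id(sys.argv[1:] if argv is None else argv)
    addr = os.environ["VAULT_ADDR"]    # assumption: supplied by the runner env
    token = os.environ["VAULT_TOKEN"]  # assumption: short-lived token, not a file
    response = read_kv2(addr, token, "secret", f"ansible/{label}")
    # Emit only the password itself, nothing else on stdout.
    sys.stdout.write(password_from_kv2(response, "password"))
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Used as `ansible-playbook --vault-id prod@vault-client.py site.yml`, each vault-id label maps to its own secret, so the same script serves several vaults without the password ever being written to disk on the runner.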