
save_secrets

This is a role for saving secrets to Hashicorp Vault. It has three modes of operation:

  • User account passwords - Generates (if needed) and saves the password of every item in the user_accounts, domain_user_accounts & admin_accounts lists to Vault.
  • Pregenerated secrets - Secrets generated outside the role (by the user or the playbook) and passed to it as a list; the role saves each one to Vault only if a secret with that key does not already exist, so an existing value is never replaced.
  • Auto-generated secrets - Secrets the user cannot choose because some application generates them itself and shows them only once (API keys, tokens etc.). For these the role saves the secret to Vault, overwriting any existing secret with the same key.

Refer to nova.core.accounts role for more information about the user_accounts, domain_user_accounts & admin_accounts lists.
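To make the pregenerated and auto-generated modes concrete, here is an added Python example; it is illustration code, not the nova.core role's implementation. It assumes, as the examples further down suggest, that every item becomes one key inside the JSON object stored at <engine>/data/<path> in a KV v2 engine; FakeKv2, generate_value and save_secrets are names chosen here, and the in-memory store stands in for a Vault server so the module runs offline. One thing the mode description leaves implicit is that "save only if it does not already exist" is a read-then-write, so the example issues every write as a KV v2 check-and-set (cas) against the version it read, which stops two concurrent runs from silently clobbering each other.

```python
"""Added example: the save_secrets modes as KV v2 check-and-set writes.

Not the nova.core role's own code. Assumes each item is one key inside the
JSON object at <engine>/data/<path>. FakeKv2 is an in-memory stand-in for a
Vault KV v2 engine so the example runs offline.
"""
import secrets as pysecrets


class CasMismatch(Exception):
    """Another writer changed the path between our read and our write."""


class FakeKv2:
    """Minimal KV v2 semantics: one versioned JSON object per path, optional cas."""

    def __init__(self):
        self._store = {}  # (engine, path) -> (version, data)

    def read(self, engine, path):
        """Return (version, data); (0, {}) when the path does not exist yet."""
        version, data = self._store.get((engine, path), (0, {}))
        return version, dict(data)

    def write(self, engine, path, data, cas):
        """KV v2 check-and-set: cas=0 means 'create only', cas=N means 'replace version N'."""
        current = self._store.get((engine, path), (0, {}))[0]
        if cas != current:
            raise CasMismatch(f"{engine}/{path}: expected version {cas}, found {current}")
        self._store[(engine, path)] = (current + 1, dict(data))
        return current + 1


def generate_value(hex_chars=32):
    """Same shape as the page's lookup('password', '/dev/null length=32 chars=hexdigits')."""
    return pysecrets.token_hex(hex_chars // 2)


def save_secrets(kv, items, engine_path, secrets_path, autogenerated_secret=False, retries=3):
    """Apply the role's modes to `items` and report what happened per key.

    Pregenerated (default): write the key only if it is absent; an existing
    value wins and the caller's value is discarded.  Auto-generated
    (autogenerated_secret=True, globally or per item): always write, replacing
    the existing value.  Every write is check-and-set against the version we
    read; on a conflict we re-read and decide again.
    """
    results = {}
    for item in items:
        key = item["key"]
        engine = item.get("secrets_vault_engine_path", engine_path)
        path = item.get("secrets_vault_secrets_path", secrets_path)
        overwrite = item.get("autogenerated_secret", autogenerated_secret)
        value = item["value"] if item.get("value") is not None else generate_value()
        for _ in range(retries):
            version, data = kv.read(engine, path)
            if key in data and not overwrite:
                results[(engine, path, key)] = "kept"
                break
            action = "overwritten" if key in data else "created"
            data[key] = value
            try:
                kv.write(engine, path, data, cas=version)
            except CasMismatch:
                continue  # someone else wrote first: re-read and decide again
            results[(engine, path, key)] = action
            break
        else:
            raise RuntimeError(f"{engine}/{path} key {key}: gave up after {retries} CAS conflicts")
    return results


def demo():
    """Constructed scenario: one pre-existing key, then items like the page's examples."""
    kv = FakeKv2()
    kv.write("kv", "secrets", {"secret2": "old-value"}, cas=0)  # constructed prior state
    items = [
        {"key": "secret1", "value": "password1"},   # new, predefined value
        {"key": "secret2", "value": "new-value"},   # exists -> kept, new value dropped
        {"key": "secret3"},                         # new, value generated here
        {"key": "api_token", "value": "tok-123", "autogenerated_secret": True,
         "secrets_vault_engine_path": "kv2", "secrets_vault_secrets_path": "app"},
    ]
    return kv, save_secrets(kv, items, "kv", "secrets")


if __name__ == "__main__":
    store, outcome = demo()
    for (eng, pth, k), act in outcome.items():
        print(f"{eng}/data/{pth}#{k}: {act}")
```

Against a real server the fake's read/write pair corresponds to hvac's client.secrets.kv.v2.read_secret_version(path=..., mount_point=...), whose data.metadata.version feeds the cas value (an absent path raises hvac.exceptions.InvalidPath, which the fake models as version 0), and create_or_update_secret(path=..., secret=..., cas=..., mount_point=...). Note the consequence of the pregenerated mode: a value supplied for a key that already exists is dropped without warning, so rotating a secret requires autogenerated_secret: true.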

Requirements

A Vault server with LDAP authentication enabled must be running and accessible. It can be installed using the nova.core.vault role.

Role Variables

Refer to defaults/main.yml for the full list of variables, their default values and descriptions.

Required Variables

  • secrets_vault_address - Address of the Vault server, ex. https://vault.example.com
  • secrets_vault_engine_path - Mount path of the secrets engine in Vault, ex. kv
  • secrets_vault_secrets_path - Path under the secrets engine where the secrets are stored, ex. secrets

Required Variables for Accounts Passwords

  • save_secrets_to_vault: true - Enable in a host or group var to make sure that this role gets included in start.yml and that items in the user_accounts, domain_user_accounts & admin_accounts lists are saved to Vault.

Example

Saving account passwords or pre-deployment secrets to Vault

# In group_vars/all.yml or host_vars/hostname.yml
# Defining the admin accounts for the group or host and saving them to Vault on a very early stage of the deployment
admin_accounts:
  - username: admin # REQUIRED
    password: password1 # OPTIONAL, will be autogenerated if not defined
    save_password_to_vault: true # OPTIONAL, default: true, set to false to skip saving this account password to Vault
    secrets_vault_engine_path: secrets # OPTIONAL, default: value of secrets_vault_engine_path on a project level
    secrets_vault_secrets_path: admins # OPTIONAL, default: value of secrets_vault_secrets_path on a project level
# In group_vars/all.yml or host_vars/hostname.yml
# Defining secrets to save to Vault on a very early stage of the deployment
secrets_to_vault_pre_deploy_secrets:
  - key: db_user # REQUIRED
    value: pass1 # OPTIONAL, will be autogenerated if not defined
    secrets_vault_engine_path: db_secrets # OPTIONAL, default: value of secrets_vault_engine_path on a project level
    secrets_vault_secrets_path: database # OPTIONAL, default: value of secrets_vault_secrets_path on a project level
    autogenerated_secret: true # OPTIONAL, default: false, set to true to overwrite any existing secret with the same key

Passing the secrets list to the role

- name: Saving secrets to Vault...
  ansible.builtin.include_role:
    name: nova.core.secrets_to_vault
  vars:
    secrets_vault_address: https://vault.example.com
    secrets_vault_engine_path: kv
    secrets_vault_secrets_path: secrets
    secrets:
      # Predefined secret to save to vault under kv/data/secrets
      - key: secret1
        value: password1
      # Predefined secret with a random generated value to save to vault under kv/data/secrets
      - key: secret2
        value: "{{ lookup('password', '/dev/null length=32 chars=hexdigits') }}"
      # Predefined secret whose random value is generated by the role, saved under kv/data/secrets
      - key: secret3

- name: Saving secrets to Vault and overwriting any existing secret that matches the key...
  ansible.builtin.include_role:
    name: nova.core.secrets_to_vault
  vars:
    secrets_vault_address: https://vault.example.com
    secrets_vault_engine_path: kv
    secrets_vault_secrets_path: secrets
    autogenerated_secret: true
    secrets:
      # Predefined secret with a random generated value to save to vault under kv/data/secrets
      - key: secret2
        value: "{{ lookup('password', '/dev/null length=32 chars=hexdigits') }}"

- name: Saving secrets to Vault and overwriting any existing secret that matches the key, set per item...
  ansible.builtin.include_role:
    name: nova.core.secrets_to_vault
  vars:
    secrets_vault_address: https://vault.example.com
    secrets_vault_engine_path: kv
    secrets_vault_secrets_path: secrets
    secrets:
      # Predefined secret with a random generated value to save to vault under kv/data/secrets
      - key: secret2
        value: "{{ lookup('password', '/dev/null length=32 chars=hexdigits') }}"
        autogenerated_secret: true

- name: Saving secrets to Vault but each item to different engine and path...
  ansible.builtin.include_role:
    name: nova.core.secrets_to_vault
  vars:
    secrets_vault_address: https://vault.example.com
    secrets:
      # Predefined secret to save to vault under kv1/data/user01/secrets1
      - key: secret1
        value: password1
        secrets_vault_engine_path: kv1
        secrets_vault_secrets_path: user01/secrets1
      # Predefined secret with a random generated value to save to vault under kv2/data/user02/secrets2
      - key: secret2
        value: "{{ lookup('password', '/dev/null length=32 chars=hexdigits') }}"
        secrets_vault_engine_path: kv2
        secrets_vault_secrets_path: user02/secrets2
      # Predefined secret whose random value is generated by the role, saved under kv3/data/user03/secrets3
      - key: secret3
        secrets_vault_engine_path: kv3
        secrets_vault_secrets_path: user03/secrets3