
save_secrets

This is a role for saving secrets to Hashicorp Vault. It has three modes of operation:

  • User account passwords - Generates (if needed) and saves the password for every item in the user_accounts, domain_user_accounts & admin_accounts lists to Vault.
  • Pregenerated secrets - Secrets are supplied to the role as a list (with a value chosen by the user, or with no value so that the role generates one) and the role saves them to Vault only if a secret with that key does not already exist.
  • Auto-generated secrets - Secrets that cannot be chosen by the user because some application generates them and shows them only once (API keys, tokens etc.). In that case the role saves the secret to Vault, overwriting any existing secret with the same key.

Refer to nova.core.accounts role for more information about the user_accounts, domain_user_accounts & admin_accounts lists.

Requirements

A Vault server with LDAP authentication enabled must be running and reachable from the control node. It can be installed using the nova.core.vault role.

Role Variables

Refer to defaults/main.yml for the full list of variables, their default values and descriptions.

Required Variables

  • secrets_vault_address - Address of the Vault server ex. https://vault.example.com
  • secrets_vault_engine_path - Path to the secrets engine in Vault ex. kv
  • secrets_vault_secrets_path - Path to the secrets under the secrets engine in Vault ex. secrets (with a KV v2 engine mounted at kv this resolves to kv/data/secrets)

Required Variables for Accounts Passwords

  • save_secrets_to_vault: true - Set this in host_vars or group_vars to make sure that this role gets included in start.yml and that the items in the user_accounts, domain_user_accounts & admin_accounts lists are saved to Vault.

Example

- name: Saving secrets to Vault...
  ansible.builtin.include_role:
    name: nova.core.secrets_to_vault
  vars:
    secrets_vault_address: https://vault.example.com
    secrets_vault_engine_path: kv
    secrets_vault_secrets_path: secrets
    secrets:
      # Predefined secret to save to vault under kv/data/secrets
      - key: secret1
        value: password1
      # Predefined secret with a random generated value to save to vault under kv/data/secrets
      - key: secret2
        value: "{{ lookup('password', '/dev/null length=32 chars=hexdigits') }}"
      # Predefined secret with no value; the role generates a random value and saves it under kv/data/secrets
      - key: secret3

- name: Saving secrets to Vault and overwriting any existing that match the key...
  ansible.builtin.include_role:
    name: nova.core.secrets_to_vault
  vars:
    secrets_vault_address: https://vault.example.com
    secrets_vault_engine_path: kv
    secrets_vault_secrets_path: secrets
    autogenerated_secret: true
    secrets:
      # Random value regenerated on every run; because autogenerated_secret is set, each run overwrites kv/data/secrets/secret2
      - key: secret2
        value: "{{ lookup('password', '/dev/null length=32 chars=hexdigits') }}"

- name: Saving secrets to Vault and overwriting any existing that match the key per item...
  ansible.builtin.include_role:
    name: nova.core.secrets_to_vault
  vars:
    secrets_vault_address: https://vault.example.com
    secrets_vault_engine_path: kv
    secrets_vault_secrets_path: secrets
    secrets:
      # Random value regenerated on every run; the per-item autogenerated_secret flag below makes this item overwrite while others keep the default
      - key: secret2
        value: "{{ lookup('password', '/dev/null length=32 chars=hexdigits') }}"
        autogenerated_secret: true
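The three modes and the examples above come down to one decision per key: write only if the key is absent (account passwords and pregenerated secrets) or overwrite unconditionally (auto-generated secrets). The following is an added example in Python, not the nova.core role's own code, that models that decision against an in-memory stand-in for Vault's KV v2 API. It assumes one secret path per key under secrets_vault_secrets_path (the page does not state the role's real layout), and the names FakeKvV2, CheckAndSetMismatch, account_items and save_secrets are the example's own. The cas (check-and-set) parameter it relies on is a real KV v2 feature: a write with cas=0 succeeds only if the path has no version yet, so "save if not exists" is enforced by Vault rather than by a racy read-then-write.

```python
import secrets


class CheckAndSetMismatch(Exception):
    """Raised by the stand-in when a write's cas value does not match the current
    version (a real hvac client raises hvac.exceptions.InvalidRequest here)."""


class FakeKvV2:
    """In-memory stand-in for the two KV v2 calls the logic below needs.

    Method names and parameters follow hvac's KvV2 API
    (create_or_update_secret(path, secret, cas, mount_point) and
    read_secret_version(path, mount_point)); behaviour is only modelled so the
    example runs offline. Unlike hvac, a missing path returns None instead of
    raising InvalidPath.
    """

    def __init__(self):
        # (mount_point, path) -> {"data": {...}, "version": n}; path is relative
        # to the mount, i.e. kv/data/secrets/secret1 is ("kv", "secrets/secret1").
        self.store = {}

    def read_secret_version(self, path, mount_point="kv"):
        return self.store.get((mount_point, path))

    def create_or_update_secret(self, path, secret, cas=None, mount_point="kv"):
        current = self.store.get((mount_point, path))
        version = current["version"] if current else 0
        # Check-and-set: with cas=N the write only succeeds if the current
        # version is N, so cas=0 means "create only, never overwrite".
        if cas is not None and cas != version:
            raise CheckAndSetMismatch(
                f"{mount_point}/data/{path} is at version {version}, cas was {cas}")
        self.store[(mount_point, path)] = {"data": dict(secret), "version": version + 1}
        return self.store[(mount_point, path)]


def generate_secret(length=32):
    """Random hex string of the same shape as
    lookup('password', '/dev/null length=32 chars=hexdigits')."""
    return secrets.token_hex(length // 2)


def account_items(accounts):
    """Map account dicts to secret items keyed by username.
    Assumed layout for the example; the role's real account schema is not shown on the page."""
    return [{"key": a["username"], "value": a.get("password")} for a in accounts]


def save_secrets(kv, engine_path, secrets_path, items, autogenerated_secret=False):
    """Save each {key, value?, autogenerated_secret?} item under
    <engine_path>/data/<secrets_path>/<key>.

    Returns {key: "created" | "kept" | "overwritten"} so the caller can see what happened.
    """
    results = {}
    for item in items:
        path = f"{secrets_path}/{item['key']}"
        # A per-item flag wins over the role-level flag.
        overwrite = item.get("autogenerated_secret", autogenerated_secret)
        # A missing or empty value means "let the role generate one".
        value = item.get("value") or generate_secret()
        if overwrite:
            # Auto-generated mode: the application has already rotated the secret,
            # so the stored copy must be replaced unconditionally.
            existed = kv.read_secret_version(path, mount_point=engine_path) is not None
            kv.create_or_update_secret(path, {"value": value}, mount_point=engine_path)
            results[item["key"]] = "overwritten" if existed else "created"
        else:
            # Pregenerated / account-password mode: only write if nothing is there.
            # cas=0 makes Vault enforce that atomically; a read-then-write check
            # could lose a race and clobber a secret another run just saved.
            try:
                kv.create_or_update_secret(path, {"value": value}, cas=0, mount_point=engine_path)
                results[item["key"]] = "created"
            except CheckAndSetMismatch:
                results[item["key"]] = "kept"
    return results
```

Against a real server, FakeKvV2 would be replaced by hvac.Client(url=secrets_vault_address).secrets.kv.v2 after an LDAP login, with hvac.exceptions.InvalidRequest caught in place of CheckAndSetMismatch and InvalidPath handled on the read. The point the model makes is the one worth checking in any implementation of the non-overwriting modes: the "does not already exist" guarantee should come from cas=0, not from a separate read.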