
I'm not sure I have a clear title, but here is my story:

I'm working on an OpenStack cloud (OpenStack is not important here) and I need to set my username/password each time I call the OpenStack API; it's classic.

I created a program (with Ansible, but this is not important here) that builds a website from OpenStack data provided by its API. I need to execute it manually each time because I can't store my credentials.

Now, I want to automate it. How do I create a scheduled task (with cron, for example) that launches my script with my credentials? This task can't be changed except by me, the credentials must be hidden, and the script called by the task must also be protected (a checksum check, for example).

Constraints: on all virtual machines, we (me and my team) have a single user to log in with, and I want to protect my credentials even against the root user.

Any tool that can help me do that is welcome (cron, Jenkins, ...).

Nelson G.

1 Answer


First, if you already use Ansible, then it would be a good idea to use it to run the task from a control server. If your systems are, for example, in production mode, then storing any credentials on them is not a good idea, because encrypting credentials needs other credentials, and you don't want to store those on the same system unencrypted, so you start to encrypt them with.... you see.

So, use Ansible from a control machine which has access to all the systems. You run there a playbook that does the things that need to be done on the target host. Then Ansible needs the credentials. They can be given via ansible-vault. Of course Ansible Vault has its own internal credentials to encrypt/decrypt the vault, but you are on a control machine. And there must be an endpoint to your paranoia level. If you trust nobody, you cannot store any credentials and must enter them every time. Ansible can be called via cron.

So:

  • create a file with some encrypted params with ansible-vault
  • put those encrypted params in your host/group vars
  • call the playbook with `ansible-playbook --vault-password-file vault ...`
  • define a cron job for that

Personally, I replaced the cron job with AWX. In that case you can define users that have access to the playbooks, inventory, etc. without having direct access to the content. You can configure schedules in AWX. There is also a docker-compose example for that.

TRW
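An added example (not from the question or the answer) of the cron wrapper the four steps above amount to: before calling `ansible-playbook --vault-password-file`, it refuses to run unless the vault password file is a 0600 file owned by the invoking user and the playbook still matches a pinned SHA-256, which covers the asker's "script called by the task must be protected" requirement. It assumes GNU coreutils (`stat -c`, `sha256sum`) and hypothetical file names; `ansible-playbook` itself is only invoked when the script is run with arguments.

```bash
#!/usr/bin/env bash
# Cron wrapper: verify the vault password file and the playbook before running Ansible.
set -euo pipefail

# Succeeds only if $1 is a regular file, mode 0600, owned by the current user.
# A world- or group-readable vault password file defeats the point of the vault.
check_private_file() {
  local f="$1" mode owner
  [ -f "$f" ] || return 1
  mode=$(stat -c '%a' "$f")    # GNU stat: octal permission bits
  owner=$(stat -c '%u' "$f")   # numeric uid of the owner
  [ "$mode" = "600" ] && [ "$owner" = "$(id -u)" ]
}

# Succeeds only if the SHA-256 of $1 equals the pinned value $2.
# The expected value is recorded once, when the playbook is known-good.
check_checksum() {
  local f="$1" expected="$2" actual
  [ -f "$f" ] || return 1
  actual=$(sha256sum "$f" | awk '{print $1}')
  [ "$actual" = "$expected" ]
}

# run_playbook VAULT_PW_FILE PLAYBOOK EXPECTED_SHA256
# Runs the playbook with the vault password only when both checks pass.
run_playbook() {
  local vault_pw="$1" playbook="$2" expected_sum="$3"
  check_private_file "$vault_pw" \
    || { echo "refusing: $vault_pw must be mode 0600 and owned by $(id -un)" >&2; return 1; }
  check_checksum "$playbook" "$expected_sum" \
    || { echo "refusing: $playbook does not match pinned checksum" >&2; return 1; }
  ansible-playbook --vault-password-file "$vault_pw" "$playbook"
}

# Example crontab line (hypothetical paths, placeholder checksum), run as the deploy user:
#   0 2 * * * /home/deploy/bin/run_site.sh /home/deploy/.vault_pass /home/deploy/site.yml <sha256-of-site.yml>
if [ "$#" -ge 3 ]; then
  run_playbook "$1" "$2" "$3"
fi
```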