
I have a problem with keeping my private SSH key on AWX. I know that it is encrypted, but it is not as secure as I want it to be.

Do you know a secure way to use SSH private keys with AWX?

Now I am using the default Machine credentials; the SSH key is encrypted by AWX and stored in the Postgres DB. It would be great not to store the SSH key on AWX at all but pass it only when needed (something like prompt on launch if that is impossible).

Xavier123
  • How secure do you want it to be? How do you know it's not as secure? How secure is it right now? How do you tell how secure it is? What criteria do you use to tell how secure something is? What security requirements need to be satisfied? – Nikolay Hüttenberend Mar 02 '20 at 13:28
  • Now I am using the default Machine credentials; the SSH key is encrypted by AWX and stored in the Postgres DB. It would be great not to store the SSH key on AWX at all but pass it only when needed (something like prompt on launch if that is impossible). – Xavier123 Mar 02 '20 at 13:41
  • That's great. Could you please update your question with more details like that: what the current setup is, what your security concerns are, what you'd like to do differently. This would make it easier for people to share their knowledge on particular points as opposed to just giving generic, random pieces of information that might not even apply to your use case. – Nikolay Hüttenberend Mar 02 '20 at 13:46
  • The secure way I know is to create organizations, teams and users correctly in AWX, manage the permissions wisely and keep your AWX secret install key secure so that no one outside of the entitled users can use the content of your Postgres database. – Zeitounator Mar 02 '20 at 15:05

1 Answer

It's possible to not keep SSH credentials in AWX at all. For that you'll have to make some adjustments. You do not require the prompt on launch option. Remember that in Job Templates the SSH credentials are optional. The best place to keep your SSH credentials is in Ansible Vault, and store only the vault credentials in AWX (Job Template). You need to review how you define credentials and move that info out of your playbook/job into your inventory. https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html#connecting-to-hosts-behavioral-inventory-parameters

Here are the changes made to achieve this -

  1. Make environment-specific inventories - It is important not to change the state of a node that is part of any other environment; this helps to avoid surprises at runtime. https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html#example-one-inventory-per-environment.

  2. Move credentials info out of playbooks into inventories - You can set up environment-specific variables at your inventory level along with magic variables. Magic variables are known to Ansible, for example ansible_connection, ansible_user, ansible_ssh_pass. Ansible understands that it has to log in to the machine over SSH using ansible_user and ansible_ssh_pass.
     This way you don't have to mention credentials in the AWX Job Template and can happily leave the machine credentials option empty at template level. https://docs.ansible.com/ansible/latest/reference_appendices/special_variables.html#magic.
     Here is a snapshot of the variables I define at inventory level. [screenshot of inventory variables]

  3. Variables and vault - Notice the credentials section contains values as variables. Obviously, we do not want to expose any credentials as plaintext; therefore, it is important to follow the Ansible best practice of letting Ansible find the variables in the unencrypted file while all sensitive variables come from the encrypted file. https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html#variables-and-vaults.
     I maintain a variable file, i.e. a config file, along with a vault to get rendered at runtime in playbooks. You can create a subdirectory, say vars, and map the variables mentioned as values in the inventory variables to a vars/vars.yml file. vars.yml can have keys defined as -

```yaml
# vars/vars.yml (unencrypted): only references to vault_ variables, no secrets
ssh_secret_dev: "{{ vault_secret_pass }}"
ssh_user_dev: username
```

     And the encrypted vault file can have the final value -

```yaml
# vars/vault.yml (encrypted with ansible-vault): the actual secret
vault_secret_pass: very_secret_password
```

Why the big dance? Why not just define everything in the vault and connect the inventory variable with the vault? This provides an extra layer of security where you can map secure credentials in the variable file and the extra confidential ones in the vault. Obviously the vault will be encrypted, so you need to mention the vault credentials at Job Template level. The credential section at Job Template level will only contain vault credentials. [screenshot of Job Template credentials]

  4. Select prompt on launch for Inventory at Job Template level - As we are making Workflows environment-specific, not Job Templates, we can mention the Inventory at Workflow level and select the prompt on launch option at Job Template level to allow the Inventory to apply to all Job Templates that have the prompt on launch option.
  5. Edit playbooks to load those two variable files (vault.yml and vars.yml).

```yaml
- hosts: localhost
  vars_files:
    - ./vars/vault.yml
    - ./vars/vars.yml
  gather_facts: no
  no_log: true
  tasks:
    # .....some tasks......
```

You can also make use of any variable you defined at inventory level (which is not a special Ansible variable) and use it in your playbooks, with its value picked up from the variable files.
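A pre-commit style check for the vars/vault split the answer describes, written here as an added example (it is not code from the post or from AWX/Ansible): it confirms that credential-looking keys in the unencrypted vars.yml only reference vault_ variables, that vault.yml carries the $ANSIBLE_VAULT header (i.e. is actually encrypted) before it is committed, and, if the vault file is still in decrypted form, that every referenced vault_ variable is defined. The file contents are constructed samples and the parser handles only flat key: value lines, which is all these two files need.

```python
import re

# Constructed sample files (not from the post): the unencrypted vars file that
# only *references* vault variables, and a vault file in both on-disk forms.
VARS_YML = """\
ssh_secret_dev: "{{ vault_secret_pass }}"
ssh_user_dev: username
ssh_secret_prod: "{{ vault_secret_pass_prod }}"
"""
VAULT_HEADER = "$ANSIBLE_VAULT;1.1;AES256"
VAULT_YML_ENCRYPTED = VAULT_HEADER + "\n31303030...\n"   # body abbreviated, constructed
VAULT_YML_PLAINTEXT = "vault_secret_pass: very_secret_password\n"

# Keys whose values must never be literals in the unencrypted file.
SENSITIVE_KEY = re.compile(r"(pass|secret|token|key)", re.I)
# The only acceptable value shape for such keys: a Jinja reference to a vault_ var.
VAULT_REF = re.compile(r"^\{\{\s*(vault_\w+)\s*\}\}$")


def parse_simple_yaml(text):
    """Parse flat `key: value` lines (enough for these files; no PyYAML needed)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        out[key.strip()] = value.strip().strip('"').strip("'")
    return out


def check_split(vars_text, vault_text):
    """Return a list of findings; an empty list means the split is safe to commit."""
    findings = []
    refs = set()
    for key, value in parse_simple_yaml(vars_text).items():
        match = VAULT_REF.match(value)
        if match:
            refs.add(match.group(1))
        elif SENSITIVE_KEY.search(key):
            findings.append(f"{key}: literal value in unencrypted vars file")
    if vault_text.startswith(VAULT_HEADER):
        return findings  # encrypted at rest: its contents cannot be inspected here
    findings.append("vault file is NOT encrypted (missing $ANSIBLE_VAULT header)")
    missing = refs - set(parse_simple_yaml(vault_text))
    findings += [f"{r}: referenced but not defined in vault" for r in sorted(missing)]
    return findings
```

Run it against the two files before `git commit` (or as a CI step); any finding means either a secret leaked into the plaintext file or the vault was committed decrypted.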

bosari