피드 구독

Changing systems passwords is a common task that all systems administrators must do to keep up with all the latest security policies. Now with secrets being managed by the secrets management system, we need a way to integrate with that to keep and manage all the secrets safe while updating the systems passwords in a secure, safe and automated way to stay compliant with all the rules and regulations.

Red Hat Ansible Automation Platform makes this easy; there are so many ready-made playbook examples available to update any managed platform, such as Linux, Windows and many network devices.      https://docs.ansible.com/ansible/latest/collections/ansible/builtin/user_module.html

Ansible Automation Platform also has built-in ready made integration with many secrets management. Certify, HashiCorp, CyberArk and Thycotic to name a few.

https://docs.ansible.com/automation-controller/latest/html/userguide/credential_plugins.html

This article is one opinionated way to configure Ansible Automation Platform and  the Ansible Playbooks required to rotate system passwords on the Red Hat Enterprise Linux server integrated with HashiCorp Vault. Let’s get started.

Installation of HashiCorp Vault is out of scope for this blog but it is easy to do. Here is a link to the installation doc.  https://support.hashicorp.com/hc/en-us/articles/5345962021523-Installing-Vault-Enterprise-RPM-package-on-Linux-RHEL-CentOS

Here is a screen shot of mysecret on HashiCorp Vault. Make note of the secrets path /cubbyhole/mysecret

Update Password on RHEL update_password.yml.  The Red Hat Ansible Lightspeed service suggested using the ansible.builtin.user module in this playbook. The debug module can be used to test the update_password variable and add no_log to the task to keep the password from leaking into logs.

---
- name: update rhel password
hosts: update_servers
become: true
tasks:
 
  # # Print User Pass and its updates
  # - name: Print User Pass and updated user pass
  #   ansible.builtin.debug:
  #     msg:
  #       - "update_username {{ update_username }}"
  #       - "update_password {{ update_password }}"
 
  # update user password
  # Content suggestion provided by Ansible Lightspeed
  - name: Update user password
    ansible.builtin.user:
      name: "{{ update_username }}"
      password: "{{ update_password | password_hash('sha512')  }}"
    no_log: True

Update Password on HashiVault  update_hashi_vault_secret.yml. This playbook uses the URI module to update the secret. Please note the unique URL that is for the secrets path you need to access. In this example below, it’s http://192.168.1.100:8200/v1/cubbyhole/mysecret

---
- name: Update HashiCorp Vault Secret using uri module
hosts: localhost
connection: local
gather_facts: no
tasks:
  - name: Set Vault address and token
    set_fact:
      vault_address: "http://192.168.1.100:8200"
      vault_token: "????????????"
      new_username: "some_username_to_update"
      new_password: "new_password_to_be_updated"
  - name: Update secret in Vault
    uri:
      url: "{{ vault_address }}/v1/cubbyhole/mysecret"
      method: POST
      headers:
        X-Vault-Token: "{{ vault_token }}"
      body_format: json
      body:
        {
          username: "{{ new_username }}",
          password: "{{ new_password }}"
        }
      status_code: 204
    register: vault_result
    no_log: True
  # - name: Print Vault result
  #   debug:
  #     var: vault_result

Create HashiCorp Vault Secret Lookup credentials

This is the secrets lookup plugin access to your HashiCorp Vault.

Create update_password custom credential type.

Why do we need a custom credential type? We need a way to pass the secrets password from HashiCorp Vault to the Ansible Playbook. This uses a simple username/password as input and then it updates extra vars update_user/update_password to its counterpart.

Create the credentials to update_userpass_mysecret

Now we need to use the custom credential type we just created to pull the secrets from the HashiCorp Vault. This pulls the latest secret from the secrets path /cubbyhole/mysecret

Create the Job template to update password on RHEL

It's time to bring it all together in this job template. The playbook update_password.yml you created at the beginning. Note that there are two credentials here. The first credential is the common machine type that allows Ansible Automation Platform to log into the device you are managing. The second credential is the one that was just created to pull the update_password from HashiCorp Vault. This playbook will use this extra var to update the latest password stored in the secret vault.

Create Job template to update new password on HashiVault’s “mysecret”

You can manually update the HashiCorp Vault secret, but why not automate that too using Ansible Automation Platform? Use the playbook update_hashi_vault_secret.yml and add in the new password as extra var and watch it update in the easy Ansible automated way.

Create Workflow Job Template

Now that you have the job template to update the HashiCorp Vault as well as the RHEL server, let's combine them as a one single automation task. Using the Workflow Job Template  makes this easy.

Create Schedule to update every 2 months

Scheduling this workflow is another great way to maintain compliance. The example here shows every 2 months, but please follow the policies of your own organization.

Summary

We were able to create playbooks to update passwords on the RHEL server as well as the HashiCorp Vault using built-in modules. We used built-in HashiCorp Vault credential type to integrate it with AAP and used custom credential type to create extra variables to send updated passwords to our Job Templates. This was all tied together as a single automation execution using the Workflow Job Template. Finally, we use the scheduling feature to schedule the workflow to meet the policy requirements.

Ansible Hunt QR Code:

Ansible Hunt

Where to go next


저자 소개

Joon Paik has helped build and design data centers for the past 20 years as a Network Engineer. Joon previously led a successful team to automate many of the manual tasks to automating via Ansible in a large financial organization. Now he uses that knowledge and experience to help organizations in the Financial Services Industry to automate the Enterprise infrastructure and procedures using Ansible Automation Platform.

Read full bio
UI_Icon-Red_Hat-Close-A-Black-RGB

채널별 검색

automation icon

오토메이션

기술, 팀, 인프라를 위한 IT 자동화 최신 동향

AI icon

인공지능

고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트

open hybrid cloud icon

오픈 하이브리드 클라우드

하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요

security icon

보안

환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보

edge icon

엣지 컴퓨팅

엣지에서의 운영을 단순화하는 플랫폼 업데이트

Infrastructure icon

인프라

세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보

application development icon

애플리케이션

복잡한 애플리케이션에 대한 솔루션 더 보기

Original series icon

오리지널 쇼

엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리