Changing system passwords is a common task that every systems administrator must perform to keep up with the latest security policies. Now that secrets live in a secrets management system, we need a way to integrate with it so that the secrets stay safe while system passwords are rotated in a secure, automated way that keeps us compliant with the applicable rules and regulations.
Red Hat Ansible Automation Platform makes this easy; there are many ready-made playbook examples for updating passwords on any managed platform, such as Linux, Windows and many network devices. See the ansible.builtin.user module documentation: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/user_module.html
Ansible Automation Platform also has built-in integration with many secrets management systems, including Centrify, HashiCorp, CyberArk and Thycotic. See the credential plugins documentation:
https://docs.ansible.com/automation-controller/latest/html/userguide/credential_plugins.html
This article describes one opinionated way to configure Ansible Automation Platform and the Ansible Playbooks required to rotate system passwords on a Red Hat Enterprise Linux server, integrated with HashiCorp Vault. Let's get started.
Installation of HashiCorp Vault is out of scope for this blog, but it is easy to do. Here is a link to the installation doc: https://support.hashicorp.com/hc/en-us/articles/5345962021523-Installing-Vault-Enterprise-RPM-package-on-Linux-RHEL-CentOS
Here is a screenshot of mysecret in HashiCorp Vault. Make note of the secrets path: /cubbyhole/mysecret.
Update Password on RHEL: update_password.yml
The Red Hat Ansible Lightspeed service suggested using the ansible.builtin.user module in this playbook. The debug task (commented out below) can be used to test the update_password variable; keep no_log on the task that handles the password so it does not leak into the job logs.
```yaml
---
- name: Update RHEL password
  hosts: update_servers
  become: true
  tasks:
    # Uncomment only to verify the extra vars injected by the custom credential.
    # Leave commented in production: it would print the password in the job output.
    # - name: Print user and updated password
    #   ansible.builtin.debug:
    #     msg:
    #       - "update_username {{ update_username }}"
    #       - "update_password {{ update_password }}"

    # Update the user's password with a SHA-512 crypt hash of the extra var
    # Content suggestion provided by Ansible Lightspeed
    - name: Update user password
      ansible.builtin.user:
        name: "{{ update_username }}"
        password: "{{ update_password | password_hash('sha512') }}"
      no_log: true   # keep the plaintext password out of the job log
```
Update Password on HashiCorp Vault: update_hashi_vault_secret.yml
This playbook uses the uri module to write the secret. Note that the URL is specific to the secrets path you need to access; in the example below it is http://192.168.1.100:8200/v1/cubbyhole/mysecret.
```yaml
---
- name: Update HashiCorp Vault secret using the uri module
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: Set Vault address and token
      ansible.builtin.set_fact:
        vault_address: "http://192.168.1.100:8200"
        # Placeholder: supply the token from an AAP credential rather than committing it.
        # Cubbyhole secrets are scoped to the token that writes them, so the lookup
        # credential must use this same token.
        vault_token: "????????????"
        new_username: "some_username_to_update"
        new_password: "new_password_to_be_updated"   # overridden by the job template extra var
      no_log: true

    - name: Update secret in Vault
      ansible.builtin.uri:
        url: "{{ vault_address }}/v1/cubbyhole/mysecret"
        method: POST
        headers:
          X-Vault-Token: "{{ vault_token }}"
        body_format: json
        body:
          username: "{{ new_username }}"
          password: "{{ new_password }}"
        status_code: 204   # Vault returns 204 No Content on a successful cubbyhole write
      register: vault_result
      no_log: true

    # - name: Print Vault result
    #   ansible.builtin.debug:
    #     var: vault_result
```
Create HashiCorp Vault Secret Lookup credential
This credential gives the secrets lookup plugin access to your HashiCorp Vault.
Create the update_password custom credential type
Why do we need a custom credential type? We need a way to pass the password stored in HashiCorp Vault into the Ansible Playbook. This credential type takes a simple username/password pair as input and injects them into the playbook as the extra vars update_username and update_password.
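As an added example (not the article's own screenshots or code), here is the custom credential type written out as the Input configuration and Injector configuration that Ansible Automation Platform accepts. The type name update_password and the field ids are assumptions; in the credential built from it, each field is then linked to the HashiCorp Vault Secret Lookup with the secret path /cubbyhole/mysecret and the key username or password respectively.

```yaml
# Custom credential type "update_password" (name assumed; added example, not from the article)
# Input configuration: the fields the credential form asks for.
fields:
  - id: username
    type: string
    label: Username
  - id: password
    type: string
    label: Password
    secret: true       # stored encrypted, masked in the UI and in job output
required:
  - username
  - password
---
# Injector configuration: how the stored values reach the playbook.
# Both become extra vars, so update_password.yml can reference them directly.
extra_vars:
  update_username: "{{ username }}"
  update_password: "{{ password }}"
```

Because the password field is marked secret and the playbook task sets no_log, the rotated value never appears in the job output even though it travels as an extra var.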
Create the update_userpass_mysecret credential
Now we use the custom credential type we just created to pull the secret from HashiCorp Vault. This pulls the latest values from the secrets path /cubbyhole/mysecret.
Create the job template to update the password on RHEL
It's time to bring it all together in this job template, which runs the playbook update_password.yml you created at the beginning. Note that there are two credentials here. The first is the common machine credential that allows Ansible Automation Platform to log into the device you are managing. The second is the credential just created to pull update_password from HashiCorp Vault. The playbook uses this extra var to set the user's password to the latest value stored in the vault.
Create the job template to update the new password in HashiCorp Vault's "mysecret"
You can update the HashiCorp Vault secret manually, but why not automate that too with Ansible Automation Platform? Use the playbook update_hashi_vault_secret.yml, pass the new password in as an extra var, and watch it update the easy Ansible way.
Create the Workflow Job Template
Now that you have job templates to update both HashiCorp Vault and the RHEL server, let's combine them into a single automation task. The Workflow Job Template makes this easy; run the Vault update first so that the RHEL job template pulls the new password when its credential looks up the secret.
Create a schedule to update every 2 months
Scheduling this workflow is another great way to maintain compliance. The example here runs every 2 months, but please follow your own organization's policies.
Summary
We created playbooks to update passwords on the RHEL server and in HashiCorp Vault using built-in modules. We used the built-in HashiCorp Vault credential type to integrate it with AAP, and a custom credential type to turn the secret into extra variables for our job templates. This was all tied together as a single automation execution using the Workflow Job Template. Finally, we used the scheduling feature to run the workflow on the cadence the policy requires.
About the author
Joon Paik has helped build and design data centers for the past 20 years as a Network Engineer. Joon previously led a successful team that automated many manual tasks with Ansible in a large financial organization. Now he uses that knowledge and experience to help organizations in the Financial Services Industry automate their enterprise infrastructure and procedures using Ansible Automation Platform.