Ansible Hashicorp Vault Storing vCenter Password

If you followed along that post, you will see how easy it is to get a working installation of Hashicorp Vault up and running on your Ubuntu 20.04 installation. Now that you have an installation of Hashicorp Vault, let’s put it to use in some VMware vSphere automation. I use Ansible a lot in the home lab for various tasks. It is a great place to start seeing the benefit of Vault and see how it can help secure automation in your environment. Let’s take a look at Ansible Hashicorp Vault store vCenter password and see how it can secure your connection to vCenter.

Automation is great but security must come first

While automation is great, we must also keep security at the forefront of any solution implemented. Security has become front and center in all business-critical processes and is part of DevOps as well. Many of us, myself included having in the past hardcoded passwords in flat files for a quick solution when working to get something up and running quickly.

Hardcoded passwords are dangerous. The password is freely visible in the files, variable files, and others and have virtually no security outside of the drive they reside on.

Securing Sensitive Information with Hashicorp Vault

Hashicorp Vault provides a very powerful solution to secure secrets of all varieties in a way they can be accessed without the danger that comes from hardcoding into flat files. It provides a very diverse set of access methods to access sensitive information such as passwords securely. Additionally, it allows securing access even further by restricting the accessing of those secrets even further by role name, the network address, and many other ways.

hashicorp vault provides a secure way to access sensitive information
Hashicorp vault provides a secure way to access sensitive information

Ansible Hashicorp Vault Storing vCenter Password

Ansible is a great configuration management platform that can greatly streamline many vSphere operations. Take a look at one example in my post here: Ansible Provisioning VMware with vmware_guest Example. It can help to easily automate your vSphere environment.

With each environment that Ansible interacts with, it needs a way to authenticate to the respective environment, including vSphere. Generally, you will authenticate Ansible to vCenter Server so you can interact with the environment as a whole, all hosts, virtual machines, etc.

In many of the examples that you see cited working with Ansible and vSphere, the vCenter Server passwords is shown to be hardcoded in a variables file. This means you are storing the key to your vCenter kingdom in your Ansible variables and is dangerous for any type of production use.

So, let’s talk about Ansible Hashicorp Vault storing vCenter password. How can we do this? The below walkthrough is going to assume a few things:

  • You have a working vCenter Server
  • You have a working Ansible environment
  • You have installed Hashicorp Vault and have this running

To get started with automating VMware vSphere and making use of Hashicorp Vault to store your vCenter Server credentials, we will follow the steps here:

  1. Create a new secrets engine
  2. Create a key-value pair
  3. Use the hashi_vault module to query Vault for the password
  4. Test you Ansible code with Hashicorp Vault

Step 1 – Create a new secrets engine

The first step with using Hashicorp Vault with Ansible is to creat a new secrets engine within Hashicorp Vault to serve out the vCenter Server password. This is going to be key value pair.

To create this from the command line of your Vault server, you use the following syntax:

vault secrets enable -tls-skip-verify -path=vcenter kv

This creates a new key value secrets engine to store the credentials.

Enabling the new key value store for ansible vault vcenter password
Enabling the new key value store for ansible vault vcenter password
After creating the new secrets engine and checking this in the hashicorp vault ui
After creating the new secrets engine and checking this in the hashicorp vault ui

As a note. I am creating a v1 version of the secrets engine. There is some quirkiness with the v2 secrets engine in Vault. I was able to get to the engine created and the values to pull, however, was not able to get the password to pull correctly. This will require a bit more tinkering as I am assuming there is a workaround.

Step 2 – Create a new key value pair

Next, we need to create the actual key that will store the password in the new secrets engine. To do that use the following:

vault kv put -tls-skip-verify vcenter/vcenter_pass password="Password"
Creating the password value for the new key value store for vcenter
Creating the password value for the new key value store for vcenter

You can open the UI and look at the new vcenter_pass key. Flag on the JSON view to look at the value.

Verifying the new password value in the hashicorp vault ui
Verifying the new password value in the hashicorp vault ui

We can see the password that has been set for the password field.

View the json version of the password value
View the json version of the password value

Step 3 – Use the hashi_vault module to query Vault for the password

The next step is where we finally implement this inside our Ansible playbook. Ansible has a special-purpose module called hashi_vault that allows querying Hashicorp Vault for secrets to use in the playbook.

Below, take note of the password and how we are using the hashi_vault module to lookup the secret in Hashicorp Vault. Here I am using a root token. You will want to create a special purpose token for this purpose and assign roles, ACLs around it. Also, the address is the address of the Vault server and also a note to ignore self-signed certificates warnings.

name: Clone multiple VMs
hosts: localhost 
gather_facts: false
vars_files: 
 multiple_vms_vault.yml
tasks: 
- name: Clone multiple VMs from template
  local_action:
    module: vmware_guest
    hostname: "{{ vcenter_hostname }}" 
    password: "{{ lookup('hashi_vault','secret=vcenter/vcenter_pass:password token=s.YyyofZhFMaxS5sxQlbpH9EkG url=https://10.1.149.22:8200 validate_certs=False') }}"    
    username: "{{ username }}"
    validate_certs: no      
    folder: "{{ folder }}"
    template: "{{ vmtemplate }}"
    name: "{{ item }}"
    cluster: "{{ vmcluster }}"
    datacenter: "{{ datacenter }}"
    state: "{{ state }}"
    customization_spec: "{{ customization_spec }}"
  with_items: "{{ servers }}" 

Testing the connection to vCenter Server from Ansible.

The last thing left to do is actually test the Ansible playbook which pulls vCenter Server credentials from Hashicorp Vault. As you can see below, it works.

Successful connection to vcenter server from ansible playbook pulling vcenter server password from hashicorp vault
Successful connection to vcenter server from ansible playbook pulling vcenter server password from hashicorp vault

Wrapping Up

As you can see, it isn’t too terribly difficult to get started using Hashicorp Vault in some basic Ansible automation. Once you have Vault up and running, in just a few minutes you can create your secrets engine, key value, and assign the password to a value. Then it is just a matter of using the hashi_vault module to query Vault for the credentials.

Post a Comment

0 Comments