862 Views, 5 Helpful, 4 Replies

How to feed device login credential to Terraform or Ansible securely?

SIMMN
Spotlight

Say we have three admins who would log in to the Linux server running Terraform and Ansible to see the source files and execute. But I do not want any of them to see the networking device login credential.

For example, I want to automate configuration backup of a network built with 4 NXOS switches. I can get a Terraform or Ansible playbook written properly. But I'm kinda having a difficult time figuring out how to protect the Nexus login credential which would be fed into Terraform or Ansible during run time.

With Ansible, I could use Vault to encrypt the Nexus login credential, but I still need to supply the encryption key/password to perform decryption during the playbook run... Without anyone to enter the key, I could put the encryption key into a file, but how am I supposed to set the permission of the file to prevent others from viewing the content while still maintaining the automation? If I set the owner of the file to be root or a special group, then the execution of `ansible-playbook` would need `sudo`...

With Terraform, no clue so far...
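One pattern that addresses the unattended-run question above is to give the scheduled job its own unprivileged service account: that account alone owns the vault password file (mode 0400), the cron entry runs as that account, and the playbook sources live in a directory the admins can read. The wrapper below is an added example, not code from this thread; the paths (`/var/lib/ansible-svc/.vault_pass`, `/opt/netops/backup_nxos.yml`) and the account name `ansible-svc` are assumptions. It refuses to run the backup unless the password file is owned by the invoking user and has no group/other bits set, so a permission slip is caught before the secret is ever handed to Ansible.

```shell
#!/bin/sh
# Added example (not from the thread): run a scheduled Ansible backup while
# keeping the vault password readable only by a dedicated service account.
#
# Assumed layout (hypothetical):
#   service account : ansible-svc (no shell login for admins)
#   vault password  : /var/lib/ansible-svc/.vault_pass  (owner ansible-svc, 0400)
#   playbook        : /opt/netops/backup_nxos.yml        (group-readable for admins)
#   crontab of ansible-svc:
#     0 1 * * 0 /opt/netops/run_backup.sh

VAULT_PW_FILE="${VAULT_PW_FILE:-/var/lib/ansible-svc/.vault_pass}"
PLAYBOOK="${PLAYBOOK:-/opt/netops/backup_nxos.yml}"

# vault_file_ok FILE
# Returns 0 when FILE exists, is owned by the invoking user and its mode is
# exactly 0400 or 0600 (no group/other access). Returns 1 otherwise.
# Uses GNU stat (Linux): %a = octal mode without leading zero, %u = owner uid.
vault_file_ok() {
  f="$1"
  [ -f "$f" ] || { echo "vault password file missing: $f" >&2; return 1; }
  mode=$(stat -c '%a' "$f") || return 1
  owner=$(stat -c '%u' "$f") || return 1
  if [ "$owner" != "$(id -u)" ]; then
    echo "vault password file is not owned by $(id -un)" >&2
    return 1
  fi
  case "$mode" in
    400|600) return 0 ;;
    *)
      echo "vault password file mode $mode is too permissive (want 0400 or 0600)" >&2
      return 1 ;;
  esac
}

# run_backup
# Performs the permission check, then hands the password file to Ansible.
# Ansible reads the file itself, so the secret never appears on the command
# line or in the process list.
run_backup() {
  vault_file_ok "$VAULT_PW_FILE" || return 1
  ansible-playbook --vault-password-file "$VAULT_PW_FILE" "$PLAYBOOK"
}

# Usage (as the service account, typically from cron):
#   ./run_backup.sh
# Invoke run_backup only when executed directly, not when sourced for testing.
case "$0" in
  *run_backup.sh) run_backup ;;
esac
```

Because the job runs as `ansible-svc` rather than root, no `sudo` is involved; the admins keep read access to the playbooks and inventory through a shared group on `/opt/netops`, while the password file sits outside that tree with owner-only permissions.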

4 Replies

Alexander Stevenson
Cisco Employee

I'm not exactly sure how to implement this, as I haven't run into this yet, but here are some potential options:

HashiCorp Vault

https://www.vaultproject.io/

Digital Ocean

https://www.digitalocean.com/community/tutorials/how-to-protect-sensitive-data-in-terraform

terraform-provider-ansiblevault

https://meilleursagents.github.io/terraform-provider-ansiblevault/

Sharing sensitive variables between ansible and terraform (Proof of Concept)

https://medium.com/@V_Voronenko/sharing-sensitive-variables-between-ansible-and-terraform-9d3316a88b93

Thanks for the links. But they would still require minimal human input. For example, what if I want to schedule an Ansible plan or Terraform apply at 1am every Sunday to log in to all devices to perform configuration backup? I would not want to have someone manually type in the credential to kick-start the job, while I still want to keep the credentials invisible...

Using Ansible Tower or Ansible AWX you can inject an 'Approve/Deny' button for a workflow/playbook.

How to add approval steps to Ansible Tower workflows

@JesseRussell08468 is correct, as AWX/Tower (AWX is the open-source version of Tower) provides role-based access control (RBAC). There has even been an effort to extend this capability for AWX to Terraform: https://github.com/mauromedda/terraform-provider-awx

Also, see 'awx Provider', which is an Ansible Tower Provider for handling Tower Projects with REST: https://registry.terraform.io/providers/nolte/awx/latest/docs