Populate Ansible from Amazon secrets manager

Posted on Thu 03 September 2020 in Tech

One of the ways to improve your security and avoid passing around env files is to follow the twelve-factor app methodology and populate your secrets from the environment. A further improvement is to pull those secrets from a dedicated secret store that offers features like rotation and auditing.

Requirements

  • Ansible
  • Some secrets stored in AWS Secrets Manager
  • The host running Ansible should have a recent aws-cli (Secrets Manager is a recent addition to the CLI)
  • jq, if you're storing JSON in your secrets

It's worth testing your AWS calls from the terminal first, so you know exactly what ends up on stdout and can extract just the secret you're interested in. Try some calls like:

aws secretsmanager get-secret-value --secret-id some/secret/name --query SecretString --output text

Or, for a JSON secret, something like:

aws secretsmanager get-secret-value --secret-id secrets | jq --raw-output '.SecretString' | jq -r .API_KEY

Ansible Config

Once you have Secrets Manager outputting your secrets to stdout, you can use it in Ansible. In this example I'm writing to an env file, but the registered value could be used anywhere in Ansible. Instead of writing to a file, you could set the secret as an environment variable on the task that spins up the project, so it never touches disk.

- name: Setting env with some secret
  args:
    executable: /bin/bash
  shell: |
    aws secretsmanager get-secret-value --secret-id some/secret/name --query SecretString --output text
  register: some_secret
  # The secret value lands in some_secret.stdout; setting no_log: true on this
  # task keeps it out of the play output and Ansible logs.

- name: pass response of secrets manager to .env file
  become: no
  blockinfile:
    dest: '{{ some_environment_path }}/.env'
    state: present
    # create: yes makes the file with the default umask; add mode: '0600' if
    # other users on the host must not be able to read it.
    create: yes
    marker: "# {mark} MY SECRET FROM AWS #"
    block: |
      # A secret containing a single quote would break this line.
      SOME_SECRET='{{ some_secret.stdout }}'
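The block above quotes the secret with single quotes, which breaks as soon as the secret itself contains one, and it relies on `create: yes` for the file's permissions. As an added example (not part of the original post), here is a small Python helper that turns a `get-secret-value` response into shell-quoted `.env` lines between the same BEGIN/END markers the play uses, and creates the file as 0600. The response JSON is a constructed sample with made-up values, not a real secret.

```python
import json
import os
import re
import shlex

# Constructed sample of what `aws secretsmanager get-secret-value` prints for a
# key/value secret; the made-up values contain characters that would break a
# naive SOME_SECRET='{{ some_secret.stdout }}' line.
SAMPLE_RESPONSE = json.dumps({
    "Name": "some/secret/name",
    "SecretString": json.dumps({"API_KEY": "k3y'with\"quotes", "DB_PASS": "p@ss $word"}),
    "VersionStages": ["AWSCURRENT"],
})

ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def secret_to_env(response_text, default_name="SOME_SECRET"):
    """Map a get-secret-value response to {ENV_NAME: value}: a JSON-object
    SecretString yields one variable per key; anything else (a plain-text
    secret, or JSON that is not an object) goes whole under default_name."""
    secret_string = json.loads(response_text)["SecretString"]
    try:
        parsed = json.loads(secret_string)
    except ValueError:
        parsed = None
    if not isinstance(parsed, dict):
        return {default_name: secret_string}
    return {k: str(v) for k, v in parsed.items()}


def render_env_block(env, marker="MY SECRET FROM AWS"):
    """Render the .env lines between blockinfile-style BEGIN/END markers."""
    lines = [f"# BEGIN {marker} #"]
    for name, value in sorted(env.items()):
        # A malformed key must not become a stray line or command in the file.
        if not ENV_NAME.match(name):
            raise ValueError(f"refusing unsafe variable name: {name!r}")
        # shlex.quote keeps quotes, spaces and $ literal when the file is sourced.
        lines.append(f"{name}={shlex.quote(value)}")
    lines.append(f"# END {marker} #")
    return "\n".join(lines) + "\n"


def write_env_file(path, content):
    """Create the .env owner-only (0600) before any secret is written to it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)


if __name__ == "__main__":
    print(render_env_block(secret_to_env(SAMPLE_RESPONSE)), end="")
```

The rendered block can be fed to `blockinfile` as its `block:` value, or written directly with `write_env_file`, which avoids depending on the umask in effect when the play runs.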

And that's it! If there's anything I could've done better (which I'm sure there is), do let me know!