Populate Ansible from Amazon secrets manager
Posted on Thu 03 September 2020 in Tech
One of the ways to improve your security and avoid passing around env files is to follow the twelve factor app and start populating your secrets from the environment. Another improvement is to pull those secrets from a known secret store, with features like rotation, auditing etc.
Requirements
- Ansible
- Have some secrets stored in AWS Secrets Manager
- Ansible should have access to the latest aws-cli command(secrets manager is a recent addition)
- Jq if you're storing json in your secrets
It's worth testing your AWS calls to just extract the secret you're interested in to stdout, from the terminal tests some calls like:
aws secretsmanager get-secret-value --secret-id some/secret/name --query SecretString --output text
Or for json you might do something like:
aws secretsmanager get-secret-value --secret-id secrets| jq --raw-output '.SecretString' | jq -r .API_KEY
Ansible Config
Once you have secrets manager outputting your secrets to stdout, you can utilise it in Ansible. In this example I'm outputting to an env file but this could but used anywhere in Ansible. Instead of outputting to a file you could set its own environment variables then spin up the project from Ansible without outputting to a file anywhere.
- name: Setting env with some secret
args:
executable: /bin/bash
shell: |
aws secretsmanager get-secret-value --secret-id some/secret/name --query SecretString --output text
register: some_secret
- name: pass response of ssm to .env file
become: no
blockinfile:
dest: '{{ some_environment_path }}/.env'
state: present
create: yes
marker: "# {mark} MY SECRET FROM AWS #"
block: |
SOME_SECRET='{{ some_secret.stdout }}'
And that's it! Anything I could've done better(which I'm sure there is), do let me know!