Network Automation Cookbook

You're reading from Network Automation Cookbook: Proven and actionable recipes to automate and manage network devices using Ansible

Product type: Paperback
Published in: Apr 2020
Publisher: Packt
ISBN-13: 9781789956481
Length: 482 pages
Edition: 1st Edition
Author: Okasha Okasha

Securing secrets with Ansible Vault

When we are dealing with sensitive material that we need to reference in our Ansible playbooks, such as passwords, we shouldn't save this data in plain text. Ansible Vault provides a method to encrypt this data at rest so that it can be safely decrypted and accessed while the playbook is running. In this recipe, we will outline how to use Ansible Vault to secure sensitive information in Ansible.

How to do it...

  1. Create a new file called decrypt_passwd, as shown:

     $ echo 'strong_password' > decrypt_passwd

  2. Using ansible-vault, create a new file called secrets, as shown here:

     $ ansible-vault create --vault-id=decrypt_passwd secrets

  3. Add the following variables to this new secrets file:

     ospf_password: ospf_P@ssw0rD
     bgp_password: BGP_p@ssw0rd

  4. Create a new playbook called ansible_vault.yml, as shown here:

     ---
     - name: Using Ansible vault
       hosts: all
       gather_facts: no
       vars_files:
         - secrets
       tasks:
         - name: Output OSPF password
           debug:
             msg: "Router {{ hostname }} ospf Password {{ ospf_password }}"
           when: inventory_hostname == 'csr1'

         - name: Output BGP password
           debug:
             msg: "Router {{ hostname }} BGP Password {{ bgp_password }}"
           when: inventory_hostname == 'mx1'

  5. Run the playbook as shown here:

     $ ansible-playbook --vault-id=decrypt_passwd ansible_vault.yml -i hosts

How it works...

We use the ansible-vault command to create a new file that is encrypted using a key specified by --vault-id. We place this key/password in another file (called decrypt_passwd in our example) and pass this file as an argument to --vault-id. Inside the encrypted secrets file, we can place as many variables as we need. Finally, we include this file as a variable file in the playbook using vars_files. The following is the content of the secrets file if we try to read it without decrypting it:

$ cat secrets
$ANSIBLE_VAULT;1.1;AES256
61383264326363373336383839643834386661343630393965656135666336383763343938313963
3538376230613534323833356237663532666363626462640a663839396230646634353839626461
31336461386361616261336534663137326265363261626536663564623764663861623735633865
3033356536393631320a643561623635363830653236633833383531366166326566623139633838
32633335616663623761313630613134636635663865363563366564313365376431333461623232
34633838333836363865313238363966303466373065356561353638363731616135386164373263
666530653334643133383239633237653034

In order for Ansible to decrypt this file, we must supply the decryption password (stored in the decrypt_passwd file in this example) via the --vault-id option. When we run ansible-playbook, we must supply this decryption password; otherwise, ansible-playbook fails, as shown here:

### Running the Ansible playbook without --vault-id
$ ansible-playbook ansible_vault.yml -i hosts
ERROR! Attempting to decrypt but no vault secrets found
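
The encrypted secrets file shown above is an envelope, not an opaque blob: the hex body decodes to a salt, an HMAC-SHA256 tag and the AES-256-CTR ciphertext, with both the HMAC key and the AES key derived from the vault password alone by PBKDF2, so the file's confidentiality rests entirely on the strength of the password in decrypt_passwd. The following added example (standard-library Python, not the book's code) parses that 1.1 envelope and verifies the HMAC, which is how a wrong vault password is detected before any decryption; it assumes a constructed sample whose "ciphertext" is arbitrary bytes rather than real AES output and whose salt is all zeros.

```python
# Added example (not from the book): parse the Ansible Vault 1.1 envelope and
# verify its HMAC with the Python standard library only. The sample vault text
# is constructed here; its "ciphertext" is arbitrary bytes, so the example
# demonstrates the envelope and the password check, not AES decryption.
import hashlib
import hmac
from binascii import hexlify, unhexlify

PBKDF2_ITERATIONS = 10000  # iteration count Ansible uses for this format


def derive_keys(password: bytes, salt: bytes):
    """PBKDF2-HMAC-SHA256 -> 32-byte AES key, 32-byte HMAC key, 16-byte IV."""
    material = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS, dklen=80)
    return material[:32], material[32:64], material[64:]


def parse_vault(vaulttext: str):
    """Split a vault file into header fields and (salt, hmac, ciphertext)."""
    header, *body = vaulttext.strip().splitlines()
    fields = header.split(";")
    if fields[0] != "$ANSIBLE_VAULT" or fields[2] != "AES256":
        raise ValueError("not an AES256 Ansible Vault file")
    version, label = fields[1], (fields[3] if len(fields) > 3 else None)
    # Body is hex of "hex(salt)\nhex(hmac)\nhex(ciphertext)", wrapped at 80 columns.
    inner = unhexlify("".join(body))
    salt_hex, hmac_hex, ct_hex = inner.split(b"\n")
    return {"version": version, "label": label, "salt": unhexlify(salt_hex),
            "hmac": unhexlify(hmac_hex), "ciphertext": unhexlify(ct_hex)}


def verify_vault(vaulttext: str, password: bytes) -> bool:
    """True if the password derives the HMAC key that authenticates the ciphertext."""
    v = parse_vault(vaulttext)
    _, hmac_key, _ = derive_keys(password, v["salt"])
    expected = hmac.new(hmac_key, v["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, v["hmac"])


def build_sample_vault(password: bytes, ciphertext: bytes, salt: bytes) -> str:
    """Constructed sample in the 1.1 layout (ciphertext is NOT real AES output)."""
    _, hmac_key, _ = derive_keys(password, salt)
    mac = hexlify(hmac.new(hmac_key, ciphertext, hashlib.sha256).digest())
    inner = b"\n".join([hexlify(salt), mac, hexlify(ciphertext)])
    outer = hexlify(inner).decode()
    lines = [outer[i:i + 80] for i in range(0, len(outer), 80)]
    return "\n".join(["$ANSIBLE_VAULT;1.1;AES256"] + lines) + "\n"


# Constructed sample: the book's password, a fixed zero salt, placeholder bytes.
SAMPLE = build_sample_vault(b"strong_password", b"not-real-aes-ctr-output!", bytes(32))
```

Calling verify_vault(SAMPLE, b"strong_password") returns True and any other password returns False, without ever decrypting the payload.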

There's more...

In case we don't want to store the encryption/decryption password in a text file, we can use --ask-vault-pass with the ansible-playbook command to enter the password interactively while running the playbook, as shown here:

### Running the Ansible playbook with --ask-vault-pass
$ ansible-playbook ansible_vault.yml -i hosts --ask-vault-pass
Vault password: