Authenticating the playbook to Hashicorp vault was done in two ways in the previous playbooks:
– using a username and password in the playbook itself (which I discourage; the credentials are then readable in the playbook).
– using an “authentication token” in the playbook.
The “authentication token” is obtained from vault using a username and password, and it expires after a specified time, so putting it in a playbook only spills the token, not the username and password. Because it expires, the token needs to be created and provided just before execution; after that it expires and is not usable anymore.
There is an additional method for the playbook to authenticate itself to vault, which I spoiled in the title of this blog post: using a certificate. You could argue that a certificate is just a longer version of a token.
In my opinion the principal difference is that a certificate is a file, which can be produced upfront, made available before running the playbook(s), and removed afterwards, whereas the authentication token is provided in the playbook itself.
This is how certificate based authentication is enabled on vault:
Set environment variables on the vault server to talk to it.
$ . ./vault.env
$ . ./set_root_token.sh
Create a certificate.
$ openssl req -newkey rsa:2048 -new -nodes -x509 -days 365 -keyout demo_key.pem -out demo_cert.pem
Enable certificate based authentication and upload the certificate, and bind it to policies.
$ vault auth enable cert
$ vault write auth/cert/certs/demo display_name=demo policies="test_read_kv-v2,test_read_kv" certificate=@demo_cert.pem
(please mind this assumes you created the demo setup as described in First steps with Hashicorp Vault and Ansible; otherwise you won’t have the policies test_read_kv and test_read_kv-v2 available to assign to the certificate)
Now with the certificate available and loaded in vault, we can point to it in a playbook, which then uses the certificate to authenticate itself with vault for obtaining the secrets.
This is the playbook: demo playbook with certificate based authentication for vault
It’s important to understand that the lookup is done on the ansible master node, not on the managed node(s), so you only need to place the certificate (temporarily) there, and only need to open up the vault port for the ansible master node. This is also true for the other authentication mechanisms of the hashi_vault lookup plugin.
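As an added illustration of the playbook side (this is not the post’s own demo playbook), the following playbook reads a secret through the hashi_vault lookup using the certificate created above. It assumes the community.hashi_vault collection, whose lookup accepts auth_method=cert with cert_auth_public_key and cert_auth_private_key (an assumption about that collection’s option names, not something the post states); the vault address, the certificate paths on the master node and the KV path secret/data/demo are placeholders to adjust to your own setup.

```yaml
# Added example, not the post's own playbook.
# Assumed: community.hashi_vault is installed (ansible-galaxy collection install community.hashi_vault),
# the cert auth role "demo" exists in vault as enabled above, and policy test_read_kv-v2
# allows reading secret/data/demo (placeholder path).
- name: Demo of certificate based authentication against vault
  hosts: all
  gather_facts: false
  vars:
    vault_addr: "https://vault.example.com:8200"   # placeholder vault address
    # The lookup runs on the ansible master node, so these paths are local to that node.
    # Place the files there just before the run and remove them afterwards.
    vault_cert: "/tmp/demo_cert.pem"
    vault_key: "/tmp/demo_key.pem"
  tasks:
    - name: Fetch the secret (lookup executes on the master node, not on the managed host)
      ansible.builtin.set_fact:
        demo_secret: >-
          {{ lookup('community.hashi_vault.hashi_vault',
                    'secret=secret/data/demo:password',
                    url=vault_addr,
                    auth_method='cert',
                    cert_auth_public_key=vault_cert,
                    cert_auth_private_key=vault_key,
                    validate_certs=true) }}
      no_log: true   # keep the looked-up secret out of task output and logs

    - name: Show that the secret was retrieved without echoing its value
      ansible.builtin.debug:
        msg: "Secret retrieved from vault, length {{ demo_secret | length }}"
```

Nothing in the playbook contains a credential: the certificate and key are files on the master node that can be delivered before the run and deleted after it, which is the point the post makes in favour of certificates over an embedded token. The validate_certs setting keeps TLS verification of the vault server on, and no_log stops the secret from ending up in the ansible output.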