Secure automated ansible jobs: replace ssh key usage with hashi vault

expatcz · October 19, 2022, 6:18am

I’d like to avoid using the static ssh keypair of the ansible user which does automated deployments triggered by a pipeline. Hashi vault came into my mind. But I’ve no idea if this could be used for automated deployments. The issue I see is the initial proof of identity. For a personalized account this could be done when he enters some credentials which could be verified against all kinds of authention backends. (ldap, aws, github,…)

But how could a technical account proof it’s identity without providing an initial truth like a token, ssl cert, any other kind of key / credential ? Is that possible at all?

What I’ve seen so far, is just transferring the secrets into vault, but the key to the vault is visible anyway. Which does not make any sense in my opinion, but just increases complexity.

Any thoughts on that?

Joffrey · October 19, 2022, 9:09am

If you use a Gitlab Pipeline, you can use JWT Auth. For example, I have a gitlab pipeline that use Packer to build template on Vsphere. My packer need to have an account on my Vsphere and this account is managed the Active Directory engine.

So, I have a JWT auth enable and a role that has a policy to read this vsphere password.

My pipeline start with :

- export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=gitlab-packer-master jwt=$CI_JOB_JWT)"

Now, My packer has a token and a policy.
It’s the same with ansible.

Topic		Replies	Views
Automation of "vault login" command using ansible Vault vault	0	243	July 31, 2023
Vault integration with Nomad - Workload identities, JWT, and custom CA Vault	3	35	May 9, 2025
Vault Integration with Gitlab Vault vault	2	1416	November 30, 2021
Ask for good use of tokens Vault	3	288	January 20, 2023
Auto unseal vault using a Pod Identity Vault	0	326	January 20, 2023

Secure automated ansible jobs: replace ssh key usage with hashi vault

Related topics