Ansible & Conjur

Configuration management has completely changed the landscape regarding how we provision and maintain our working environments. Before, environments were painstakingly configured by hand and what worked in development didn’t always work in production. It could take hours if not days to figure out why.

Now with configuration tools at our side, that headache is a thing of the past. But because we live in a world filled with new technologies and services, it’s crucial that our chosen configuration management systems are simple to learn, easy to maintain, and remain highly secure.

Configuration Management: Simple to Learn. Easy to Maintain.

Today, Ansible has made a name for itself for having the largest and fastest-growing configuration management community, and for good reasons. Ansible is a super powerful configuration management framework built in Python that users can get up and running in just a few short hours.
The usage of YAML as the basis for Ansible playbooks makes their code human readable, easy to digest and quick to learn. With its rapid adoption, many users are curious about how best to protect their environment and credentials from outside threats while continuing to leverage Ansible.

Configuration Management: Securing your Sensitive Information

Configuration management frameworks do a great job working hand-in-hand with version control code repositories (Git, SVN, etc.). One issue that remains is storing and protecting the security credentials used by the code as it is deployed from environment to environment. For security, these credentials tend to be different for each environment, but they are often captured in configuration files which are then stored within the version control system.

Because this sensitive data is available in the code repository where others have access, and on the hard drive of each environment, organizations are left with a real security vulnerability.

What can you do about it?

Your first thought may be to forgo putting any sensitive information in version control. The trouble with this approach is that the information has to be stored somewhere and has to be made available to the application in each of its environments. Without seamless access to these credentials, development, quality assurance, release management, and support teams will not be able to respond quickly to requests.

So what is the answer?

Secrets Management: Conjur and Ansible

One solution is Conjur, a secrets management platform built to remotely store sensitive information in an encrypted file store which can only be accessed by specific hosts with a given API key.

Below is a quick tutorial on how to use Conjur and Ansible together. We start by uploading the secret to Conjur.

After the secret has been uploaded, we create a host entry for a machine which should be able to view the sensitive information and upload the new configuration to our host machine. In this case, our host machine will be running Ansible.

Once our Ansible host has been configured using the “conjurize” script, we leverage a command-line tool called summon to inject our sensitive information into environment variables. The key associated with each Conjur entry we are looking for will be identified in a local file named secrets.yml.

With our Ansible scripts looking for a password stored in the environment variable, we can move on to running the playbook by using summon.

And that’s it! Ultimately, sensitive information leveraged by Ansible will no longer have to be stored in version control and we can safely upload our secrets.yml file to go along with our Ansible code.
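Committing secrets.yml is only safe while every entry is a reference that summon resolves at run time. As an added example (not code from the original post), the Python check below flags entries whose value sits in the file itself, since summon also accepts untagged, !str and !file literals alongside !var references; the sample file and its variable IDs are constructed for illustration.

```python
import re

# Constructed sample of a summon secrets.yml; the variable IDs are hypothetical.
SAMPLE_SECRETS_YML = """\
# maps environment variable names to Conjur variable IDs
DB_USER: !var prod/app/db/username
DB_PASSWORD: !var prod/app/db/password
TLS_KEY_PATH: !var:file prod/app/tls/private-key
AWS_REGION: us-east-1
API_TOKEN: !str s3cr3t-pasted-by-mistake
LICENSE_FILE: !file inline-license-text
"""

# Tags that make summon fetch the value from the provider at run time.
REFERENCE_TAGS = ("!var", "!var:file")
ENTRY = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*)$")


def literal_entries(text):
    """Return the names in a secrets.yml whose value is stored in the file
    itself (untagged, !str or !file) instead of being a !var reference."""
    findings = []
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or full-line comment
        match = ENTRY.match(line)
        if not match:
            continue
        name, value = match.groups()
        if value == "":
            continue  # a key with no value opens a nested section
        tag = value.split(None, 1)[0]
        if tag not in REFERENCE_TAGS:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for name in literal_entries(SAMPLE_SECRETS_YML):
        print(f"{name}: literal value in secrets.yml, review before commit")
```

Run as a pre-commit or CI step, a non-empty result means someone should confirm the literal is harmless (a region name) rather than a pasted credential.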

Configuration Management and Secrets Management: Summary

Having a configuration management tool is a great start in embracing efficient and repeatable DevOps practices, especially if your toolset is easy to learn, like Ansible. As a next step, consider how you are managing your application secrets. Conjur is a relatively new tool that secures your sensitive information while still allowing your teams to develop, test and deploy code without an added hassle.
