How to Create a Secure Ansible Hosts File: SSH, Vault, and Environment Variables

When automating system configurations with Ansible, the hosts file plays a crucial role in defining your managed nodes and setting up authentication details. However, hardcoding sensitive information like passwords directly in the hosts file is a security risk. In this post, we’ll explore best practices for creating a secure Ansible hosts file using more robust and secure methods, such as SSH keys, Ansible Vault, and environment variables.

By the end of this guide, you’ll understand how to protect sensitive credentials while ensuring smooth and secure automation with Ansible. Let’s dive into the strategies that will help you keep your infrastructure safe without compromising on efficiency or scalability.

Below is an example of a hosts file using the simplest method, hard-coded credentials:

Better Practices for Authentication in Ansible

It is highly recommended to avoid hardcoding credentials, as this can lead to security vulnerabilities. Instead, use secrets management tools or opt for SSH keys as a more secure and efficient alternative.

Why Avoid Hardcoding Credentials?

Hardcoding passwords or other sensitive information in your configuration files, such as the hosts file, increases the risk of exposing credentials. Anyone who can read the file can read the secrets, which becomes a real problem when repositories are shared or exposed to multiple people.

The alternative is to use SSH keys:

  1. Generate an SSH key pair on your local machine for use with the remote hosts

  2. Add the public key to the ~/.ssh/authorized_keys file on the target hosts

  3. Ensure that the private key is available on your local machine for Ansible to use
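As an added example (not from the original post), the hard-coded hosts file the post warns about next to its key-based replacement, plus a small check that refuses any inventory carrying inline credentials; the hostnames, the "deploy" user and the key path are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Writes two constructed inventories
# into a temp dir and checks them for plaintext credentials. Hostnames, the user
# "deploy" and the key path are placeholders.

WORK="$(mktemp -d)"

# The pattern the post warns against: passwords inline in the hosts file (constructed sample).
write_insecure_inventory() {
  cat > "$WORK/hosts.insecure" <<'EOF'
[webservers]
web1.example.com ansible_user=deploy ansible_ssh_pass=Sup3rSecret!
web2.example.com ansible_user=deploy ansible_ssh_pass=Sup3rSecret! ansible_become_pass=Sup3rSecret!
EOF
  printf '%s\n' "$WORK/hosts.insecure"
}

# Same hosts with key-based authentication: nothing secret lives in the inventory,
# so it can be committed to a shared repository.
write_keyed_inventory() {
  cat > "$WORK/hosts" <<'EOF'
[webservers]
web1.example.com
web2.example.com

[webservers:vars]
ansible_user=deploy
ansible_ssh_private_key_file=~/.ssh/ansible_ed25519
EOF
  printf '%s\n' "$WORK/hosts"
}

# Pre-commit style check: exit 0 when no credential variable has an inline value,
# 1 otherwise. Covers the INI (key=value) and YAML (key: value) inventory forms.
inventory_is_clean() {
  ! grep -Eiq '(ansible_ssh_pass|ansible_password|ansible_become_pass|ansible_sudo_pass)[[:space:]]*[=:]' "$1"
}

# Steps 1-3 from the post as commands; printed rather than run so the block works offline.
ssh_key_setup_commands() {
  cat <<'EOF'
ssh-keygen -t ed25519 -a 64 -f ~/.ssh/ansible_ed25519 -C "ansible control node"
ssh-copy-id -i ~/.ssh/ansible_ed25519.pub deploy@web1.example.com
chmod 600 ~/.ssh/ansible_ed25519
ansible -i hosts webservers -m ansible.builtin.ping
EOF
}
```

Wire inventory_is_clean into a pre-commit hook so a password can never be pushed alongside the inventory by accident.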

Ansible Vault (for Secrets Management):

If you need to use passwords (e.g. for sudo access or service accounts), Ansible Vault allows you to encrypt sensitive information, such as passwords, in a secure and manageable way.

  • You can encrypt your hosts file or create a separate encrypted file for passwords.

  • Use ansible-vault to create or edit encrypted files.

Example:

ansible-vault create passwords.yml

Inside of the passwords file you can have:

ansible_ssh_pass: "your_password"

You can then reference your password file in your playbook:

To run a playbook with Ansible Vault, you'll need to provide the Vault password:

ansible-playbook playbook.yml --ask-vault-pass
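As an added example (not from the original post), a playbook that loads the encrypted passwords.yml through vars_files, the plaintext content that goes into that file, and a check that the file really carries the Vault header before it is committed; the host group and the nginx task are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Shows a playbook that pulls its
# credentials from the Vault-encrypted passwords.yml, plus a check that the file
# really is encrypted before it is committed. Paths and the host group are placeholders.

WORK="$(mktemp -d)"

# Playbook referencing the encrypted file through vars_files (assumed form).
write_vault_playbook() {
  cat > "$WORK/playbook.yml" <<'EOF'
- name: Configure web servers with credentials from Ansible Vault
  hosts: webservers
  become: true
  vars_files:
    - passwords.yml      # created with: ansible-vault create passwords.yml
  tasks:
    - name: Ensure nginx is installed
      ansible.builtin.package:
        name: nginx
        state: present
EOF
  printf '%s\n' "$WORK/playbook.yml"
}

# What goes inside passwords.yml before encryption (constructed values;
# ansible_become_pass is the current name for the sudo password).
write_plaintext_secrets() {
  cat > "$WORK/passwords.plain.yml" <<'EOF'
ansible_ssh_pass: "your_password"
ansible_become_pass: "your_sudo_password"
EOF
  printf '%s\n' "$WORK/passwords.plain.yml"
}

# A Vault-encrypted file always starts with this header; the payload is omitted in this stub.
write_encrypted_stub() {
  cat > "$WORK/passwords.yml" <<'EOF'
$ANSIBLE_VAULT;1.1;AES256
<hex payload omitted in this constructed stub>
EOF
  printf '%s\n' "$WORK/passwords.yml"
}

# Exit 0 only if the file carries the Ansible Vault header, i.e. it was encrypted.
vault_file_is_encrypted() {
  head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;'
}
```

In a pipeline, replace --ask-vault-pass with --vault-password-file pointing at a mode-0600 file outside the repository.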

Taking advantage of Environment Variables:

If you prefer not to hardcode passwords, you can also use environment variables to pass sensitive data. Ansible will automatically detect environment variables such as "ANSIBLE_PASSWORD" and "ANSIBLE_SUDO_PASS" for connection and privilege escalation:

export ANSIBLE_PASSWORD='your_password'
export ANSIBLE_SUDO_PASS='your_sudo_password'

Then in your playbook, you can reference those variables without storing them in your hosts file. Keep in mind, Ansible will automatically read the environment variables without you needing to reference them in your playbook. If you do want to reference them, set them in the vars section through the ansible_ssh_pass and ansible_sudo_pass variables.

Example playbook where environment variables are automatically picked up:

If you want to reference the environment variables explicitly within the playbook, you can use the lookup plugin to read them:

In this example:

  • lookup('env', 'ANSIBLE_PASSWORD') will fetch the environment variable ANSIBLE_PASSWORD and assign it to ansible_ssh_pass.

  • Similarly, lookup('env', 'ANSIBLE_SUDO_PASS') will fetch the sudo password from the environment and assign it to ansible_sudo_pass.

One of the caveats to doing this is you're making it more clear to cyber threat actors as to what environment variables are high-value targets.

Run the Playbook:

When you run the playbook, Ansible will automatically use the environment variables for authentication:

ansible-playbook playbook.yml
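As an added example (not from the original post), the lookup('env') playbook described above, written so it does not depend on Ansible reading the variables on its own, together with a pre-flight check that the variables are actually set and a prompt-based way of setting them that keeps the passwords out of shell history; the host group and the nginx task are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Writes a playbook that reads its
# credentials explicitly with lookup('env', ...) and checks that those variables
# are set before ansible-playbook is invoked. Host group and task are placeholders.

WORK="$(mktemp -d)"

# The lookup-based playbook from the post (assumed form; ansible_sudo_pass is the
# legacy name, ansible_become_pass is the current equivalent).
write_env_playbook() {
  cat > "$WORK/playbook.yml" <<'EOF'
- name: Configure web servers with credentials from the environment
  hosts: webservers
  become: true
  vars:
    ansible_ssh_pass: "{{ lookup('env', 'ANSIBLE_PASSWORD') }}"
    ansible_sudo_pass: "{{ lookup('env', 'ANSIBLE_SUDO_PASS') }}"
  tasks:
    - name: Ensure nginx is installed
      ansible.builtin.package:
        name: nginx
        state: present
EOF
  printf '%s\n' "$WORK/playbook.yml"
}

# Fail fast (exit 1) when any named variable is unset or empty; lookup('env')
# would otherwise return "" and the play would fail later with a confusing auth error.
require_env() {
  for name in "$@"; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      printf 'missing environment variable: %s\n' "$name" >&2
      return 1
    fi
  done
  return 0
}

# Set the secrets from a silent prompt instead of `export X='...'` on the command
# line, so they never land in shell history; then run the play.
run_with_env() {
  printf 'SSH password: '; stty -echo; read -r ANSIBLE_PASSWORD; stty echo; echo
  printf 'Sudo password: '; stty -echo; read -r ANSIBLE_SUDO_PASS; stty echo; echo
  export ANSIBLE_PASSWORD ANSIBLE_SUDO_PASS
  require_env ANSIBLE_PASSWORD ANSIBLE_SUDO_PASS || return 1
  ansible-playbook -i hosts "$WORK/playbook.yml"
}
```

Exported variables are still readable by every child process of that shell, so keep the session short-lived and avoid running untrusted tooling from it.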

Ansible Configuration File (ansible.cfg):

You can also store connection-related settings in the ansible.cfg file, but it's still better to use SSH keys or Ansible Vault for security. Example of an Ansible configuration file:
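As an added example (not from the original post), a weak ansible.cfg next to a hardened one that carries only connection settings (key path, host key verification, Vault password file location, privilege escalation) and no secrets, plus a check suitable for CI; the paths and remote user are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Writes a weak and a hardened
# ansible.cfg (constructed; paths are placeholders) and a check you can run in CI
# to reject the weak settings.

WORK="$(mktemp -d)"

# Weak: host keys are never verified, and the vault password file sits in a
# world-writable directory.
write_weak_cfg() {
  cat > "$WORK/ansible.weak.cfg" <<'EOF'
[defaults]
inventory = ./hosts
remote_user = deploy
host_key_checking = False
vault_password_file = /tmp/vault_pass
EOF
  printf '%s\n' "$WORK/ansible.weak.cfg"
}

# Hardened: key-based auth, host keys verified, vault password file in the
# user's home (chmod 600 it), privilege escalation declared once here.
write_hardened_cfg() {
  cat > "$WORK/ansible.cfg" <<'EOF'
[defaults]
inventory = ./hosts
remote_user = deploy
private_key_file = ~/.ssh/ansible_ed25519
host_key_checking = True
vault_password_file = ~/.vault_pass

[privilege_escalation]
become = True
become_method = sudo
become_user = root
EOF
  printf '%s\n' "$WORK/ansible.cfg"
}

# Exit 0 only if host_key_checking is not disabled and a private key is configured.
cfg_is_hardened() {
  if grep -Eiq '^[[:space:]]*host_key_checking[[:space:]]*=[[:space:]]*(false|no|0)' "$1"; then
    return 1
  fi
  grep -Eq '^[[:space:]]*private_key_file[[:space:]]*=' "$1"
}
```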

Securing your Ansible hosts file is a vital step in ensuring your automation processes are both efficient and safe. By avoiding hardcoded passwords and leveraging SSH keys, Ansible Vault, and environment variables, you can protect sensitive data from potential exposure while maintaining smooth, secure configurations across your infrastructure.

While hardcoding credentials may seem like a quick solution, it poses significant security risks in the long run. Utilizing secrets management tools and secure authentication methods not only protects your environment but also aligns with best practices for DevOps and cybersecurity.

Remember, a well-secured Ansible setup will provide peace of mind and operational stability, allowing you to automate tasks with confidence. So, whether you're working on a small project or managing a large-scale infrastructure, implementing these practices will help ensure your automation is as secure as it is effective.

Thanks for reading! If you have any questions or need further assistance, feel free to leave a comment or reach out.
