Ansible Automation Platform (AAP) Integration#
Vault Setup#
Vault Policies#
Teams are responsible for setting up policies that give Ansible access to specific secrets or paths. Use this terraform or the following CLI commands to set up read access to any secrets at secret/ansible/*. The two lookup methods described later on this page reach the same secrets through two different paths, so depending on which option you use, one or the other of the paths in the policy below will be needed (the policy grants both).
vault policy write approle_ansible_access_policy - <<EOF
# Required path for community.hashi_vault.hashi_vault & AAP HashiCorp Vault Secret Lookup
path "secret/data/ansible/*" {
  capabilities = ["read"]
}
# Required path for community.hashi_vault.vault_kv2_get lookup
path "secret/ansible/*" {
  capabilities = ["read"]
}
EOF
Approle#
To create an AppRole, run this terraform or use the following CLI command, associating the policy that you created in the last step:
vault write auth/approle/role/ansible \
  token_policies="default,approle_ansible_access_policy" secret_id_ttl="365d"
role_id & secret_id#
Ansible will use a role_id and secret_id to authenticate to Vault. The example terraform will automatically display the role_id, and you can run terraform output secret_id to obtain the secret_id. For production, the following CLI commands should likely be used instead so the secret_id is not stored in the terraform state.
# Read role-id
vault read auth/approle/role/ansible/role-id
# Create a secret-id
vault write -f auth/approle/role/ansible/secret-id
AAP Setup#
Use one of these Credential Types to integrate with AAP.
HashiCorp Vault Secret Lookup#
Use this Credential Type when you need AAP to access Vault and configure other Credentials in AAP, i.e. Machine Credentials, Source Credentials, or the Multiple Secret Values Credential.
This example utilizes the HashiCorp Vault Secret Lookup Credential Plugin.
- Navigate to Automation Execution > Infrastructure > Credentials: Create Credential
- Fill out the following information (all other fields can be left blank):
  - Name: i.e. secm_hcp_plugin_credential
  - Description: i.e. Approle for AAP plugin to connect to Vault
  - Organization: Your team's AAP organization
  - Credential Type: HashiCorp Vault Secret Lookup
  - Server URL: https://hcp-vault-private-vault-fc507e0d.5d5b1f21.z1.hashicorp.cloud:8200
  - AppRole role_id: role_id retrieved from vault when creating the approle
  - AppRole secret_id: secret_id retrieved from vault when creating the approle
  - Namespace: the namespace name, admin/<CESI> or admin/<CESI>/<subteam> (i.e. admin/secm or admin/iam/appsec)
  - Path to Auth: approle. Note: you will need to manually type approle in here. It shows up as approle in grayed placeholder text by default, but it won't work unless you type it in.
  - API Version: v2
- Save the credential (sometimes testing won't work unless you save it first)
- Re-edit the credential and click the Test button to test the credential
- You can now use this plugin to retrieve secret values for other credential types. The following steps are for the UMN custom Single Secret credential type, but this can be used for other credential types as well.
- Navigate to Automation Execution > Infrastructure > Credentials: Create Credential
- Fill out the following information (all other fields can be left blank):
  - Name: i.e. secm_hcp_plugin_credential
  - Description: i.e. Approle for AAP plugin to connect to Vault
  - Organization: Your team's AAP organization
  - Credential Type: Single Secret Credential
  - single_secret: Click the key icon
    - Select the name of the plugin credential created in step 2
    - Path to Secret: secret/ansible/test
    - Key Name: pizza
- Associate that newly created credential from step 5 to your AAP template
- Use this example playbook to print the test credential.
UMN HCP Vault#
Use this Credential Type to pass credential information in to a playbook so that, when the playbook runs, it can retrieve secrets from Vault.
This example utilizes the community.hashi_vault ansible collection.
Note
To run locally with user permissions, see this article.
- Navigate to Automation Execution > Infrastructure > Credentials: Create Credential
- Fill out the following information:
  - Name: i.e. secm_hcp_credential
  - Description: i.e. Approle for ansible to connect to Vault
  - Organization: Your team's AAP organization
  - Credential Type: UMN HCP Vault
  - ansible_hashi_vault_role_id: role_id retrieved from vault in the previous section
  - ansible_hashi_vault_secret_id: secret_id retrieved from vault in the previous section
  - ansible_hashi_vault_namespace: admin/CESI or admin/CESI/subteam (i.e. admin/secm or admin/iam/appsec)
- Associate that newly created credential to your Job template
- Select the devex-ee Execution Environment for your template (it has the community.hashi_vault collection and other prerequisites)
- Use the community.hashi_vault ansible collection. See this example playbook.
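As an added example (not the example playbook linked from this page, nor the project's own code), the play below reads the test secret from this page (secret/ansible/test, key pizza) with both lookups that the Vault policy above grants, so you can see why the policy carries two paths. It assumes the UMN HCP Vault credential injects ansible_hashi_vault_role_id, ansible_hashi_vault_secret_id and ansible_hashi_vault_namespace as extra vars, that the KV v2 engine is mounted at secret, and that the play supplies the Vault URL and auth method itself since the credential does not.

```yaml
# Added example playbook (assumption: role_id/secret_id/namespace arrive as extra vars
# from the UMN HCP Vault credential; they are never written into the repository).
- name: Read a test secret from HCP Vault via AppRole
  hosts: localhost
  gather_facts: false
  vars:
    # Connection settings picked up by every community.hashi_vault plugin by variable name.
    ansible_hashi_vault_url: "https://hcp-vault-private-vault-fc507e0d.5d5b1f21.z1.hashicorp.cloud:8200"
    ansible_hashi_vault_auth_method: approle
  tasks:
    - name: Fail early if the credential was not attached to the job template
      ansible.builtin.assert:
        that:
          - ansible_hashi_vault_role_id is defined
          - ansible_hashi_vault_secret_id is defined
          - ansible_hashi_vault_namespace is defined
        fail_msg: "Attach the UMN HCP Vault credential to this job template."

    # Option 1: generic hashi_vault lookup. KV v2 is addressed through the API path
    # (secret/data/...), which is why the policy grants read on secret/data/ansible/*.
    - name: Read key 'pizza' with the hashi_vault lookup
      ansible.builtin.set_fact:
        pizza_a: "{{ lookup('community.hashi_vault.hashi_vault', 'secret/data/ansible/test:pizza') }}"
      no_log: true

    # Option 2: KV v2 specific lookup. The path is relative to the mount (secret) and
    # the key/value pairs of the secret are returned under .secret.
    - name: Read key 'pizza' with the vault_kv2_get lookup
      ansible.builtin.set_fact:
        pizza_b: "{{ lookup('community.hashi_vault.vault_kv2_get', 'ansible/test', engine_mount_point='secret').secret.pizza }}"
      no_log: true

    - name: Confirm both lookups return the same value without printing it
      ansible.builtin.assert:
        that: pizza_a == pizza_b
        quiet: true

    - name: Report success (the value itself stays masked in the job output)
      ansible.builtin.debug:
        msg: "Retrieved key 'pizza' from secret/ansible/test ({{ pizza_b | length }} characters)"
```

Run it from a job template that has both the UMN HCP Vault credential and the devex-ee execution environment attached; if only one of the two lookups fails with a permission error, the corresponding path is missing from the Vault policy.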