I’ve recently finished a deployment project that required me to put together an ad-hoc automation proof of concept to showcase what the in-house team (which until then had been shifting through the gears in manual) could achieve through automation.
Choosing Ansible for this piece of work seemed a logical option, but it was only when the team started to take a real interest in its features that I had to revisit the reasons why I think Ansible stands out as such a strong contender in the field of IT automation tools.
Despite the wide choice of automation tools available, this proof of concept demonstrated exactly why Ansible remains a firm favourite for all flavours of deployment and configuration projects. For example, if you don’t have root privileges, or your time is limited, and you don’t want to wait for agents to be installed or firewalls to be opened, Ansible offers a robust solution with the following key features:
- It’s highly stable
- It doesn’t require root user
- It’s agent-less (no additional components required!)
- It supports SSH protocol
- It has a simple setup process
- It has a low learning requirement
With its simple set up process, and highly accessible nature, Ansible is a useful tool for anyone - beginner or otherwise - looking to automate deployment of applications or systems. What’s more, with Ansible you can show your ideas directly from your laptop without having to add components to your client infrastructure, which makes everything easier and faster.
Whilst I’m not about to get stuck into all the components of Ansible, I thought it might be worthwhile to offer an insight into what I consider to be one of its most effective features: Ansible Vault.
Ansible 1.5 introduced Vault, a feature that lets you store sensitive information in encrypted files. In a vault you can store usernames, passwords, commands or any other information you want to protect. Vault can also encrypt binary files.
Software / set up
To demonstrate how easily you can use Vault within Ansible, I connected to a remote server using a username and password, first with the credentials stored in plaintext in the Ansible hosts file, and then with the credentials stored in an encrypted vault file.
For this, my setup was quite simple: one machine running Ansible (127.0.0.1) and a remote server (192.168.0.8).
First, we need to create our Ansible hosts file with the list of hosts that Ansible will manage.
We can test whether our Ansible setup is working by simply pinging all the hosts in the hosts file:
By default Ansible authenticates with an SSH key as the current user. To be prompted for a password instead, pass the --ask-pass option; to connect as a different user, pass the --user option.
Now we create two host_vars files (one for each host) and add the passwords to them (note that storing passwords in plaintext like this is very insecure):
We could add the same information in the hosts file, but the hosts file cannot be encrypted with Vault.
We can test again pinging all hosts (as you can see the --ask-pass option is not needed anymore):
Vault is extremely simple to use; we just need to encrypt the host_vars files with the following command:
Now we can ping our hosts again, passing the option --ask-vault-pass to be prompted interactively for the vault password:
In the host_vars files we added only the connection credentials, but we can add any other string we may want to use later on the remote machine. For example:
As you can see, we added a new custom variable (on only one of the two hosts) which can be used to connect to another secure system, or to set the new password for the user.
If we execute the following command:
On host 192.168.0.8 the command fails because the variable is undefined, while on the other host the encrypted variable is available.
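The whole procedure above, as an added example that is not the original post's own commands: it writes the hosts file and the two host_vars files for the post's two hosts (127.0.0.1 and 192.168.0.8), encrypts them with ansible-vault when it is installed, and adds a check a practitioner would want before committing the directory anywhere: every host_vars file must carry the Ansible Vault header, otherwise plaintext credentials are about to leak. The custom variable name db_password, the user name deploy, all password values and the vault password file path are constructed placeholders. Password-based SSH in Ansible also needs sshpass on the control machine.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes the two hosts from the
# post; user name, passwords and the db_password variable are constructed.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: inventory listing the managed hosts (INI format, group "servers").
write_inventory() {
    cat > "$WORKDIR/hosts" <<'EOF'
[servers]
127.0.0.1
192.168.0.8
EOF
}

# Step 2: one host_vars file per host, read from host_vars/<inventory_hostname>
# next to the inventory. ansible_user/ansible_password are the current names;
# Ansible releases before 2.0 used ansible_ssh_user/ansible_ssh_pass.
# The custom variable db_password exists only for 127.0.0.1, as in the post.
write_host_vars() {
    mkdir -p "$WORKDIR/host_vars"
    cat > "$WORKDIR/host_vars/127.0.0.1.yml" <<'EOF'
---
ansible_user: deploy
ansible_password: example-local-password    # constructed sample value
db_password: example-db-secret              # custom variable, this host only
EOF
    cat > "$WORKDIR/host_vars/192.168.0.8.yml" <<'EOF'
---
ansible_user: deploy
ansible_password: example-remote-password   # constructed sample value
EOF
}

# Returns 0 if the file starts with the Ansible Vault header, 1 if it is plaintext.
is_vault_encrypted() {
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;'
}

# Returns 1 if any host_vars file is still plaintext. Run this before the
# directory goes into version control or onto a shared machine.
check_no_plaintext_secrets() {
    rc=0
    for f in "$WORKDIR"/host_vars/*; do
        if ! is_vault_encrypted "$f"; then
            echo "plaintext secrets in $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Step 3: encrypt every host_vars file. --vault-password-file replaces the
# interactive --ask-vault-pass prompt; the file itself must stay out of git.
encrypt_host_vars() {
    ansible-vault encrypt --vault-password-file "$VAULT_PW_FILE" "$WORKDIR"/host_vars/*
}

# Steps 4-5: ping all hosts, then use the custom variable in an ad-hoc command.
# The second command fails on 192.168.0.8 only, because db_password is
# undefined there; on 127.0.0.1 the value is decrypted from the vault file.
run_ansible_demo() {
    ansible all -i "$WORKDIR/hosts" -m ping --vault-password-file "$VAULT_PW_FILE"
    ansible all -i "$WORKDIR/hosts" -m shell -a 'test -n "{{ db_password }}"' \
        --vault-password-file "$VAULT_PW_FILE"
}

write_inventory
write_host_vars

if command -v ansible-vault >/dev/null 2>&1; then
    VAULT_PW_FILE="$WORKDIR/.vault_pass"          # constructed placeholder path
    printf 'example-vault-password\n' > "$VAULT_PW_FILE"
    chmod 600 "$VAULT_PW_FILE"
    encrypt_host_vars
    check_no_plaintext_secrets && echo "all host_vars files are vault-encrypted"
    echo "run run_ansible_demo to ping the hosts and exercise db_password"
else
    echo "ansible-vault not installed: plaintext files written to $WORKDIR" >&2
fi
```

The check deliberately looks only at the first line: every file ansible-vault produces begins with `$ANSIBLE_VAULT;` followed by the format version and cipher, so a file missing that header is one that was added or edited without going through the vault.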
Hopefully this has given you an overview of one of the stand-out features of Ansible, and that these simple examples have demonstrated how simple it is to encrypt your information with Ansible Vault!