
With AWX and Ansible Tower, I know you can use HashiCorp Vault to manage the passwords that you use inside your playbooks. For instance if you want to configure some network devices, the credentials for accessing these devices could reside in the Vault.

Has anybody used AWX/Tower with database passwords stored in HashiCorp Vault? By default, the Postgres password is stored in a file in the file system if I am not mistaken.

This article however suggests that the passwords could be stored in the Vault such that Tower/AWX would only get short lived credentials to access the database: https://www.arctiq.ca/our-blog/2019/9/20/configuring-hashicorp-vault-to-generate-dynamic-postgresql-credentials/

Please can you share your experience with this architecture?

1 Answer


There is the hashi_vault_lookup plugin, which retrieves secrets from HashiCorp’s vault.

It can be used like this in your playbook:

    # The token and URL in the lookup string are example values; substitute your own.
    - name: 'Fetch secrets using "hashi_vault" lookup'
      set_fact:
        secret: "{{ lookup('community.general.hashi_vault', 'secret=secret/hello:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200') }}"
Henrik Pingel