
Ansible Tower - Using Azure Key Vault Secrets Within Playbooks

I am currently trying to utilize the Credential of type Microsoft Azure Key Vault within a playbook. From some googling I have found some resources on specifying Credential Types and specifying a custom injector, but would prefer to achieve this with the built-in credential if possible.

Currently, I have my key vault credentials properly configured and tested from the UI, and it is able to find secrets using the service principal details I have supplied.

I wish to use this credential to dynamically access and look up secrets within my playbooks with some sort of command like {{ my_kv_store }}:secret_name. Is achieving this sort of functionality possible?

Thanks in advance.

Decided to deviate away from trying to use Azure Key Vault and went with the Credential Type route instead, using the Azure CLI within the playbook.

Steps I followed:

New Credential Type: Azure Service Principal

# Input Configuration
fields:
  - id: vault_url
    type: string
    label: Vault URL (DNS Name)
  - id: client_id
    type: string
    label: Client ID
  - id: client_secret
    type: string
    label: Client Secret
    secret: true
  - id: tenant_id
    type: string
    label: Tenant ID
required:
  - vault_url
  - client_id
  - client_secret
  - tenant_id

# Injector Configuration
env:
  AZ_CLIENT_ID: '{{ client_id }}'
  AZ_CLIENT_SECRET: '{{ client_secret }}'
  AZ_TENANT_ID: '{{ tenant_id }}'
  AZ_VAULT_URL: '{{ vault_url }}'

Example Credential Configuration

New Credential: Azure SP Creds

  1. Select Credential Type
  2. Select the previously defined Credential Type (Azure Service Principal)
  3. Provide the necessary input fields

Using Credential with your Job

  1. Within Job Template
    1. Select Azure SP Creds
  2. Within your playbook.yml
---
- name: grab test-secret from azure kv
  hosts: localhost
  gather_facts: false
  connection: local
  vars:
    kv_secret_name: "test-secret"
  tasks:
    # The AZ_* environment variables are populated by the injector of the
    # custom credential type defined above
    - name: set facts
      set_fact:
        az_vault_name: "kv-237-gr-vnet-devops"
        az_tenant_id:   '{{ lookup("env", "AZ_TENANT_ID") }}'
        az_client_id:   '{{ lookup("env", "AZ_CLIENT_ID") }}'
        az_client_secret:  '{{ lookup("env", "AZ_CLIENT_SECRET") }}'
        az_vault_url:      '{{ lookup("env", "AZ_VAULT_URL") }}'
    # The client secret is passed on the command line here, so it is visible in
    # the process list of the execution node while az login runs
    - name: connect AZ CLI to Azure
      shell: |
        az login --service-principal -u "{{ az_client_id }}" -p "{{ az_client_secret }}" --tenant "{{ az_tenant_id }}"
      args:
        executable: /usr/bin/bash
    - name: Retrieve secret and register as var
      shell: az keyvault secret show --name "{{ kv_secret_name }}" --vault-name "{{ az_vault_name }}" --query value -o tsv
      args:
        executable: /usr/bin/bash
      register: azure_secret
    # Prints the secret value into the Tower job output; add no_log: true to
    # this task and the one above once it is no longer a test
    - debug:
        msg: "{{ azure_secret.stdout }}"

    # Alternative left commented out: the Key Vault lookup plugin
    # - name: Use creds to get KV secret
    #   azure_rm_keyvaultsecret_info
    #   debug: msg="the value of this secret is {{lookup('azure_kv',secretname,vault_url=url, client_id=client_id, secret=secret, tenant_id=tenant)}}"

- hosts: all
  vars:
    # The registered result lives in localhost's hostvars, so other plays can read it
    kv_secret: "{{ hostvars['localhost']['azure_secret']['stdout'] }}"
  tasks:
    - name: "Show the secret retrieved from localhost"
      shell: echo "{{ kv_secret }}"
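As an added example (not the answer's own playbook), the same injected AZ_* variables read through the azure.azcollection lookup plugin that the commented-out line hints at: the client secret never lands on an az login command line, and no_log keeps the retrieved value out of the job output. It assumes the azure.azcollection collection and its Python dependencies are installed on the execution node; the vault, secret and credential values are the ones from the answer.

```yaml
---
# Added example: read a Key Vault secret using the custom credential type's
# injected environment variables without shelling out to the az CLI.
- name: fetch test-secret from azure kv via the collection lookup
  hosts: localhost
  gather_facts: false
  connection: local
  vars:
    kv_secret_name: "test-secret"
    # Populated by the injector of the "Azure Service Principal" credential type
    az_vault_url: "{{ lookup('env', 'AZ_VAULT_URL') }}"
    az_client_id: "{{ lookup('env', 'AZ_CLIENT_ID') }}"
    az_client_secret: "{{ lookup('env', 'AZ_CLIENT_SECRET') }}"
    az_tenant_id: "{{ lookup('env', 'AZ_TENANT_ID') }}"
  tasks:
    - name: fail early if the credential was not attached to the job template
      assert:
        that:
          - az_vault_url | length > 0
          - az_client_id | length > 0
          - az_client_secret | length > 0
          - az_tenant_id | length > 0
        fail_msg: "AZ_* variables missing: attach the Azure SP Creds credential to the job template"
        quiet: true

    # The lookup authenticates with the service principal in-process, so the
    # secret is never an argument of a spawned command
    - name: read the secret with azure.azcollection.azure_keyvault_secret
      set_fact:
        kv_secret: >-
          {{ lookup('azure.azcollection.azure_keyvault_secret',
                    kv_secret_name,
                    vault_url=az_vault_url,
                    client_id=az_client_id,
                    secret=az_client_secret,
                    tenant_id=az_tenant_id) }}
      no_log: true   # keeps the value out of the Tower job output and callbacks

    # Confirm retrieval without printing the value itself
    - name: report that the secret was retrieved
      debug:
        msg: "retrieved {{ kv_secret_name }} ({{ kv_secret | length }} characters)"

- hosts: all
  vars:
    kv_secret: "{{ hostvars['localhost']['kv_secret'] }}"
  tasks:
    # Any task that consumes the secret should also carry no_log
    - name: write the secret to a root-only file on the target
      copy:
        content: "{{ kv_secret }}"
        dest: /etc/app/kv-secret   # placeholder path
        mode: "0600"
      no_log: true
```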
