Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 25. Using Ansible to manage IdM user vaults: storing and retrieving secrets

This chapter describes how to manage user vaults in Identity Management (IdM) using the Ansible vault module. Specifically, it describes how an IdM user can use Ansible playbooks to perform the following three actions:

The user can do the storing and the retrieving from two different IdM clients.

25.1. Prerequisites
Link kopieren

Follow this procedure to use an Ansible playbook to create a vault container with one or more private vaults to securely store sensitive information. In the example used in the procedure below, the idm_user user creates a vault of the standard type named my_vault. The standard vault type ensures that idm_user will not be required to authenticate when accessing the file. idm_user will be able to retrieve the file from any IdM client to which the user is logged in.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.15 or later.
    • You have installed the freeipa.ansible_freeipa collection.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
  • The target node, that is the node on which the freeipa.ansible_freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
  • You know the password of idm_user.

Procedure

  1. Navigate to the ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the ensure-standard-vault-is-present.yml Ansible playbook file from the relevant collections directory. For example: 

    $ cp /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/vault/ensure-standard-vault-is-present.yml ensure-standard-vault-is-present-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the ensure-standard-vault-is-present-copy.yml file for editing.

  4. Adapt the file by setting the following variables in the freeipa.ansible_freeipa.ipavault task section:

    • Set the ipaadmin_principal variable to idm_user.
    • Set the ipaadmin_password variable to the password of idm_user.
    • Set the user variable to idm_user.
    • Set the name variable to my_vault.

    • Set the vault_type variable to standard.

      This the modified Ansible playbook file for the current example: 

    ---
- name: Tests
  hosts: ipaserver
  gather_facts: false

  tasks:
  - freeipa.ansible_freeipa.ipavault:
      ipaadmin_principal: idm_user
      ipaadmin_password: idm_user_password
      user: idm_user
      name: my_vault
      vault_type: standard
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the playbook: 

    $ ansible-playbook -v -i inventory ensure-standard-vault-is-present-copy.yml
    Copy to Clipboard Toggle word wrap

25.3. Archiving a secret in a standard user vault in IdM using Ansible
Link kopieren

Follow this procedure to use an Ansible playbook to store sensitive information in a personal vault. In the example used, the idm_user user archives a file with sensitive information named password.txt in a vault named my_vault.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.15 or later.
    • You have installed the freeipa.ansible_freeipa collection.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
  • The target node, that is the node on which the freeipa.ansible_freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
  • You know the password of idm_user.
  • idm_user is the owner, or at least a member user of my_vault.
  • You have access to password.txt, the secret that you want to archive in my_vault.

Procedure

  1. Navigate to the ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the data-archive-in-symmetric-vault.yml Ansible playbook file from the relevant collections directory. For example: 

    $ cp /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/vault/data-archive-in-symmetric-vault.yml data-archive-in-standard-vault-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the data-archive-in-standard-vault-copy.yml file for editing.

  4. Adapt the file by setting the following variables in the freeipa.ansible_freeipa.ipavault task section:

    • Set the ipaadmin_principal variable to idm_user.
    • Set the ipaadmin_password variable to the password of idm_user.
    • Set the user variable to idm_user.
    • Set the name variable to my_vault.
    • Set the in variable to the full path to the file with sensitive information.

    • Set the action variable to member.

      This the modified Ansible playbook file for the current example: 

    ---
- name: Tests
  hosts: ipaserver
  gather_facts: false

  tasks:
  - freeipa.ansible_freeipa.ipavault:
      ipaadmin_principal: idm_user
      ipaadmin_password: idm_user_password
      user: idm_user
      name: my_vault
      in: /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/vault/password.txt
      action: member
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the playbook: 

    $ ansible-playbook -v -i inventory data-archive-in-standard-vault-copy.yml
    Copy to Clipboard Toggle word wrap

Follow this procedure to use an Ansible playbook to retrieve a secret from the user personal vault. In the example used in the procedure below, the idm_user user retrieves a file with sensitive data from a vault of the standard type named my_vault onto an IdM client named host01. idm_user does not have to authenticate when accessing the file. idm_user can use Ansible to retrieve the file from any IdM client on which Ansible is installed.

Prerequisites

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.15 or later.
    • You have installed the freeipa.ansible_freeipa collection.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
  • The target node, that is the node on which the freeipa.ansible_freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
  • You know the password of idm_user.
  • idm_user is the owner of my_vault.
  • idm_user has stored a secret in my_vault.
  • Ansible can write into the directory on the IdM host into which you want to retrieve the secret.
  • idm_user can read from the directory on the IdM host into which you want to retrieve the secret.

Procedure

  1. Navigate to the ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Open your inventory file and mention, in a clearly defined section, the IdM client onto which you want to retrieve the secret. For example, to instruct Ansible to retrieve the secret onto host01.idm.example.com, enter: 

    [ipahost]
host01.idm.example.com
    Copy to Clipboard Toggle word wrap

  3. Make a copy of the retrive-data-symmetric-vault.yml Ansible playbook file from the relevant collections directory. Replace "symmetric" with "standard". For example: 

    $ cp /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/vault/retrive-data-symmetric-vault.yml retrieve-data-standard-vault.yml-copy.yml
    Copy to Clipboard Toggle word wrap
  4. Open the retrieve-data-standard-vault.yml-copy.yml file for editing.
  5. Adapt the file by setting the hosts variable to ipahost.

  6. Adapt the file by setting the following variables in the freeipa.ansible_freeipa.ipavault task section:

    • Set the ipaadmin_principal variable to idm_user.
    • Set the ipaadmin_password variable to the password of idm_user.
    • Set the user variable to idm_user.
    • Set the name variable to my_vault.
    • Set the out variable to the full path of the file into which you want to export the secret.

    • Set the state variable to retrieved.

      This the modified Ansible playbook file for the current example: 

    ---
- name: Tests
  hosts: ipahost
  gather_facts: false

  tasks:
  - freeipa.ansible_freeipa.ipavault:
      ipaadmin_principal: idm_user
      ipaadmin_password: idm_user_password
      user: idm_user
      name: my_vault
      out: /tmp/password_exported.txt
      state: retrieved
    Copy to Clipboard Toggle word wrap
  7. Save the file.

  8. Run the playbook: 

    $ ansible-playbook -v -i inventory retrieve-data-standard-vault.yml-copy.yml
    Copy to Clipboard Toggle word wrap

Verification

  1. SSH to host01 as user01: 

    $ ssh user01@host01.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. View the file specified by the out variable in the Ansible playbook file: 

    $ vim /tmp/password_exported.txt
    Copy to Clipboard Toggle word wrap

You can now see the exported secret.

  • For more information about using Ansible to manage IdM vaults and user secrets and about playbook variables, see the README-vault.md Markdown file available in the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/ directory and the sample playbooks available in the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/vault/ directory.
Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat