
Encrypt LAPS credentials with ansible-vault #100

Closed
no-12 opened this issue Feb 24, 2024 · 4 comments

Comments

@no-12

no-12 commented Feb 24, 2024

SUMMARY

It would be nice to have an option to encrypt the LAPS credentials fetched by the ldap inventory plugin with ansible-vault.
This would make storing the LAPS credentials in AWX a little bit more secure and won't allow users with read permissions on the inventory to view the credentials.
This would also be useful if you run this plugin without AWX to generate a "static" inventory file.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

microsoft.ad.ldap inventory

@jborean93
Collaborator

Hi, I'm not sure what the benefits of this would be, as the LAPS password changes quite frequently and it's not really designed to be stored offline. I'm not 100% familiar with AWX; are you saying that having it run the dynamic inventory allows it to read the generated inventory?

You can use ansible-inventory to retrieve the password details, which you can then encrypt if you wish, but this is something you have to do every time the LAPS password is changed. For example, I have this inventory configuration at microsoft.ad.ldap.yml:

plugin: microsoft.ad.ldap

search_base: OU=Servers,DC=domain,DC=test

attributes:
  msLAPS-EncryptedPassword:
    ansible_user: (this.value | from_json).n
    ansible_password: (this.value | from_json).p

I can run the following to retrieve the username and password configured by LAPS:

$ ansible-inventory -i microsoft.ad.ldap.yml --host SERVER2022 --vars
{
    "ansible_host": "SERVER2022.domain.test",
    "ansible_password": "...",
    "ansible_user": "Administrator",
    "microsoft_ad_distinguished_name": "CN=SERVER2022,OU=Servers,DC=domain,DC=test"
}

@no-12
Author

no-12 commented Feb 26, 2024

AWX runs any ansible inventory plugin and converts the resulting JSON to persistent objects in its DB.

So the idea was to run the inventory sync on a fixed schedule.
Or an even more dynamic approach would be to use the Windows event of the LAPS password change to trigger an AWX callback to update the inventory and hence the LAPS password in AWX.

The rotation of the LAPS password is a little bit of a problem but it is manageable.

The problem I want to address with this issue is that I want to allow users to read the inventory and the corresponding host vars in AWX, but they should NOT be able to view the LAPS password in clear text.

@jborean93
Collaborator

I unfortunately think this might be a question more for AWX, or a custom solution to check in your own encrypted values. You can whip up a script with ansible-inventory and jq to extract the values, which is then piped to ansible-vault, if you wanted to go your own way; but if you want something special with AWX, that might be a question for them, sorry.
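The ansible-inventory plus jq plus ansible-vault script sketched above, written out as an added example (not code from this thread or from the microsoft.ad collection). It assumes ansible-inventory and ansible-vault are on PATH, uses python3 in place of jq for the JSON extraction, and the vault password file name is an assumption; the sample JSON is constructed to mirror the output shown earlier.

```shell
#!/bin/sh
# Added example (not from the microsoft.ad collection or this thread): turn one
# host's `ansible-inventory --host ... --vars` JSON into a static host_vars file
# whose LAPS password is an ansible-vault string, so the file can be shared or
# committed without exposing the password in clear text.
# Assumptions: ansible-inventory and ansible-vault are on PATH, python3 exists
# (used instead of jq), and the vault password lives in $VAULT_PASS_FILE.
set -eu

INVENTORY="${INVENTORY:-microsoft.ad.ldap.yml}"        # config from the thread
VAULT_PASS_FILE="${VAULT_PASS_FILE:-.laps-vault-pass}"  # assumed password file

# Constructed sample with the same shape as the ansible-inventory output above
# (the password is made up); lets the extraction step run without a domain.
SAMPLE_JSON='{"ansible_host": "SERVER2022.domain.test",
 "ansible_password": "Constructed-P@ssw0rd",
 "ansible_user": "Administrator",
 "microsoft_ad_distinguished_name": "CN=SERVER2022,OU=Servers,DC=domain,DC=test"}'

# Print one top-level key of the JSON object read from stdin.
json_field() {   # $1 = key name
    python3 -c 'import json, sys; print(json.load(sys.stdin)[sys.argv[1]])' "$1"
}

# Write host_vars/<host>.yml: plaintext ansible_user, vaulted ansible_password.
# $1 = hostname; stdin = the host's JSON vars. Prints the path written.
write_host_vars() {
    host="$1"
    json="$(cat)"
    user="$(printf '%s' "$json" | json_field ansible_user)"
    password="$(printf '%s' "$json" | json_field ansible_password)"
    mkdir -p host_vars
    {
        printf 'ansible_user: %s\n' "$user"
        # encrypt_string emits a ready-to-use "ansible_password: !vault |" block;
        # the password is passed on stdin, never on the command line.
        printf '%s' "$password" | ansible-vault encrypt_string \
            --vault-password-file "$VAULT_PASS_FILE" --stdin-name ansible_password
    } > "host_vars/$host.yml"
    echo "host_vars/$host.yml"
}

# Usage: sh laps_to_vault.sh SERVER2022   (re-run after each LAPS rotation)
if [ "${1:-}" ]; then
    ansible-inventory -i "$INVENTORY" --host "$1" --vars | write_host_vars "$1"
else
    # No hostname given: offline check of the extraction step on the sample.
    printf '%s' "$SAMPLE_JSON" | json_field ansible_user
fi
```

Because the output of `ansible-vault encrypt_string` is valid YAML, the resulting host_vars file is consumed by Ansible unchanged once the matching vault password is supplied.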

@no-12
Author

no-12 commented Feb 26, 2024

Yeah, I think you are right. Thank you for your feedback.

no-12 closed this as not planned on Feb 26, 2024