Populate Ansible from AWS Secrets Manager

Shane Dowling
Sep 3, 2020 · 2 min read

One of the ways to improve your security and avoid passing around env files is to follow the twelve factor app and start populating your secrets from the environment. Another improvement is to pull those secrets from a known secret store, with features like rotation, auditing etc.

Requirements

  • Ansible
  • Have some secrets stored in AWS Secrets Manager
  • Ansible should have access to the latest aws-cli command(secrets manager is a recent addition)
  • Jq if you’re storing json in your secrets

It’s worth testing your AWS calls to just extract the secret you’re interested in to stdout, from the terminal tests some calls like:

aws secretsmanager get-secret-value --secret-id some/secret/name --query SecretString --output text

Or for json you might do something like:

aws secretsmanager get-secret-value --secret-id secrets| jq --raw-output '.SecretString' | jq -r .API_KEY

Ansible Config

Once you have secrets manager outputting your secrets to stdout, you can utilise it in Ansible. In this example I’m outputting to an env file but this could but used anywhere in Ansible. Instead of outputting to a file you could set its own environment variables then spin up the project from Ansible without outputting to a file anywhere.

- name: Setting env with some secret
args:
executable: /bin/bash
shell: |
aws secretsmanager get-secret-value --secret-id some/secret/name --query SecretString --output text
register: some_secret
- name: pass response of ssm to .env file
become: no
blockinfile:
dest: '{{ some_environment_path }}/.env'
state: present
create: yes
marker: "# {mark} MY SECRET FROM AWS #"
block: |
SOME_SECRET='{{ some_secret.stdout }}'

And that’s it! Anything I could’ve done better(which I’m sure there is), do let me know!

Tech Blog

Random smattering of technical posts