
Post on 01-Aug-2020


Security at Inception
Ansible Orchestration Meets Secrets Management
Joe Garcia, CISSP
DevOps Security Engineer, CyberArk

Share your automation story

1. How did you get started with Ansible?

2. How long have you been using it?

3. What's your favorite thing to do when you Ansible?

WHO IS CYBERARK?

SECRETS MANAGEMENT TODAY

[Diagram: delivery pipeline Developer, SCM, Build, Package Repo, Deploy, Test, Stage, Prod, with a separate secret store at each stage: Jenkins Credentials, Artifactory Secrets, Ansible Tower Credentials]

“ISLANDS OF SECURITY”

Each ”Island of Security” requires maintenance, management, and auditing

[Diagram: further islands of security, each holding its own Secrets: Hiera, Databags, Tower Credentials, and a separate IAM / KMS per cloud account]

THE PROBLEM? WE’RE HUMAN

STRESSED BUSY TIME OFF

SECRET MANAGEMENT METHODS

[Diagram: the same pipeline Developer, SCM, Build, Package Repo, Deploy, Test, Stage, Prod, with every stage retrieving from one store]

Centralized Secrets Management
Centralized Auditing
Centralized Dynamic Retrieval

JUST-IN-TIME SECRET RETRIEVAL FROM CYBERARK

CENTRAL CREDENTIAL PROVIDER

• Web Service
• Attribute-Based Authn
• 100+ Integrations

DYNAMIC ACCESS PROVIDER

• Containerized
• Token + Attribute-Based Authn
• Auto-Scalable with HA

Ansible Tower
Secret Management System

AVAILABLE INTEGRATIONS IN TOWER v3.5.1

• CyberArk Application Identity Manager (AIM)
• CyberArk Conjur
• HashiCorp Vault Key-Value Store (KV)
• HashiCorp Vault SSH Secrets Engine
• Microsoft Azure Key Management System (KMS)

Create Credential & Link to Secret Lookup

Allows the centralized vault to rotate and manage secrets

Add Machine Credential to Job Template OR Reference Credential Variable in Playbook

CYBERARK APPLICATION ACCESS MANAGER (AAM)

Formerly Application Identity Manager (AIM)

Credential Type: CyberArk AIM Secret Lookup

CYBERARK CONJUR

Credential Type: CyberArk Conjur Secret Lookup


Onboarding Secrets
Created in Play

ANSIBLE GALAXY
PROVISIONING ROLE

$ ansible-galaxy install infamousjoeg.provisioning

Onboards credentials and secrets created in the play into the CyberArk PAS Core Solution

Allows you to randomize secrets and no_log

INFAMOUSJOEG.PROVISIONING
EXAMPLE

Built-In Lookup Plugins
For Ansible Engine

CYBERARKPASSWORD
LOOKUP PLUGIN

Available in Ansible Engine v2.5 or above

Retrieves secrets “Just-in-Time” using CyberArk Credential Provider

CONJUR_VARIABLE
LOOKUP PLUGIN

Available in Ansible Engine v2.5 or above

Retrieves secrets “Just-in-Time” from CyberArk Conjur
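As an added example that is not from the deck or the presenter, the playbook below retrieves secrets just in time with the cyberarkpassword and conjur_variable lookup plugins from Ansible Engine alone, with no Tower involved; the AppID, safe, object and Conjur variable path are assumed placeholders.

```yaml
# Added example, not from the deck. Both lookups run at task time on the
# control node, so the secret never lives in inventory, vars files or SCM.
# Assumed placeholders: AppID "ansible_app", safe "Ansible_Secrets" with
# object "DBAdmin", Conjur variable "prod/api/key". On current Ansible the
# plugins ship in the community.general and cyberark.conjur collections.
- name: Just-in-time secret retrieval from CyberArk
  hosts: dbservers
  gather_facts: false
  tasks:
    - name: Retrieve the DB admin account from the Credential Provider
      # Each item is a dict with keys password, passprops and
      # passwordchangeinprocess returned by the Credential Provider.
      set_fact:
        db_admin: "{{ item }}"
      with_cyberarkpassword:
        appid: "ansible_app"
        query: "safe=Ansible_Secrets;folder=root;object=DBAdmin"
        output: "Password,PassProps.UserName"
      no_log: true          # keep the secret out of task output and job logs

    - name: Use the credential through the environment, not the command line
      command: /usr/local/bin/db-health-check    # placeholder script
      environment:
        DB_PASSWORD: "{{ db_admin.password }}"
      no_log: true          # the password is still in the task args: no_log again

    - name: Retrieve an application secret from Conjur in the same play
      # The host's Conjur identity must be permitted to read this variable.
      set_fact:
        api_key: "{{ lookup('conjur_variable', 'prod/api/key') }}"
      no_log: true
```

Facts set this way persist for the host for the rest of the run, so every later task that renders them also needs no_log: true.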

WHICH INTEGRATION TO USE AND WHEN?

Ansible Tower Secret Management System
• Ansible Tower v3.5.1 or above
• CyberArk Central Credential Provider: CyberArk AIM Secret Lookup
• CyberArk Conjur: CyberArk Conjur Secret Lookup

Onboarding Secrets Created in Play
• CyberArk PAS Core Solution
• Secret creation required mid-play
• Secret is deemed privileged & falls under compliance regulations

Built-In Lookup Plugins for Ansible Engine
• Ansible Engine v2.5 or above
• No Ansible Tower licensing
• Ansible Tower below v3.5.1
• CyberArk Credential Provider: cyberarkpassword
• CyberArk Conjur: conjur_variable

@Joe_Garcia infamousjoeg

https://cyberark.com | https://conjur.org