summaryrefslogtreecommitdiffstats
path: root/docs/docsite/rst/userguide/credential_plugins.rst
blob: f0888840ef9e2d8f3345fd69fb45318503e2b566 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
.. _ug_credential_plugins:

Secret Management System
=============================

.. index::
   single: credentials
   pair: credential; plugins
   pair: secret management; credential
   
Users and admins upload machine and cloud credentials so that automation can access machines and external services on their behalf. By default, sensitive credential values (such as SSH passwords, SSH private keys, API tokens for cloud services) are stored in the database after being encrypted. With external credentials backed by credential plugins, you can map credential fields (like a password or an SSH Private key) to values stored in a :term:`secret management system` instead of providing them to AWX directly. AWX provides a secret management system that include integrations for:

- Centrify Vault Credential Provider Lookup
- CyberArk Central Credential Provider Lookup (CCP)
- CyberArk Conjur Secrets Manager Lookup
- HashiCorp Vault Key-Value Store (KV)
- HashiCorp Vault SSH Secrets Engine
- Microsoft Azure Key Management System (KMS)
- Thycotic DevOps Secrets Vault
- Thycotic Secret Server

These external secret values will be fetched prior to running a playbook that needs them. For more information on specifying these credentials in the User Interface, see :ref:`ug_credentials`.

Configure and link secret lookups
-----------------------------------

When configuring AWX to pull a secret from a 3rd-party system, it is in essence linking credential fields to external systems. To link a credential field to a value stored in an external system, select the external credential corresponding to that system and provide :term:`metadata` to look up the desired value. The metadata input fields are part of the :term:`external credential type` definition of the :term:`source credential`. 

AWX provides a :term:`credential plugin` interface for developers, integrators, admins, and power-users with the ability to add new external credential types to extend it to support other secret management systems. For more detail, see the `development docs for credential plugins`_.

.. _`development docs for credential plugins`: https://github.com/ansible/awx/blob/devel/docs/credentials/credential_plugins.md


Use the AWX User Interface to configure and use each of the supported 3-party secret management systems. 

1. First, create an external credential for authenticating with the secret management system. At minimum, provide a name for the external credential and select one of the following for the **Credential Type**:

.. contents::
    :local:

2. Navigate to the credential form of the target credential and link one or more input fields to the external credential along with metadata for locating the secret in the external system. In this example, the *Demo Credential* is the target credential.

.. _ag_credential_plugins_link_step:

3. For any of the fields below the **Type Details** area that you want to link to the external credential, click the |key| button of the input field. You are prompted to set the input source to use to retrieve your secret information.

.. |key| image:: ../common/images/key-mgmt-button.png

.. image:: ../common/images/credentials-link-credential-prompt.png 

4. Select the credential you want to link to, and click **Next**. This takes you to the **Metadata** tab of the input source. This example shows the Metadata prompt for HashiVault Secret Lookup. Metadata is specific to the input source you select. See the :ref:`ug_metadata_creds_inputs` table for details.

.. image:: ../common/images/credentials-link-metadata-prompt.png

5. Click **Test** to verify connection to the secret management system. If the lookup is unsuccessful, an error message like this one displays:

.. image:: ../common/images/credentials-link-metadata-test-error.png

6. When done, click **OK**. This closes the prompt window and returns you to the Details screen of your target credential. **Repeat these steps**, starting with :ref:`step 3 above <ag_credential_plugins_link_step>` to complete the remaining input fields for the target credential. By linking the information in this manner, AWX retrieves sensitive information, such as username, password, keys, certificates, and tokens from the 3rd-party management systems and populates that data into the remaining fields of the target credential form.

7. If necessary, supply any information manually for those fields that do not use linking as a way of retrieving sensitive information. Refer to the appropriate :ref:`ug_credentials_cred_types` for more detail about each of the fields.

8. Click **Save** when done.

.. _ug_metadata_creds_inputs:

Metadata for credential input sources
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

**Centrify Vault Credential Provider Lookup**

.. list-table::
   :widths: 25 50
   :header-rows: 1

   * - Metadata
     - Description
   * - Account Name (Required)
     - Name of the system account or domain associated with Centrify Vault.
   * - System Name
     - Specify the name used by the Centrify portal.

**CyberArk Central Credential Provider Lookup**

.. list-table::
   :widths: 25 50
   :header-rows: 1

   * - Metadata
     - Description
   * - Object Query (Required)
     - Lookup query for the object.
   * - Object Query Format
     - Select ``Exact`` for a specific secret name, or ``Regexp`` for a secret that has a dynamically generated name.
   * - Object Property
     - Specifies the name of the property to return (e.g., ``UserName``, ``Address``, etc.) other than the default of ``Content``.
   * - Reason
     - If required per the object's policy, supply a reason for checking out the secret, as CyberArk logs those.

**CyberArk Conjur Secrets Lookup**

.. list-table::
   :widths: 25 50
   :header-rows: 1

   * - Metadata
     - Description
   * - Secret Identifier
     - The identifier for the secret.
   * - Secret Version
     - Specify a version of the secret, if necessary, otherwise, leave it empty to use the latest version.

**HashiVault Secret Lookup**

.. list-table::
   :widths: 25 50
   :header-rows: 1

   * - Metadata
     - Description
   * - Name of Secret Backend
     - Specify the name of the KV backend to use. Leave it blank to use the first path segment of the **Path to Secret** field instead.
   * - Path to Secret (required)
     - Specify the path to where the secret information is stored; for example, ``/path/username``.
   * - Key Name (required)
     - Specify the name of the key to look up the secret information.
   * - Secret Version (V2 Only)
     - Specify a version if necessary, otherwise, leave it empty to use the latest version.

**HashiCorp Signed SSH**

.. list-table::
   :widths: 25 50
   :header-rows: 1

   * - Metadata
     - Description
   * - Unsigned Public Key (required)
     - Specify the public key of the cert you want to get signed. It needs to be present in the authorized keys file of the target host(s).
   * - Path to Secret (required)
     - Specify the path to where the secret information is stored; for example, ``/path/username``.
   * - Role Name (required)
     - A role is a collection of SSH settings and parameters that are stored in Hashi vault. Typically, you can specify a couple of them with different privileges, timeouts, etc. So you could have a role that is allowed to get a cert signed for root, and other less privileged ones, for example.
   * - Valid Principals
     - Specify a user (or users) other than the default, that you are requesting vault to authorize the cert for the stored key. Hashi vault has a default user for whom it signs (e.g., ec2-user).

**Azure KMS**

.. list-table::
   :widths: 25 50
   :header-rows: 1

   * - Metadata
     - Description
   * - Secret Name (required)
     - The actual name of the secret as it is referenced in Azure's Key vault app.
   * - Secret Version
     - Specify a version of the secret, if necessary, otherwise, leave it empty to use the latest version.

**Thycotic DevOps Secrets Vault**

.. list-table::
   :widths: 25 50
   :header-rows: 1

   * - Metadata
     - Description
   * - Secret Path (required)
     - Specify the path to where the secret information is stored (e.g., /path/username).

**Thycotic Secret Server**

.. list-table::
   :widths: 25 50
   :header-rows: 1

   * - Metadata
     - Description
   * - Secret ID (required)
     - The identifier for the secret.
   * - Secret Field
     - Specify the field to be used from the secret.

.. _ug_credentials_centrify:

Centrify Vault Credential Provider Lookup
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. index::
   pair: credential types; Centrify

You need the Centrify Vault web service running to store secrets in order for this integration to work. When **Centrify Vault Credential Provider Lookup** is selected for **Credential Type**, provide the following metadata to properly configure your lookup:

- **Centrify Tenant URL** (required): provide the URL used for communicating with Centrify's secret management system
- **Centrify API User** (required): provide the username
- **Centrify API Password** (required): provide the password
- **OAuth2 Application ID** : specify the identifier given associated with the OAuth2 client
- **OAuth2 Scope** : specify the scope of the OAuth2 client


Below shows an example of a configured CyberArk AIM credential.

.. image:: ../common/images/credentials-create-centrify-vault-credential.png 


.. _ug_credentials_cyberarkccp:

CyberArk Central Credential Provider (CCP) Lookup
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. index::
   single: CyberArk CCP
   pair: credential; CyberArk CCP

You need the CyberArk Central Credential Provider web service running to store secrets in order for this integration to work. When **CyberArk Central Credential Provider Lookup** is selected for **Credential Type**, provide the following metadata to properly configure your lookup:

- **CyberArk CCP URL** (required): provide the URL used for communicating with CyberArk CCP's secret management system; must include URL scheme (http, https, etc.)
- **Web Service ID**: optionally specify the identifier for the web service; leaving it blank defaults to AIMWebService
- **Application ID** (required): specify the identifier given by CyberArk CCP services
- **Client Key**: paste the client key if provided by CyberArk
- **Client Certificate**: include the ``BEGIN CERTIFICATE`` and ``END CERTIFICATE`` lines when pasting the certificate, if provided by CyberArk
- **Verify SSL Certificates**: this option is only available when the URL uses HTTPS. Check this option to verify the server’s SSL certificate is valid and trusted. Environments that use internal or private CA's should leave this option unchecked to disable verification.

Below shows an example of a configured CyberArk CCP credential.

.. image:: ../common/images/credentials-create-cyberark-ccp-credential.png 


.. _ug_credentials_cyberarkconjur:

CyberArk Conjur Secrets Manager Lookup
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. index::
   single: CyberArk Conjur
   pair: credential; CyberArk Conjur

With a Conjur Cloud tenant available to target, configure the CyberArk Conjur Secrets Lookup external management system credential plugin as documented.

When **CyberArk Conjur Secrets Manager Lookup** is selected for **Credential Type**, provide the following metadata to properly configure your lookup:

- **Conjur URL** (required): provide the URL used for communicating with CyberArk Conjur's secret management system; must include URL scheme (http, https, etc.)
- **API Key** (required): provide the key given by your Conjur admin
- **Account** (required): the organization's account name
- **Username** (required): the specific authenticated user for this service
- **Public Key Certificate**: include the ``BEGIN CERTIFICATE`` and ``END CERTIFICATE`` lines when pasting the public key, if provided by CyberArk

Below shows an example of a configured CyberArk Conjur credential.

.. image:: ../common/images/credentials-create-cyberark-conjur-credential.png


.. _ug_credentials_hashivault:

HashiCorp Vault Secret Lookup
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. index::
   single: HashiCorp Secret Lookup
   pair: credential; HashiCorp KV

When **HashiCorp Vault Secret Lookup** is selected for **Credential Type**, provide the following metadata to properly configure your lookup:

- **Server URL** (required): provide the URL used for communicating with HashiCorp Vault's secret management system
- **Token**: specify the access token used to authenticate HashiCorp's server
- **CA Certificate**: specify the CA certificate used to verify HashiCorp's server
- **Approle Role_ID**: specify the ID for Approle authentication
- **Approle Secret_ID**: specify the corresponding secret ID for Approle authentication
- **Path to Approle Auth**: specify a path if other than the default path of ``/approle``
- **API Version** (required): select v1 for static lookups and v2 for versioned lookups

For more detail about Approle and its fields, refer to the `Vault documentation for Approle Auth Method <https://www.vaultproject.io/docs/auth/approle>`_.  Below shows an example of a configured HashiCorp Vault Secret Lookup credential.

.. image:: ../common/images/credentials-create-hashicorp-kv-credential.png 


.. _ug_credentials_hashivaultssh:

HashiCorp Vault Signed SSH
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. index::
   single: HashiCorp SSH Secrets Engine
   pair: credential; HashiCorp SSH Secrets Engine

When **HashiCorp Vault Signed SSH** is selected for **Credential Type**, provide the following metadata to properly configure your lookup:

- **Server URL** (required): provide the URL used for communicating with HashiCorp Signed SSH's secret management system
- **Token**: specify the access token used to authenticate HashiCorp's server
- **CA Certificate**: specify the CA certificate used to verify HashiCorp's server
- **Approle Role_ID**: specify the ID for Approle authentication
- **Approle Secret_ID**: specify the corresponding secret ID for Approle authentication
- **Path to Approle Auth**: specify a path if other than the default path of ``/approle``

For more detail about Approle and its fields, refer to the `Vault documentation for Approle Auth Method <https://www.vaultproject.io/docs/auth/approle>`_. 

Below shows an example of a configured HashiCorp SSH Secrets Engine credential.

.. image:: ../common/images/credentials-create-hashicorp-ssh-credential.png 


.. _ug_credentials_azurekeyvault:

Microsoft Azure Key Vault
^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. index::
   single: MS Azure KMS
   pair: credential; MS Azure KMS
   triple: credential; Azure; KMS

When **Microsoft Azure Key Vault** is selected for **Credential Type**, provide the following metadata to properly configure your lookup:

- **Vault URL (DNS Name)** (required): provide the URL used for communicating with MS Azure's key management system
- **Client ID** (required): provide the identifier as obtained by the Azure Active Directory
- **Client Secret** (required): provide the secret as obtained by the Azure Active Directory
- **Tenant ID** (required): provide the unique identifier that is associated with an Azure Active Directory instance within an Azure subscription
- **Cloud Environment**: select the applicable cloud environment to apply

Below shows an example of a configured Microsoft Azure KMS credential.

.. image:: ../common/images/credentials-create-azure-kms-credential.png


.. _ug_credentials_thycoticvault:

Thycotic DevOps Secrets Vault
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. index::
   single: Thycotic DevOps Secrets Vault
   pair: credential; Thycotic DevOps Secrets Vault

When **Thycotic DevOps Secrets Vault** is selected for **Credential Type**, provide the following metadata to properly configure your lookup:

- **Tenant** (required): provide the URL used for communicating with Thycotic's secret management system
- **Top-level Domain (TLD)** : provide the top-level domain designation (e.g., com, edu, org) associated with the secret vault you want to integrate
- **Client ID** (required): provide the identifier as obtained by the Thycotic secret management system
- **Client Secret** (required): provide the secret as obtained by the Thycotic secret management system

Below shows an example of a configured Thycotic DevOps Secrets Vault credential.

.. image:: ../common/images/credentials-create-thycotic-devops-credential.png



.. _ug_credentials_thycoticserver:

Thycotic Secret Server
^^^^^^^^^^^^^^^^^^^^^^^^
.. index::
   single: Thycotic Secret Server
   pair: credential; Thycotic Secret Server

When **Thycotic Secrets Server** is selected for **Credential Type**, provide the following metadata to properly configure your lookup:

- **Secret Server URL** (required): provide the URL used for communicating with the Thycotic Secrets Server management system
- **Username** (required): specify the authenticated user for this service
- **Password** (required): provide the password associated with the user

Below shows an example of a configured Thycotic Secret Server credential.

.. image:: ../common/images/credentials-create-thycotic-server-credential.png