You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Current »

Openstack API clients commonly use a set of environment variables such as OS_AUTH_TYPE, OS_AUTH_URL, etc.

The set of needed variables can be downloaded from the dashboard as an Openstack RC File (v2.0 or v3). This is basically a shell script that you need to source in the current session:

app-cred-test-openrc.sh
#!/usr/bin/env bash
  
export OS_AUTH_TYPE=v3applicationcredential
export OS_AUTH_URL=https://keystone.cloud.garr.it:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_REGION_NAME="garr-ct1"
export OS_INTERFACE=public
export OS_APPLICATION_CREDENTIAL_ID=33ff72a9162341dbb81fd480ddcc23d7
export OS_APPLICATION_CREDENTIAL_SECRET=HACKME


With the environment vars available, tools like OpenStackClient work, and the Openstack Ansible modules.

The problem is how to store these sensitive credentials.

Ansible provides ansible-vault to encrypt information. How can we use this? Ideally we'd only store them once.

An example Ansible playbook might look like this:


---
- hosts: localhost
  vars_files: vault.yml
  environment: "{{ openrc_vars }}"


  tasks:
    - os_keypair:
        state: present
        name: my_key
        public_key_file: .ssh/id_rsa.pub

with the encrypted vault.yml file:

---
openrc_vars:
  OS_AUTH_TYPE: v3applicationcredential
  OS_AUTH_URL: https://keystone.cloud.garrservices.it:5000/v3
  OS_IDENTITY_API_VERSION: 3
  OS_REGION_NAME: garr-pa1
  OS_INTERFACE: public
  OS_APPLICATION_CREDENTIAL_ID: 33ff72a9162341dbb81fd480ddcc23d7
  OS_APPLICATION_CREDENTIAL_SECRET: HACKME




These encrypted variables can conveniently be reused for command line usage, by defining an alias in your BASH configuration file (.bashrc or .bash_profile). It requires the jq binary:


# Alias to populate Openstack environment variables from ansible vault encrypted file
alias openstack-auth-garr='$(ANSIBLE_LOAD_CALLBACK_PLUGINS=TRUE ANSIBLE_STDOUT_CALLBACK=json ansible all -m debug -i localhost, --extra-vars "@vault.yml" -a "msg=\"{% for k,v in openrc_vars.items() %}export {{ k }}={{ v }}\n{% endfor %}\"" | jq -r '\''.["plays"][0]["tasks"][0]["hosts"]["localhost"]["msg"]'\'')'





  • No labels