Managing Secrets

Unfurl allows you to store secrets separately from the rest for your configuration, either in separate configuration file or in a secrets manager such as HashiCorp Vault. In the project configuration file you specify how those secrets should be managed. You can apply the following strategies:

  • Store the secrets in a local configuration file and distribute that file out-of-band if necessary.

  • Encrypt the secrets file using Ansible Vault so they can be safely checked into its git repository.

  • Store them in a secrets manager such as HashiCorp Vault or Amazon Secrets Manager or your OS’s keyring. You can use any secrets manager that has an Ansible Lookup Plugin available for it.

  • If your git repository is private and the secrets not highly sensitive you can just commit it into the repository in plain text.

You can apply any of these techniques to different secrets and projects can inherit the secrets configuration from unfurl_home.

secrets:

    # Include secrets from a file that will be automatically encrypted when committed to the repository:
    +?include: secrets/secrets.yaml

    # include secrets from a file that will not be committed to the repository:
    +?include: local/secrets.yaml

    # plaintext:
    not_so_secret: admin

    # encrypted inlined:
    the_dev_secret: !vault |
      $ANSIBLE_VAULT;1.2;AES256;dev
      30613233633461343837653833666333643061636561303338373661313838333565653635353162
      3263363434623733343538653462613064333634333464660a663633623939393439316636633863
      61636237636537333938306331383339353265363239643939666639386530626330633337633833
      6664656334373166630a363736393262666465663432613932613036303963343263623137386239
      6330
    # if secret isn't defined above look it up in a HashiCorp Vault instance
    # (assumes VAULT_TOKEN etc. environment variables are set)
    default: "{{ lookup('hashi_vault', 'secret='+key) }}" # "key" will be set to the secret name

Sensitive Values

You can mark configuration data as sensitive in their TOSCA definitions or by using the sensitive expression function. When those values are saved in YAML, if you have Ansible Vault secret associated with your ensemble, their encrypted values will be embedded, if not, they will be saved as “<<<Redacted>>>”. When loading a YAML configuration file, any Vault data will be decrypted and any attribute with a value of “<<<Redacted>>>” will be omitted.

Vault secrets

When creating a new ensemble via a unfurl init or unfurl clone, if a new git repository is created (either because its a new project or because the ensemble uses a separate repository) will add a vault_secrets secret with a generated password to local/unfurl.yaml and secrets/secrets.yaml file added to the repository – see Project files.

You can force this in any new project by passing the``VAULT_PASSWORD`` skeleton variable to unfurl init or unfurl clone. See setting for an example.

Important

Store this master Vault password found in local/unfurl.yaml in a safe place!

Creating secrets

When unfurl commit commits changes to a project, any files in directories named secrets will automatically be encrypted with the project’s vault password and committed into a parallel directory named .secrets. When Unfurl starts it will automatically decrypt those files and restore them to their secrets directory.

To create secrets manually (for example, to use inline as shown in the example above), you can use the unfurl-vault-client script with the ansible-vault command. The unfurl-vault-client script outputs the vault password for the current project so you can encrypt secrets using the ansible-vault utility like this:

ansible-vault encrypt_string --vault-id default@unfurl-vault-client "secret1" "secret2"