Secrets Management
Do’s and Don’ts | Peter Gasper | 16.6.2021
Whoami
Peter Gasper
- security engineer
- practicing DevOps at Deutsche Telekom Pan-Net
- currently „Access & Encryption“ squad lead
Slack: cncfsk - #Peter Gasper
e-mail: peter@gasper.cc
Blog: https://malgregator.com
GitHub: https://github.com/viralpoetry
Agenda
- Problems with secrets
- HashiCorp Vault
- Vault's journey in Pan-Net
- Vault Open Source limitations
- Conclusion
Problems with secrets
If you are maintaining applications, at some point you have to:
- rebuild infrastructure
- change a password
- share credentials
- revoke access
Sensitive data often used during deployment:
- API keys
- SSH credentials
- passwords
Problems with secrets
A secret is anything used for authentication, authorization or encryption:
- Webserver (TLS cert, DB credentials, API keys)
- FreeRADIUS (shared secret with the VPN hardware)
- Database (credentials: user/password)
Common problems:
- sensitive credentials and keys are stored in a code repository (GitLab, GitHub, ...)
- sensitive credentials and keys are stored in plain text
- sensitive credentials and keys are shared in numerous places
Problems with secrets
Traditional approach (small teams):
- PGP
- git-crypt
- ansible-vault
Problems:
- secrets are still committed to a version control repository
- when people leave the organization, their access to the keys/passwords can't be revoked, so all the secrets have to be rotated
- basically, no lifecycle
Problems with secrets
Solution: an infrastructure "password" manager
Basic requirements:
- single source of truth
- provides an API interface
- encryption
- detailed auditing
- ability to revoke access
- multiple authentication methods
- highly available
Existing solutions:
- Keywhiz by Square
- Confidant by Lyft
- Conjur by CyberArk
- Vault by HashiCorp
Vault by HashiCorp
We chose HashiCorp Vault:
- single Go binary
- highly available key/value store
- encryption at rest; the unseal (root) key is split with Shamir's secret sharing scheme
- easy prototyping (vault server -dev)
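An added example (not Vault's code) of the Shamir scheme behind `vault operator init -key-shares=5 -key-threshold=3`: the key is the constant term of a random polynomial over a finite field, each share is one point on that polynomial, and any three points interpolate the key while two reveal nothing about it. Vault itself works byte-wise over GF(2^8); the single large prime field, the 32-byte key and the share counts below are choices made for this example.

```python
"""Shamir secret sharing as Vault applies it to the unseal key: split into n shares,
any t of them rebuild the key, t-1 of them carry no information about it.
Added example, not Vault's code. Arithmetic is over GF(2^521 - 1), which holds any
256-bit key; Vault's own implementation works byte-wise over GF(2^8)."""
import secrets

PRIME = 2**521 - 1  # Mersenne prime M521; every 32-byte key is < PRIME


def split_secret(secret, shares, threshold):
    """Return `shares` points (x, y) on a random polynomial of degree threshold-1
    whose constant term is the secret (cf. -key-shares / -key-threshold)."""
    value = int.from_bytes(secret, "big")
    if not 0 < threshold <= shares or value >= PRIME:
        raise ValueError("need 0 < threshold <= shares and a secret below PRIME")
    # a0 = secret; a1..a(t-1) are uniformly random, so any t-1 points are
    # independent of a0 and tell an attacker nothing about the key
    coeffs = [value] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner: y = a0 + a1*x + ... + a(t-1)*x^(t-1)
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_secret(points, length):
    """Lagrange-interpolate the polynomial at x = 0 from `threshold` distinct points."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME       # product of (0 - xj)
                den = den * (xi - xj) % PRIME   # product of (xi - xj)
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    # below the threshold the result is a random field element that may be wider
    # than the key, so pad to at least `length` bytes instead of failing
    return total.to_bytes(max(length, (total.bit_length() + 7) // 8), "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # stands in for Vault's root (master) key
    shares = split_secret(key, 5, 3)
    assert recover_secret(shares[:3], 32) == key
    assert recover_secret([shares[0], shares[2], shares[4]], 32) == key
    assert recover_secret(shares[:2], 32) != key  # below threshold: garbage, not the key
    print("5 shares, threshold 3: OK")
```

The security property is in the random coefficients: with a degree-2 polynomial, two shares are consistent with every possible key, which is why the first Vault in an auto-unseal chain (see the open-source limitations slide) still has to hand its Shamir shares to separate operators.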
Vault by HashiCorp
Storage backends: Raft (integrated storage), Consul, Etcd, FoundationDB
Secrets engines:
- Static: k/v store for any blob of data (passwords, API tokens, etc.)
- Dynamic: database credentials, SSH access, AWS, Google Cloud, etc.
- Encryption: PKI certificate authority, Transit backend
Auth methods:
- machine oriented (TLS certificates, JWT, Kubernetes, tokens)
- user oriented (user/pass, LDAP, GitHub, Okta, RADIUS, ...)
VAULT IS FOR SECRETS
Vault by HashiCorp
Every successful login through an auth method results in a token.
Every token has access rights based on the policies attached to it.
Secrets are accessed using tokens.
Token:
- has an expiration (TTL)
- can be renewed
Vault by HashiCorp - CLI usage
Vault by HashiCorp - Ansible roles
You define the Vault address, mount point, path and name of a secret, e.g. radius_vpn_secret.
The roles can generate a password if the secret does not exist yet.

- hosts: radius-vpn
  gather_facts: no
  become: yes
  vars:
    vault_mount: "secret"
    vault_path: "my_project"
    vars_stored:
      - { var: "ldap_bind_password", key: "password", password: yes }
      - { var: "radius_vpn_secret", key: "password", password: yes, length: 12 }
  roles:
    - ansible-load-secrets
    - ansible-save-secrets
    - ansible-freeradius
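The "generate the password if the secret does not exist" behaviour of the roles, reworked as an added Python example (not the roles' code) against the KV v2 API shape. MemoryKV and RacingKV are constructed stand-ins so it runs offline; HvacKV shows the same two calls with the hvac library, which is assumed to be installed only when that adapter is used. The caveat a practitioner wants covered: the write uses check-and-set (cas=0), so two deployments creating the same secret concurrently cannot end up with two different passwords; the loser re-reads and adopts the winner's value.

```python
"""Idempotent 'load the secret, generate it if missing' against a KV v2 mount.
Added example, not the ansible-save-secrets role. The generated value is written
with check-and-set (cas=0), so a concurrent run cannot silently overwrite it."""
import secrets
import string


class SecretExists(Exception):
    """Raised when a cas=0 write hits an existing secret."""


class MemoryKV:
    """In-memory stand-in for one KV v2 mount (constructed for the example)."""
    def __init__(self):
        self.store = {}

    def read(self, path):
        return self.store.get(path)          # None when absent

    def write_if_absent(self, path, data):
        if path in self.store:
            raise SecretExists(path)
        self.store[path] = dict(data)


class RacingKV(MemoryKV):
    """MemoryKV whose first read misses: models a second playbook run that wrote
    the secret between our read and our write (constructed for the example)."""
    def __init__(self):
        super().__init__()
        self.first_read = True

    def read(self, path):
        if self.first_read:
            self.first_read = False
            return None
        return super().read(path)


class HvacKV:
    """Same interface on a real mount via hvac (client = hvac.Client(url, token))."""
    def __init__(self, client, mount="secret"):
        self.client, self.mount = client, mount

    def read(self, path):
        import hvac
        try:
            resp = self.client.secrets.kv.v2.read_secret_version(
                path=path, mount_point=self.mount)
        except hvac.exceptions.InvalidPath:   # HTTP 404: no such secret
            return None
        return resp["data"]["data"]

    def write_if_absent(self, path, data):
        import hvac
        try:
            self.client.secrets.kv.v2.create_or_update_secret(
                path=path, secret=data, mount_point=self.mount, cas=0)
        except hvac.exceptions.InvalidRequest as exc:  # HTTP 400: check-and-set mismatch
            raise SecretExists(path) from exc


def generate_password(length):
    """Random alphanumeric password from the CSPRNG (never `random`)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def ensure_secret(kv, path, key, length=32):
    """Return kv[path][key], creating the secret with a random value if it is missing."""
    data = kv.read(path)
    if data is not None and key in data:
        return data[key]
    candidate = generate_password(length)
    try:
        kv.write_if_absent(path, {key: candidate})
    except SecretExists:
        data = kv.read(path) or {}           # lost the race: adopt the winner's value
        if key not in data:
            raise KeyError(f"{path} exists without '{key}'; extend it with cas=<current version>")
        return data[key]
    return candidate


if __name__ == "__main__":
    kv = MemoryKV()
    first = ensure_secret(kv, "my_project/radius_vpn_secret", "password", length=12)
    assert ensure_secret(kv, "my_project/radius_vpn_secret", "password", length=12) == first
    print("radius_vpn_secret:", first)
```

One key per path keeps the example short; adding a second key to an existing secret needs a read of the current version and a write with cas set to that version, for the same reason.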
Vault's journey in Pan-Net
2017: MVP, basic workflow
- Vault v0.6.5, single instance with filesystem backend, deployed with Ansible
- operation: exchange GPG keys, create a policy, issue and deliver tokens
- ansible-load-secrets and ansible-save-secrets roles
Vault's journey in Pan-Net
2018: resiliency, more automation
- whole provisioning and deployment as code
- access policies provisioned from a GitLab repo
- rolling updates and HA setup with Consul
Vault's journey in Pan-Net
2019: self-service
Due to operational hell, we started designing self-service for the most common use case.
You ask for a "safe", then you can issue tokens for that path and its subpaths yourself.
Modus operandi:
- the logged-in person is mapped to an identity (entity)
- a "safe" is a Vault identity group
- the group has policies attached
- identities are added to or removed from groups
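The token model above (a token's rights come from its policies) and the self-service model (person → identity entity → identity group with policies → path rules) can be exercised offline with the following added example. It is not Vault's code: it re-implements Vault's documented ACL matching rules in Python ('+' matches one path segment, a trailing '*' matches any suffix, rules on the same path are merged across policies, the most specific path wins, and 'deny' overrides everything) over policies, groups and entities whose names and paths are invented for the example.

```python
"""Model of how a Vault token gets its rights: entity -> identity groups -> policies
-> path rules. Added example, not Vault's code: it re-implements the documented ACL
matching rules over constructed policies, groups and entities."""
import re


def rule_matches(rule_path, request_path):
    """True if a policy path matches a request path ('+' one segment, trailing '*' glob)."""
    glob = rule_path.endswith("*")
    body = rule_path[:-1] if glob else rule_path
    pattern = "/".join("[^/]+" if seg == "+" else re.escape(seg) for seg in body.split("/"))
    return re.fullmatch(pattern + (".*" if glob else ""), request_path) is not None


def priority(rule_path):
    """Sort key from Vault's priority rules: later first wildcard, no trailing glob,
    fewer '+' segments, longer path, then lexicographic order; the larger key wins."""
    wildcards = [i for i, ch in enumerate(rule_path) if ch in "+*"]
    first_wildcard = wildcards[0] if wildcards else len(rule_path) + 1
    return (first_wildcard, not rule_path.endswith("*"), -rule_path.count("+"),
            len(rule_path), rule_path)


def effective_capabilities(policies, request_path):
    """Capabilities granted on request_path by a list of policies.
    Rules for the same path are merged across policies; then the most specific
    path wins and a 'deny' on it overrides every other capability."""
    merged = {}
    for rules in policies:
        for rule_path, caps in rules.items():
            if rule_matches(rule_path, request_path):
                merged.setdefault(rule_path, set()).update(caps)
    if not merged:
        return set()                      # Vault is deny-by-default
    caps = merged[max(merged, key=priority)]
    return set() if "deny" in caps else caps


# --- constructed data: policy name -> {policy path: capabilities} ---
POLICIES = {
    # the "safe": full rights on the project's own KV v2 subtree
    "safe-my_project": {
        "secret/data/my_project/*": {"create", "read", "update", "delete"},
        "secret/metadata/my_project/*": {"list", "read", "delete"},
    },
    # explicit deny on the production subtree, more specific than the safe rule
    "no-prod": {"secret/data/my_project/prod/*": {"deny"}},
    # read-only across all KV data, e.g. for an audit job
    "kv-reader": {"secret/data/*": {"read"}},
    # one 'shared' secret per project, readable by guests ('+' matches one segment)
    "shared-reader": {"secret/data/+/shared": {"read"}},
}
GROUPS = {                                # identity group -> attached policies
    "safe-my_project": {"safe-my_project", "no-prod"},
    "auditors": {"kv-reader"},
    "guests": {"shared-reader"},
}
ENTITIES = {"alice": {"safe-my_project"}, "bob": {"auditors"}, "mallory": {"guests"}}


def token_policies(entity):
    """Policies a token for this entity carries: the union over its groups."""
    return set().union(*(GROUPS[g] for g in ENTITIES[entity]))


def check(entity, capability, request_path):
    """Would a token issued to `entity` be allowed `capability` on `request_path`?"""
    rules = [POLICIES[name] for name in token_policies(entity)]
    return capability in effective_capabilities(rules, request_path)


if __name__ == "__main__":
    path = "secret/data/my_project/radius_vpn_secret"
    print("alice update:", check("alice", "update", path))                              # True
    print("alice read prod:", check("alice", "read", "secret/data/my_project/prod/db"))  # False
    print("bob read:", check("bob", "read", path), "update:", check("bob", "update", path))
    print("mallory shared:", check("mallory", "read", "secret/data/my_project/shared"))
```

Revoking a person's access is then a group membership change, not a secret rotation, which is the lifecycle the PGP/git-crypt approach was missing.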
Vault's journey in Pan-Net
2021: way more clusters
- migrating to Raft integrated storage
- GitLab integration using JWT auth in the pipeline
- multiple new clusters deployed using Helm charts
Vault Open Source limitations
Limitations of the open-source version when doing advanced topics:
- georedundancy (cross-cluster replication is Enterprise-only)
- Shamir unsealing is still needed for the first Vault
- no PKCS #11 support for unsealing nor for PKI
- audit backend settings are not propagated in HA
Conclusion
If I were to start again:
- secrets management reflects the organizational structure, so start with the authn/authz lifecycle
- use dynamic secrets engines for new infra
- use policy templates and identity groups, automate role provisioning
- write less Ansible for the setup phase, use libraries like Python hvac instead
THANKS FOR LISTENING.
Pictures used
https://learn.hashicorp.com/img/vault-auth-basic-2.png
https://learn.hashicorp.com/img/vault-autounseal-12.png
https://easydrawingguides.com/wp-content/uploads/2020/12/Spilt-Milk-Step-10.png


Secrets management vault cncf meetup
