Storing ansible credentials


#1

Right now the ansible credentials used in production are stored on a single machine shared by all admins. With the introduction of the separation of privileges which allows us to include hosts in the infrastructure even if only some of the administrators have access, such a centralized storage won’t be practical.

I’m not sure which strategy is simpler. After discussing with @pilou I realize using vault would be possible. But it seems overkill because we have a small setup.

@fpoulain do you have a suggestion by any chance?


#2

Why not the ansible vault?


#3

> I realize using vault would be possible. But it seems overkill because we have a small setup.

> Why not the ansible vault?

An alternative to a vault service (for example HashiCorp Vault, Conjur, custodia) is indeed Ansible Vault. If stored in the Git repository, the vault password must be encrypted using several GPG keys.
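
One way to do what post #3 describes, keeping the Ansible Vault password in the Git repository encrypted to several GPG keys, as an added example that is not part of the original thread or the project's own setup. The file names `admins.txt` and `vault_pass.gpg`, the script name `vault-pass.sh` and the restriction to 40-hex-digit fingerprints are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. admins.txt and vault_pass.gpg are assumed names.
RECIPIENTS_FILE="${RECIPIENTS_FILE:-admins.txt}"    # one GPG fingerprint per line
ENCRYPTED_FILE="${ENCRYPTED_FILE:-vault_pass.gpg}"  # ciphertext only, safe to commit

# Print the fingerprints in file $1: drop '#' comments, whitespace and blank lines.
list_recipients() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"
}

# Fail unless $1 lists at least one entry and every entry is a full 40-hex-digit
# fingerprint; short key IDs are ambiguous and could select the wrong key.
check_recipients() {
    [ -n "$(list_recipients "$1")" ] || { echo "no recipients in $1" >&2; return 1; }
    if list_recipients "$1" | grep -Evq '^[0-9A-Fa-f]{40}$'; then
        echo "entry in $1 is not a full fingerprint" >&2
        return 1
    fi
}

# Read the vault password on stdin and encrypt it to every listed admin key.
# Re-run after editing admins.txt, and rotate the vault password when an admin
# leaves: old commits still hold a copy that their key can decrypt.
encrypt_vault_pass() {
    check_recipients "$RECIPIENTS_FILE" || return 1
    set --
    for fpr in $(list_recipients "$RECIPIENTS_FILE"); do
        set -- "$@" --recipient "$fpr"
    done
    gpg --batch --yes --encrypt "$@" --output "$ENCRYPTED_FILE"
}

# Print the vault password on stdout; any one admin's private key is enough.
decrypt_vault_pass() {
    gpg --quiet --batch --decrypt "$ENCRYPTED_FILE"
}

# Ansible runs an executable --vault-password-file without arguments and reads
# the password from its stdout, so the name vault-pass.sh alone means "decrypt".
case "${1:-${0##*/}}" in
    encrypt) encrypt_vault_pass ;;
    decrypt|vault-pass.sh) decrypt_vault_pass ;;
esac
```

Saved as an executable `vault-pass.sh`, it is run once as `./vault-pass.sh encrypt` with the password on stdin, and afterwards passed to Ansible with `--vault-password-file ./vault-pass.sh`. The admins' public keys must already be imported and trusted in the local GnuPG keyring for the encryption step to succeed.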


#4

I would also have a look at ansible vault.


#5

Ok, ansible vault it is then :closed_lock_with_key:


#6

The private repository containing ansible vault protected files is set and the ansible.enough.community host was updated to use it. The documentation is also updated.