How to manage secrets with ansible playbooks

To manage secrets securely in Ansible playbooks, you can follow some best practices. Here’s a general approach to handle secrets:

1. Use Ansible Vault: Ansible Vault is a built-in feature that allows you to encrypt sensitive data within your playbooks. It provides a way to store secrets in an encrypted file and decrypt them during playbook execution. To create an encrypted file, use the ansible-vault command-line tool.

   To create a new encrypted file:

   ansible-vault create secrets.yml
   

   To edit an existing encrypted file:

   ansible-vault edit secrets.yml
   

2. Store secrets in separate files: It’s recommended to store secrets in separate files rather than directly within your playbooks. You can create a dedicated file, such as secrets.yml, and encrypt it using Ansible Vault.

   Example secrets.yml file:

   database_password: mysecretpassword
   api_key: myapikey
   

3. Reference secrets in playbooks: In your playbooks, you can reference the secrets by using the ansible-vault command-line options. For example:

   - name: Retrieve secrets
     include_vars: secrets.yml
     vars_files:
       - vaulted_secrets.yml
   

   The vars_files directive includes the encrypted vaulted_secrets.yml file, which will be decrypted automatically during playbook execution.

4. Separate inventory and variables: Avoid storing secrets directly in the inventory file or variable files. Instead, use the include_vars directive to load secrets from the encrypted file as mentioned in the previous step.

   Example playbook:

   - name: Example Playbook
     hosts: all
     become: true
   
     tasks:
       - name: Retrieve secrets
         include_vars: secrets.yml
         vars_files:
           - vaulted_secrets.yml
   
       - name: Use the secrets
         debug:
           msg: "The database password is {{ database_password }}"
   

5. Protect access to secrets: Ensure that access to the encrypted secrets file is restricted to authorized personnel. Share the password or key to decrypt the secrets securely with the team members who need it.

6. Consider external secret management: If you have a more advanced secret management system in place, such as HashiCorp Vault or Azure Key Vault, you can integrate Ansible with those tools using appropriate plugins or modules.

By following these steps, you can manage secrets securely in your Ansible playbooks using Ansible Vault. Remember to always follow security best practices and limit access to sensitive information.