As we come towards the end of this mini series, we talked about how to bootstrap a hashicorp vault for non-prod use, what primitives vault uses for secrets management, and how to talk to vault from python. Here we will dig into how you can access vault content within an Ansible workflow, ensuring you never more have the pain of managing secrets with ansible-vault, or worse, storing them plain text in a repo somewhere.

It’s remarkably easy to get sucked into hardcoding things that probably should live outside your code. It is clear to many of us that storing secrets anywhere that isn’t vault (or something like it), is a terrible practice. It is also true that the best laid plans of mice and men aft gan aglais. In other words, the problem is rarely that we don’t want to do secure coding, its that we lack the time, talent, or awareness to do this right.

Some Vault Primitives Pretty much everywhere you go in vault you will find you need a few building blocks to make anything work. Env Vars Regardless of how you choose to talk to vault (CLI/WebAPI/SDK), you will find that the most common way to “encode” the vault settings is in an Environment variable. This is a nod towards its “cloud native” upbringing, where config files are the devil or something.

Recently I have spent a reasonable amount of time in Hashicorp vault. As part of a mini series on how to make better use of it in Network Automation, I started writing this as a “intro” to a post on the subject. As per usual with me, it ended up being so long that it had to be its own post. So. Here you are. Some of you might have opinions about Hashicorp and their licence changes.