Securely Storing Personal Credentials for Ansible Without Compromising Convenience

Hello @gawainsr,

Let’s recap our discussion a bit:

You’ve expressed a preference for maintaining a balance between security and ease of use, aiming to manage personal credentials within a shared environment without making extensive infrastructure changes, as mentioned in your earlier post:

Given this, it seems you’re inclined to proceed with the ansible-vault method, despite considering alternative options previously suggested to you, is that correct?

On the other hand, you’ve also set specific constraints regarding the use of ansible-vault:

Considering these constraints, the safest and most user-friendly way I can think of is to temporarily store your vault password in volatile memory (environment variable), so it doesn’t stick around after logging out of your session or a reboot. You could set this up to kick in when you log in and wipe it from memory when you log out, maybe using something like a .profile setup and so on (I remember using a similar approach with ansible-navigator, which should also work similarly for the ansible-playbook CLI command). Here’s a link to the ansible-navigator docs that might help (notice that it gives details on how to set up the vault password in an environment variable while preventing it from being stored in the shell history):

https://ansible.readthedocs.io/projects/navigator/faq/#how-can-i-use-a-vault-password-with-ansible-navigator

Honestly, I can’t think of a better way to meet your needs just using ansible-vault right now. If anyone else has different ideas or improvements, I’m all ears! :blush:

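The login/logout flow sketched in the reply above, written out as an added bash example (it is not code from the post or from the ansible-navigator docs). The helper path `~/.ansible/vault-pass.sh`, the variable `ANSIBLE_VAULT_PASSWORD` and the function names are assumptions; `ANSIBLE_VAULT_PASSWORD_FILE` is a real Ansible setting that accepts an executable and reads the password from its stdout.

```bash
#!/usr/bin/env bash
# Added example: keep the vault password only in the login session's
# environment and hand it to Ansible through a tiny "password file" script
# that prints that variable, so the secret is never written to disk or to
# shell history. Names below (directory, script, variable) are assumptions.

# Create the helper script once (idempotent) and print its path.
vault_helper_install() {
  local dir="${1:-$HOME/.ansible}"
  mkdir -p "$dir"
  cat > "$dir/vault-pass.sh" <<'EOF'
#!/bin/sh
# Print the vault password held in the session environment; fail loudly if unset.
[ -n "$ANSIBLE_VAULT_PASSWORD" ] || { echo "ANSIBLE_VAULT_PASSWORD is not set" >&2; exit 1; }
printf '%s\n' "$ANSIBLE_VAULT_PASSWORD"
EOF
  chmod 0700 "$dir/vault-pass.sh"   # owner-only, like a private key file
  printf '%s\n' "$dir/vault-pass.sh"
}

# Run at login (e.g. from ~/.profile): prompt once with echo off, so the
# password lands neither in shell history nor in a file.
vault_session_start() {
  local helper
  helper="$(vault_helper_install "$1")"
  if [ -z "$ANSIBLE_VAULT_PASSWORD" ]; then
    read -r -s -p "Ansible vault password: " ANSIBLE_VAULT_PASSWORD; echo
  fi
  export ANSIBLE_VAULT_PASSWORD
  export ANSIBLE_VAULT_PASSWORD_FILE="$helper"
}

# Run at logout (e.g. from ~/.bash_logout): drop the secret from the environment.
vault_session_end() {
  unset ANSIBLE_VAULT_PASSWORD ANSIBLE_VAULT_PASSWORD_FILE
}
```

Source this file and call `vault_session_start` from `~/.profile` and `vault_session_end` from `~/.bash_logout`; after that, plain `ansible-playbook` runs decrypt vaulted files without prompting. Keep in mind that an environment variable is still readable by the same user (and root) through the process environment, so this protects against on-disk and history leakage, not against a compromised account.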