Is using facts for application secrets secure

I have an ansible workflow with two playbooks. One for provisioning servers with all my application dependencies and one for deploying my actual applications inside of docker containers. Currently the deployment playbook relies on a series of vaulted files to set environment variables for the docker container it’s being deployed to. These files include secrets like the db password, AWS keys, session keys, etc. This works fairly well, but means that my build server has to have the vault password for every environment it is deploying to, since I have a separate password for each environment.

I’m considering changing the setup so that these secrets are stored as facts on each server by the provisioning playbook using set_fact. That way the deploy playbook doesn’t have to know how to decrypt my vaulted files. However, if I do that, does it mean anyone who gets read access to the server can read the facts? Or are facts secured in some way so that this is no less secure than what I’m doing now?

Facts are not secure. You can set them up in a way that only someone with a specific group access can read them, but then any play that needs them will have to execute as someone with these permissions, which can lead to people reading it directly or just adding a `debug: var=secret` to a play to read it.

If you really need to handle credentials securely and still delegate actions, you need something like Tower: http://ansible.com/tower.
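The following playbook is an added illustration of the point made in the answer above; it is not code from the original thread or from Ansible itself. It assumes an inventory group `app`, a POSIX group and account named `deploy` on the target hosts, and a vaulted variable `db_password` available to the provisioning play. It shows the two ways a "fact on the server" can actually exist: a local fact file under `/etc/ansible/facts.d`, which is plaintext JSON on disk, and a `set_fact` marked `cacheable`, which is plaintext JSON on the controller whenever fact caching is enabled. In both cases, file permissions only restrict who can run the play, not what the play can do once it has the value.

```yaml
# Added example, not from the original thread.
# Assumptions: inventory group "app", POSIX group/account "deploy" on the hosts,
# and a vaulted variable db_password supplied to the first play.

# Play 1 (provisioning): persist the secret on the host as a local fact.
# A plain set_fact does not survive the run, so "storing facts on the server"
# means writing /etc/ansible/facts.d/<name>.fact, which is unencrypted JSON.
- hosts: app
  become: yes
  tasks:
    - name: Create the local facts directory, restricted to root and group deploy
      file:
        path: /etc/ansible/facts.d
        state: directory
        owner: root
        group: deploy
        mode: '0750'

    - name: Write the secret as a local fact (plaintext on disk, group-readable)
      copy:
        dest: /etc/ansible/facts.d/app.fact
        owner: root
        group: deploy
        mode: '0640'
        content: "{{ {'db_password': db_password} | to_json }}"

# Play 2 (any later play connecting as the deploy account): the mode 0640 does
# not protect the value, because fact gathering reads the file and exposes it as
# an ordinary variable that every task in the play can use or print.
- hosts: app
  remote_user: deploy
  gather_facts: yes
  tasks:
    - name: One debug task is enough to read the "protected" secret
      debug:
        var: ansible_local.app.db_password

# Play 3 (the set_fact variant from the question): with cacheable set, and
# fact_caching = jsonfile plus a fact_caching_connection directory configured in
# ansible.cfg, this value is written unencrypted to that directory on the
# controller; without fact caching it exists only for the duration of the run.
- hosts: app
  tasks:
    - name: Cache the secret as a fact (lands in the fact cache in clear text)
      set_fact:
        db_password: "{{ db_password }}"
        cacheable: yes
```

A quick check after running play 3 with the jsonfile cache enabled is to grep the configured `fact_caching_connection` directory for the secret's value; it will be there in clear text for anyone who can read the controller's filesystem. The same applies on the host to `/etc/ansible/facts.d/app.fact` for anyone in group `deploy`, and to anyone who can submit a play that runs as that account.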