Hello @gawainsr,
Let’s recap our discussion a bit:
You’ve expressed a preference for maintaining a balance between security and ease of use, aiming to manage personal credentials within a shared environment without making extensive infrastructure changes, as mentioned in your earlier post:
Given this, it seems you’re inclined to proceed with the ansible-vault method, despite considering alternative options previously suggested to you, is that correct?
On the other hand, you’ve also set specific constraints regarding the use of ansible-vault:
Considering these constraints, the safest and most user-friendly way I can think of is to temporarily store your vault password in volatile memory (environment variable), so it doesn’t stick around after logging out of your session or a reboot. You could set this up to kick in when you log in and wipe it from memory when you log out, maybe using something like a .profile setup and so on (I remember using a similar approach with ansible-navigator, which should also work similarly for the ansible-playbook CLI command). Here’s a link to the ansible-navigator docs that might help (notice that it gives details on how to set up the vault password in an environment variable while preventing it from being stored in the shell history):
Honestly, I can’t think of a better way to meet your needs just using ansible-vault right now. If anyone else has different ideas or improvements, I’m all ears!
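
The approach described in the post above, sketched as an added example that is not part of the original post or of the Ansible docs: the password is read from a prompt into an environment variable, and an executable vault password file prints it for Ansible. `VAULT_PW`, `VAULT_CLIENT` and the `vault_*` function names are assumptions; `ANSIBLE_VAULT_PASSWORD_FILE` is Ansible's own setting.

```shell
# Added example; VAULT_PW, VAULT_CLIENT and the vault_* functions are hypothetical names.
VAULT_CLIENT="${VAULT_CLIENT:-$HOME/.vault-pass-client.sh}"

# Write the helper that Ansible will execute. It contains no secret itself.
vault_install_client() {
    (
        umask 077   # subshell, so the session umask is left alone
        cat > "$VAULT_CLIENT" <<'EOF'
#!/bin/sh
# Ansible runs an executable vault password file and reads the password from stdout.
[ -n "${VAULT_PW:-}" ] || { echo "vault is locked: run vault_unlock" >&2; exit 1; }
printf '%s\n' "$VAULT_PW"
EOF
        chmod 700 "$VAULT_CLIENT"
    )
}

# Read the password from stdin, so it never appears on a command line or in shell history.
vault_unlock() {
    if [ -t 0 ]; then
        printf 'Vault password: ' >&2
        stty -echo              # no echo while typing
        IFS= read -r VAULT_PW
        stty echo
        printf '\n' >&2
    else
        IFS= read -r VAULT_PW   # non-interactive input, e.g. piped from another tool
    fi
    export VAULT_PW
    export ANSIBLE_VAULT_PASSWORD_FILE="$VAULT_CLIENT"
}

# Drop the secret from the current shell; the helper then refuses to answer.
vault_lock() {
    unset VAULT_PW ANSIBLE_VAULT_PASSWORD_FILE
}
```

Source this from `~/.profile`, run `vault_install_client` once and `vault_unlock` at login, and call `vault_lock` from a logout file such as `~/.bash_logout`. The variable is inherited by every child process of that shell and is readable by root and by processes running under the same UID through `/proc/<pid>/environ`.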