Hi all, I have a few questions about the usage of vault within Ansible Tower.
Premise:
When installing a Windows service via Ansible, I need to use specific credentials for running the actual service. For obvious reasons I do not want the plain-text credentials within my source code.
So within the credentials section of Tower, there are several types of credentials, but there isn’t a generic value type to reference within playbooks. Nor does there appear to be an option for encrypting entire yml files. From my basic understanding, it appears that Tower stores these credentials within its own database instead of using encrypted yml files.
Is there a ‘best practice’ solution to get around this problem? I don’t really have a problem with these passwords being plain-text on the Ansible box itself.
Here is the best solution I can think of as of now:
- Create a vars file on the Ansible machine and encrypt it using ansible vault
- Copy the file to my dev machine and upload it to source
- Reference the encrypted yml file from within other playbooks
- Somehow pass the vault password from Tower to Ansible…?
- …?..
Hopefully someone can nudge me in the right direction. Thanks!
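
The steps listed in the post, sketched as a playbook. This is an added example, not part of the original post; the file names, service name, path, host group and variable names are constructed, and it assumes the `ansible.windows` collection is installed.

```yaml
# vars/service_credentials.yml before encryption (constructed values):
#   svc_username: 'EXAMPLE\svc_example'
#   svc_password: 'replace-me'
#
# Encrypt it once on the Ansible machine, then commit only the encrypted file:
#   ansible-vault encrypt vars/service_credentials.yml
#
# Supplying the vault password at run time:
#   command line: ansible-playbook install_service.yml --ask-vault-pass
#   Tower:        attach a credential of type "Vault" (it holds the vault
#                 password) to the job template that runs this playbook

- name: Install a Windows service that runs under dedicated credentials
  hosts: windows                       # constructed inventory group
  gather_facts: false
  vars_files:
    - vars/service_credentials.yml     # decrypted in memory at run time
  tasks:
    - name: Create the service with its run-as account
      ansible.windows.win_service:
        name: ExampleService           # constructed service name
        path: C:\Services\example\example.exe
        start_mode: auto
        state: started
        username: "{{ svc_username }}"
        password: "{{ svc_password }}"
      no_log: true                     # keep the password out of job output
```

Without `no_log: true`, the decrypted password can show up in the task's logged arguments, which Tower keeps in the job history.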