secrets management

Context

Almost everything in an infrastructure needs to know one or more secrets (passwords, private keys of some kind, access tokens, confidential data, etc.):

A simple use-case: a Wordpress website needs to connect to a database to find its content.
A more complex use-case: a shared secret between the nodes of a cluster to encrypt communications.

When you need to deploy multiple instances of such services:

The question is: how do you manage the secrets, and have at least some basic features like:

Ansible Vault ?

Ansible ships with Ansible Vault.

The Good

It is very useful as:

The Bad

But maintaining one or multiple secrets files can become very tricky as:

And of course, all your secrets are pushed to a repository: they are encrypted, but it's still probably not a good idea.

The Ugly

The classical use-case:

You will end up with a merge conflict because git can't know how to handle the encrypted file.
It's not a big deal: you can decrypt, merge, re-encrypt and push a new merge request. But you'll lose a bit of time, and sometimes you could even lose some secrets (a typo during the merge), and this is bad.

To limit this kind of problem, you can try different strategies for your file structure, but, in my experience, you will always have problems.
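To make the merge problem concrete, here is an added example (it is not code from the original post and not Ansible's own code). It uses a small HMAC-SHA256 counter-mode cipher with a random salt as a stand-in for the real Ansible Vault format, so the file layout, header and cipher are constructed, not the real `$ANSIBLE_VAULT` format; the property it demonstrates is the same, though: every re-encryption produces a completely different ciphertext, so a line-based tool like git has nothing to merge. The `resolve_conflict` function is the "decrypt, merge, re-encrypt" workflow from the text, with a key-based three-way merge that flags a secret changed differently on both sides instead of silently picking one.

```python
import hashlib
import hmac
import os

# Constructed header for this toy format; NOT the real Ansible Vault header.
MAGIC = "$TOY_VAULT;1;HMAC-SHA256-CTR"

# Constructed sample data: a base secrets file and two branches that each
# rotated a different secret (a clean merge in plaintext terms).
PASSWORD = "constructed-vault-password"
BASE = "db_password: hunter2\napi_token: abc123\n"
OURS = "db_password: hunter2\napi_token: rotated-456\n"    # branch A rotated the API token
THEIRS = "db_password: new-db-pw\napi_token: abc123\n"    # branch B rotated the DB password


def _keystream(key, salt, n):
    """Deterministic keystream derived from (key, salt): HMAC over a counter."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, salt + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def encrypt(plaintext, password, salt=None):
    """Encrypt-then-MAC with a fresh random salt; output is header + hex body lines."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, salt, len(data))))
    tag = hmac.new(key, salt + ct, hashlib.sha256).digest()
    blob = (salt + tag + ct).hex()
    return "\n".join([MAGIC, *[blob[i:i + 80] for i in range(0, len(blob), 80)]]) + "\n"


def decrypt(vault_text, password):
    """Verify the MAC, then strip the keystream; raises on a wrong password."""
    header, *body = vault_text.splitlines()
    if header != MAGIC:
        raise ValueError("not a toy vault file")
    raw = bytes.fromhex("".join(body))
    salt, tag, ct = raw[:16], raw[16:48], raw[48:]
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
    if not hmac.compare_digest(tag, hmac.new(key, salt + ct, hashlib.sha256).digest()):
        raise ValueError("wrong password or corrupted file")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, salt, len(ct)))).decode()


def parse_kv(text):
    """Parse flat 'key: value' lines (the usual shape of a vars/secrets file)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        k, _, v = line.partition(":")
        out[k.strip()] = v.strip()
    return out


def dump_kv(d):
    return "".join(f"{k}: {v}\n" for k, v in sorted(d.items()))


def merge_kv(base, ours, theirs):
    """Three-way merge per key. Returns (merged, conflicting_keys)."""
    merged, conflicts = {}, []
    for k in sorted(base.keys() | ours.keys() | theirs.keys()):
        b, o, t = base.get(k), ours.get(k), theirs.get(k)
        if o == t:            # both sides agree (including both deleted)
            val = o
        elif o == b:          # only theirs changed it
            val = t
        elif t == b:          # only ours changed it
            val = o
        else:                 # both changed it differently: real conflict
            conflicts.append(k)
            val = o
        if val is not None:
            merged[k] = val
    return merged, conflicts


def resolve_conflict(base_enc, ours_enc, theirs_enc, password):
    """The workflow from the text: decrypt both sides, merge plaintext, re-encrypt."""
    base, ours, theirs = (parse_kv(decrypt(x, password)) for x in (base_enc, ours_enc, theirs_enc))
    merged, conflicts = merge_kv(base, ours, theirs)
    return encrypt(dump_kv(merged), password), conflicts


def ciphertext_lines_shared(a, b):
    """Body lines two vault files have in common: what git's line merge can work with."""
    la, lb = a.splitlines()[1:], b.splitlines()[1:]
    return sum(1 for x, y in zip(la, lb) if x == y)


if __name__ == "__main__":
    e1, e2 = encrypt(BASE, PASSWORD), encrypt(BASE, PASSWORD)
    print("same plaintext, body lines git could match:", ciphertext_lines_shared(e1, e2))
    merged_enc, conflicts = resolve_conflict(
        encrypt(BASE, PASSWORD), encrypt(OURS, PASSWORD), encrypt(THEIRS, PASSWORD), PASSWORD)
    print("merged:", parse_kv(decrypt(merged_enc, PASSWORD)), "conflicts:", conflicts)
```

Note that the re-encrypted merge result shares no body lines with either branch, which is exactly why the "fix" ends up as a new merge request rather than a resolved conflict in the existing one. Real Ansible Vault uses PBKDF2 plus AES-CTR with an HMAC, so the same random-salt behaviour applies.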

Consul + Vault from HashiCorp!

A solution is to store your secrets in a secrets manager running inside your infrastructure.

The main advantages are:

Vault from HashiCorp handles this and adds:
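What "a secrets manager running inside your infrastructure" changes for a deployment is that the secret is fetched at run time with a token instead of being committed to the repository. The added example below (not code from the original post, and not HashiCorp's client library) shows a deploy-time read of Vault's KV version 2 engine: the real API path is `/v1/secret/data/<path>` with the token in the `X-Vault-Token` header, and the secret sits under `data.data` in the JSON response. So that it runs offline, the block starts a constructed in-process HTTP server that mimics that response shape; the store contents and the token value are invented sample data, and with a real Vault you would pass `VAULT_ADDR` and `VAULT_TOKEN` instead.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample data standing in for a real Vault KV v2 mount named "secret".
FAKE_STORE = {"wordpress/db": {"user": "wp", "password": "constructed-password"}}
FAKE_TOKEN = "s.constructed-token"


class FakeVaultHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for Vault's KV v2 read endpoint (test double, not Vault)."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        prefix = "/v1/secret/data/"
        if self.headers.get("X-Vault-Token") != FAKE_TOKEN:
            return self._send(403, {"errors": ["permission denied"]})
        if not self.path.startswith(prefix):
            return self._send(404, {"errors": []})
        secret = FAKE_STORE.get(self.path[len(prefix):])
        if secret is None:
            return self._send(404, {"errors": []})
        self._send(200, {"data": {"data": secret, "metadata": {"version": 1}}})

    def _send(self, code, body):
        raw = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(raw)))
        self.end_headers()
        self.wfile.write(raw)


def start_fake_vault():
    """Bind the test double on a random localhost port; returns (server, address)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeVaultHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def read_kv2(vault_addr, token, path):
    """Read one KV v2 secret. Returns the key/value dict, None if absent,
    and raises PermissionError when the token is not allowed to read it."""
    req = Request(f"{vault_addr}/v1/secret/data/{path}", headers={"X-Vault-Token": token})
    try:
        with urlopen(req, timeout=5) as resp:
            return json.load(resp)["data"]["data"]
    except HTTPError as exc:
        if exc.code == 403:
            raise PermissionError("vault: permission denied") from exc
        if exc.code == 404:
            return None
        raise


def run_demo():
    """Exercise the three outcomes a deploy script has to handle."""
    srv, addr = start_fake_vault()
    try:
        found = read_kv2(addr, FAKE_TOKEN, "wordpress/db")
        missing = read_kv2(addr, FAKE_TOKEN, "wordpress/nothing-here")
        try:
            read_kv2(addr, "s.wrong-token", "wordpress/db")
            denied = False
        except PermissionError:
            denied = True
    finally:
        srv.shutdown()
    return {"found": found, "missing": missing, "denied": denied}


if __name__ == "__main__":
    print(run_demo())
```

The point for the deployment is the three branches in `run_demo`: a missing secret and a token without the right policy are distinct failures, and a deploy script should stop on both rather than fall back to a value baked into the repository.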

A demo of a working infrastructure: the big infra