Making Use of Vault: Ansible

As we come towards the end of this mini series, we have talked about how to bootstrap a HashiCorp Vault for non-prod use, what primitives Vault uses for secrets management, and how to talk to Vault from Python.

Here we will dig into how you can access Vault content within an Ansible workflow, ensuring you never again have the pain of managing secrets with ansible-vault, or worse, storing them in plain text in a repo somewhere.

[Read more]

Making Use of Vault: Python

It’s remarkably easy to get sucked into hardcoding things that probably should live outside your code.

It is clear to many of us that storing secrets anywhere that isn’t vault (or something like it) is a terrible practice. It is also true that the best laid plans of mice and men gang aft agley.

In other words, the problem is rarely that we don’t want to do secure coding, it’s that we lack the time, talent, or awareness to do this right. Don’t dwell on that too much either - it’s just how the world works.

[Read more]

Hashi Vault Primitives

Some Vault Primitives

Pretty much everywhere you go in vault you will find you need a few building blocks to make anything work.

Env Vars

Regardless of how you choose to talk to vault (CLI/WebAPI/SDK), you will find that the most common way to “encode” the vault settings is in an environment variable. This is a nod towards its “cloud native” upbringing, where config files are the devil or something.

[Read more]

Bootstrapping Hashi Vault

Recently I have spent a reasonable amount of time in HashiCorp Vault. As part of a mini series on how to make better use of it in Network Automation, I started writing this as an “intro” to a post on the subject.

As per usual with me, it ended up being so long that it had to be its own post. So. Here you are.

Some of you might have opinions about HashiCorp and their licence changes. I do not (either professionally or personally) compete with HashiCorp, and so it is my understanding I can use their products in an open-source sense. If you feel differently, feel free to use OpenBao.

[Read more]

My Updated Fiber7-X VyOS 1.5 Config

A while ago I wrote about my VyOS config for Init7’s Fiber7-X product. Since then there have been a number of breaking changes, and a few additions that I would like to cover.

I will copy/paste a lot of the narrative from that post, and avoid a bit of the abstract conversation that went with it, so that this stands on its own.

If you have questions or comments, hit me up.

[Read more]