Another option for Ansible is Ansible Vault (which is not related to Hashicorp Vault) -- you can use it to password protect secrets used for playbooks (you need to supply the password when you run the playbook).
Yes, but Hashicorp Vault has a greater scope in that it addresses the secure introduction problem, provides single usage/read once tokens, tokens with TTLs and limited use, has audit capabilities etc. Although there is some overlap in general secret management between Ansible Vault and Hashicorp Vault, the latter is much broader than just a means of secure storage for config management.
A lot of what Hashicorp Vault does is already provided for (in AWS at least) with KMS, Cloudtrail, Parameter Store, and IAM (which can be used in symphony with Ansible Vault).
I have very little experience with GCP and Azure, but it seems like Hashicorp is reinventing the wheel in AWS with Vault.
> you need to supply the password when you run the playbook
You can also specify vault-password-file in ansible.cfg [1]
It can be a shell script rather than plaintext, so you can use it to call the CLI password manager "pass"[2] for instance. This is handy for automation.
The parent's recommendation was to put a filename into the ansible.cfg, and that file could contain either the password, or a script that is then run which prints the password to stdout. For example, we have the script pull the password from a gpg-encrypted file.
Even if you do put a plaintext password into ansible.cfg, encrypting secrets in the playbook is still worthwhile so you don't commit them to your source code repository or accidentally share the secrets with the world when you publish your playbooks.
We also use Ansible Vaults extensively and they work great.
Oddly enough though, I recently tried AWX (the open sourced Ansible Tower), and it wouldn't decrypt our vaults when trying to get the inventory, even though I gave it vault credentials (there was nowhere to associate it with the inventory run though).
So, we are still using RunDeck for a web UI/scheduling/web triggers/Slack integration of our Ansible runs.
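The two practices described in the comments above (pointing `ansible.cfg` at a script that fetches the vault password from `pass` or a gpg-encrypted file, and making sure vault files are actually encrypted before they reach the repository) as an added, self-contained example. This is not code from any of the posters; the `pass` entry `ansible/vault` and the path `~/.ansible/vault-pass.gpg` are placeholder names, while the `vault_password_file` config key and the `$ANSIBLE_VAULT;` file header are Ansible's own conventions.

```shell
#!/bin/sh
# Added example: wire Ansible Vault to an external password source and check
# that vault files are encrypted before commit. Placeholder names: the pass
# entry "ansible/vault" and the file ~/.ansible/vault-pass.gpg.
set -eu

# Write an ansible.cfg and an executable password script into DIR.
# Ansible executes vault_password_file when it is executable and reads the
# password from its stdout, so no plaintext password lives in the repo.
setup_vault_password_script() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ansible.cfg" <<'EOF'
[defaults]
vault_password_file = ./vault-pass.sh
EOF
    cat > "$dir/vault-pass.sh" <<'EOF'
#!/bin/sh
# Print the vault password to stdout: prefer the "pass" store, fall back to a
# gpg-encrypted file. Both names are placeholders for this example.
set -eu
if command -v pass >/dev/null 2>&1; then
    exec pass show ansible/vault
fi
exec gpg --quiet --batch --decrypt "$HOME/.ansible/vault-pass.gpg"
EOF
    chmod 0700 "$dir/vault-pass.sh"   # executable, readable only by the owner
}

# Return 0 if FILE carries the Ansible Vault envelope header, 1 otherwise.
# Every file written by `ansible-vault encrypt` starts with "$ANSIBLE_VAULT;".
is_encrypted_vault() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# Scan vault*.yml files under DIR (the usual group_vars/host_vars layout) and
# report any that are still plaintext. Returns 1 if one is found, so it can
# gate a pre-commit hook or CI job. Paths with spaces are not handled here.
check_vault_files() {
    dir=$1
    rc=0
    for f in $(find "$dir" -type f -name 'vault*.yml' 2>/dev/null); do
        if is_encrypted_vault "$f"; then
            echo "ok        $f"
        else
            echo "PLAINTEXT $f"
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed files when invoked as: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    setup_vault_password_script "$tmp"
    mkdir -p "$tmp/group_vars/all"
    # constructed: one properly encrypted vault file, one forgotten plaintext one
    printf '$ANSIBLE_VAULT;1.1;AES256\n3961...\n' > "$tmp/group_vars/all/vault.yml"
    printf 'db_password: hunter2\n' > "$tmp/group_vars/all/vault_plain.yml"
    check_vault_files "$tmp" || echo "refusing to commit: plaintext vault file present"
    rm -rf "$tmp"
fi
```

Running `sh this_script.sh demo` prints `ok` for the encrypted file, `PLAINTEXT` for the other and the refusal line; `check_vault_files` is the piece to drop into a pre-commit hook, and `is_encrypted_vault` only inspects the header, so it does not need the vault password itself.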
Developer of AWX here. We're working on this! Unvaulting is available during playbook runs, but we definitely need to make it available during inventory syncs also. The features coming up in Ansible 2.4 will enable us to do this.
Are there any pointers on how to work around this?
I think a large part of our problem is that we are using Ganeti for most of our VMs, rather than something supported natively by AWX like OpenStack/EC2/Azure. I have an inventory script we have been using, but couldn't get it to run in AWX due to AWS credentials not being made available in a way that boto recognized (the inventory is pulled both from Ganeti and EC2).