You all do know that AWS SSM Parameter Store exists, right? It’s literally a KV store explicitly for this purpose. Parameters are scoped by path, versioned, and have optional encryption at rest.
Too hard? Maybe try Chamber (https://github.com/segmentio/chamber). It has support for multiple backends and can render secrets in lots of different formats.