Hacker News new | ask | show | jobs
by indigodaddy 650 days ago
Is the ansible vault password in the repo too?

Also, anytime I put an ansible vault secret into Bitbucket, I get a yelly email back from BB about “detected secreted in repo!”

So general question, is this within security standards or is it very bad and should be using off-the-repo secret infra like Hashicorp vault etc? Downside there is have to manually update the secrets on Hashi vault side (eg they are not in code/repo) and you still have to have some visibility to the hashi key in any case in your CI/CD/code/ansible in any case right?
2 comments
zelphirkalt 650 days ago
Commiting the passwords for decrypting Ansible vaults would render the encryption useless and you should consider all secrets already in the vault when committing and pushing the vault password compromised. Makes for a couple of fun days, if it happens.
link
indigodaddy 650 days ago
Right that’s why I asked OP.
link
dusanh 649 days ago
> Is the ansible vault password in the repo too?

No no, this is one of those secrets we share among the team and save to KeePass or whatever.

link