Far Oeuf: Automated Management of Shared Secrets with Ansible


The chicken-and-egg problem of storing shared secrets securely is particularly acute in corporate environments. Combining Ansible and HashiCorp Vault, I will show how to deploy tiered applications with auto-generated credentials and store the secrets in Vault. This makes automated rotation of application credentials practical, dropping credential TTL to hours rather than weeks, months, or never.

In the second half of the talk I will walk through submitting a PR for the Ansible lookup plugin for HashiCorp Vault, adding LDAP authentication functionality. My motivation was lowering the barrier for DevOps engineers to use secure shared-secret storage. My message is that a few lines of code are often all it takes to scratch your particular itch. The ability to extend Ansible is an important skill for your DevOps team.




Doug Bridgens, DevOps Engineer, Far Oeuf