Is using facts for application secrets secure

[Andrew Swerlick]

I have an ansible workflow with two playbooks. One for provisioning servers with all my application dependencies and one for deploying my actual applications inside of docker containers. Currently the deployment playbook relies on a series of vaulted files to set environment variables for the docker container it's being deployed to. These files include secrets like the db password, AWS keys, session keys, etc. This works fairly well, but means that my build server has to have the vault password for every environment it is deploying to, since I have a separate password for each environment.

I'm considering changing the setup so that these secrets are stored as facts on each server by the provisioning playbook using set-fact. That way the deploy playbook doesn't have to know how to decrypt my vaulted files. However, if I do that does it mean anyone who get's read access to the server can read the facts? Or are facts secured in some way so that this is no less secure than what I'm doing now

[Brian Coca]

Facts are not secure, you can set them up in a way that only someone
with a specific group access can read them, but then any play that
needs them will have to execute as someone with these permissions,
which can lead to people reading it directly or just adding a debug:
var=secret to a play to read it.

If you really need to handle credentials securely and still delegate
actions, you need something like tower http://ansible.com/tower.

--
Brian Coca