Hi. We successfully store secrets in ansible variables files with either ansible-vault or sops. It is a good approach when Ansible itself configures something that requires a secret, such as configuring a database admin password.
But I’d like to ask you about how you store secrets meant to be used by applications. Example: we have a an application in PHP with a config.php file with all credentials needed by the application. Developers have a config.php setup to work with the test environment, while we maintain a different config.php
for production in production machines. Nowadays this config.php
file is stored in ansible repository, encrypted by ansible-vault or sops. We thought about moving the config.php
production file to the application repository, so we could get advantage of the CI/CD pipeline.
It doesn’t smell right, because it would require to encrypt it somehow, and store keys to decrypt it in CI/CD, but I decided to ask you anyway what do you think of that and how you solved it yourselves.
Thanks!
Secrets don’t belong anywhere inside an application code. They’re related to the runtime environnement - 'cause you don’t use the same password for production and integration, right? - and should come from an external configuration source. That might be as simple as environment variables.
Application deployment should never require modification of a file that resides inside the application itself. PHP and other interpreted languages has a tendancy to promote laziness when it comes to proper release management.
And don’t start with “but it makes development complicated”: fix your onboarding and then tooling instead of putting the security of your users and customers at risk.