The problem with Ansible Vault is that it supports group work poorly and offers no convenient way to manage users, permissions or individual values. We always try to keep our infrastructure 100% IaC (Infrastructure as Code), so splitting passwords across vaults or adding manual steps wasn’t really an option for us.
We’ve grown fond of Team Password Manager (TPM) over time, but it was its integration functionality that made it the perfect fit for our solution. We were able to integrate TPM with Ansible, solving our group work, permission, and password organization issues. This also took password management off the DevOps team’s hands and got rid of the encrypted vault files, which had made merge requests and searching in GitLab painful.
Here are the key changes we made to ensure that our many admins and developers could work securely and conveniently:
- We moved all passwords and sensitive information from Ansible Vault and GitLab Variables to TPM;
- We reworked all application configuration files into Jinja2 templates.
These changes helped us fully separate server configuration from application development. They also made the deployment process fully automated and developer-controlled.
Here are a few examples of how we use the TPM Ansible module in group_vars and deployment playbooks.
Group_vars YAML example
Playbook example
How to pull different values for different environments.
Preparing get request config:
The warmup process:
Getting all values from the cache:
The results come back under variable names which can be used in application configurations and can easily be replaced.
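The warmup-then-cache flow described above, reconstructed as an added, offline Python example rather than the authors’ own module (which this page does not reproduce). It assumes one TPM project per environment, the id/name/username/password fields of a TPM password record, and TPM’s HMAC-signed request headers (X-Public-Key, X-Request-Timestamp, X-Request-Hash); the exact string-to-sign and all sample records are constructed assumptions, and the HTTPS call is replaced by an in-process stand-in that checks the signature the way the server would.

```python
"""Warm a per-environment cache of Team Password Manager (TPM) values once, then
resolve names from memory so templates never trigger extra API calls."""
import hashlib
import hmac
import re
import time

# Constructed sample data: two TPM projects, one per environment (assumption:
# environments map to projects). Field names follow TPM password records;
# every value here is made up for the example.
SAMPLE_TPM = {
    7: [  # project 7: production
        {"id": 101, "name": "db_app", "username": "app", "password": "prod-db-secret"},
        {"id": 102, "name": "smtp_relay", "username": "mailer", "password": "prod-smtp-secret"},
    ],
    8: [  # project 8: staging
        {"id": 201, "name": "db_app", "username": "app", "password": "stg-db-secret"},
        {"id": 202, "name": "smtp_relay", "username": "mailer", "password": "stg-smtp-secret"},
    ],
}


def tpm_request_hash(private_key: str, path: str, timestamp: str, body: str = "") -> str:
    """HMAC-SHA256 over path + timestamp + body with the account's private key,
    the value TPM's API expects in X-Request-Hash. The string-to-sign is an
    assumption; verify it against the API docs of the TPM version you run."""
    msg = (path + timestamp + body).encode()
    return hmac.new(private_key.encode(), msg, hashlib.sha256).hexdigest()


class TpmClient:
    """Minimal read-only client. transport(path, headers) performs the HTTPS
    call; it is injected so the example can run offline."""

    def __init__(self, public_key, private_key, transport, clock=time.time):
        self._public_key, self._private_key = public_key, private_key
        self._transport, self._clock = transport, clock

    def _get(self, path):
        ts = str(int(self._clock()))
        headers = {
            "X-Public-Key": self._public_key,
            "X-Request-Timestamp": ts,
            "X-Request-Hash": tpm_request_hash(self._private_key, path, ts),
        }
        return self._transport(path, headers)

    def list_passwords(self, project_id):  # metadata only, no secrets
        return self._get(f"/api/v4/projects/{project_id}/passwords.json")

    def show_password(self, password_id):  # one full record, secret included
        return self._get(f"/api/v4/passwords/{password_id}.json")


class TpmCache:
    """warmup(env) pulls everything for one environment; get() and as_vars()
    then answer from memory and fail loudly if the cache was never warmed."""

    def __init__(self, client, env_to_project):
        self._client, self._env_to_project, self._cache = client, env_to_project, {}

    def warmup(self, env):
        entries = {}
        for summary in self._client.list_passwords(self._env_to_project[env]):
            full = self._client.show_password(summary["id"])
            entries[full["name"]] = full
        self._cache[env] = entries
        return len(entries)

    def _entries(self, env):
        if env not in self._cache:
            raise LookupError(f"cache for {env!r} not warmed; call warmup() first")
        return self._cache[env]

    def get(self, env, name, field="password"):
        entry = self._entries(env).get(name)
        if entry is None or field not in entry:
            raise KeyError(f"{name}.{field} not in TPM project for {env!r}")
        return entry[field]

    def as_vars(self, env, prefix="tpm"):
        """Flatten to tpm_<name>_<field> keys, the shape a Jinja2 template uses."""
        return {f"{prefix}_{name}_{field}": self.get(env, name, field)
                for name in self._entries(env) for field in ("username", "password")}


def make_fake_transport(private_key, counter):
    """Offline stand-in for HTTPS: verifies the request hash as the TPM server
    would, counts calls, and answers from SAMPLE_TPM."""
    def transport(path, headers):
        counter["calls"] += 1
        expected = tpm_request_hash(private_key, path, headers["X-Request-Timestamp"])
        if not hmac.compare_digest(expected, headers["X-Request-Hash"]):
            raise PermissionError("request hash mismatch")
        m = re.fullmatch(r"/api/v4/projects/(\d+)/passwords\.json", path)
        if m:  # list endpoint strips the secret, as the real API does
            return [{k: v for k, v in r.items() if k != "password"}
                    for r in SAMPLE_TPM[int(m.group(1))]]
        m = re.fullmatch(r"/api/v4/passwords/(\d+)\.json", path)
        if m:
            wanted = int(m.group(1))
            return next(dict(r) for recs in SAMPLE_TPM.values() for r in recs if r["id"] == wanted)
        raise FileNotFoundError(path)
    return transport


def resolve_environment(env):
    """Warm the cache for env and read values back. Returns the flattened
    variables plus the API call count after warmup and after the lookups."""
    counter = {"calls": 0}
    client = TpmClient("pub-key", "priv-key", make_fake_transport("priv-key", counter))
    cache = TpmCache(client, {"production": 7, "staging": 8})
    cache.warmup(env)
    after_warmup = counter["calls"]
    variables = cache.as_vars(env)
    cache.get(env, "db_app")  # served from memory, no further API call
    return variables, after_warmup, counter["calls"]


if __name__ == "__main__":
    for env in ("production", "staging"):
        print(env, resolve_environment(env))
```

The point of the split is visible in the call counter: one list request plus one show request per entry during warmup, then zero requests while templates are rendered, which is what keeps a playbook run from hammering TPM and lets the same template resolve different values per environment simply by warming a different project.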
You’ll have to complete the implementation based on your own specific needs and technical capabilities, but these are the building blocks that were essential for our implementation (you can find it all on GitHub). Now, all of our admin and dev teams across our whole infrastructure enjoy easy and dependable password management.