Using secrets
When your deploy repository is on GitHub or any other third-party storage, you should properly encrypt your secrets. Fora doesn't provide any proprietary methods to do this, as there are plenty of libraries that solve this problem already.
As host and group modules are regular Python modules, loading secrets with an external library is quite easy. While there are different ways to achieve the same things, I recommend decrypting the secret storage in your inventory. This is beneficial because groups might be executed multiple times (once for each host that uses it), and this way you only have to decrypt once.
Generally, you can provide a global dictionary containing the secret values when the inventory is loaded. This allows those secrets to be accessed anywhere in your deploy.
age or gpg
A great option is to store secrets in an encrypted toml file. While age doesn't support Yubikeys out-of-the-box, using gpg may also be a good option. Using cryptography's fernet protocol might also be a viable option.
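A sketch of the decrypt-once pattern described above, as an added example rather than code from the Fora project: it shells out to age (or gpg) and parses the plaintext TOML in memory, so the decrypted secrets never touch disk. The helper name `load_secrets`, the file names `secrets.toml.age` and `key.txt`, and the key `db_password` are assumptions made for illustration.

```python
import subprocess
from functools import lru_cache

try:
    import tomllib  # standard library since Python 3.11
except ModuleNotFoundError:
    import tomli as tomllib  # same API on older interpreters

# Decrypt commands; the encrypted file path is appended as the last argument.
# "key.txt" is a placeholder for your age identity file.
AGE_CMD = ("age", "--decrypt", "--identity", "key.txt")
GPG_CMD = ("gpg", "--quiet", "--decrypt")


@lru_cache(maxsize=None)
def load_secrets(path: str, decrypt_cmd: tuple = AGE_CMD) -> dict:
    """Decrypt `path` once per process and return the parsed TOML.

    The result is cached, so repeated calls (for example from a group
    module that runs once per host) return the same dictionary without
    invoking the decryption tool again.
    """
    proc = subprocess.run([*decrypt_cmd, path], capture_output=True, check=False)
    if proc.returncode != 0:
        # Report only stderr: stdout could contain partial plaintext.
        detail = proc.stderr.decode(errors="replace").strip()
        raise RuntimeError(f"decrypting {path} failed: {detail}")
    return tomllib.loads(proc.stdout.decode("utf-8"))


# In the inventory module (hypothetical names):
#     secrets = load_secrets("secrets.toml.age")
# and anywhere else in the deploy:
#     password = secrets["db_password"]
```

Pass `GPG_CMD` as the second argument to decrypt a gpg-encrypted file instead.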