# Runbook — Rotating vault secrets
## Rotating a single secret value

1. Decrypt the relevant vault file:

   ```bash
   make decrypt FILE=inventories/production/group_vars/all/vault.yml
   ```

2. Edit the file and update the secret value.

3. Re-encrypt:

   ```bash
   make encrypt FILE=inventories/production/group_vars/all/vault.yml
   ```

4. Commit the updated vault file:

   ```bash
   git add inventories/production/group_vars/all/vault.yml
   git commit -m "Rotate <secret name>"
   ```

5. Deploy to apply the new secret to hosts:

   ```bash
   make check PLAYBOOK=site    # verify what will change
   make deploy PLAYBOOK=site
   ```
## Rotating the vault password

This affects all encrypted files in the repo. Do this only when:

- A person with vault access leaves the project
- The password is suspected to be compromised

Steps:

1. Ensure you have the current vault password in `.vault_pass`.

2. Re-key all vault files (`-print0`/`-0` keeps paths with spaces intact and `-type f` skips directories):

   ```bash
   find . -type f -name "vault.yml" -print0 | xargs -0 ansible-vault rekey \
     --vault-password-file .vault_pass \
     --new-vault-password-file /path/to/new_password_file
   ```

3. Replace `.vault_pass` with the new password file.

4. Distribute the new password to all collaborators via a secure channel.

5. Commit all rekeyed vault files:

   ```bash
   git add -A
   git commit -m "Rekey all vault files"
   ```
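Both procedures above end with a commit, and both have the same failure mode: a `vault.yml` that was decrypted but never re-encrypted (step 3 of the single-secret rotation skipped), or a password file swept up by `git add -A`, lands in history in plaintext. The following pre-commit check is an added example, not part of the runbook or its Makefile. It assumes the repo layout used above (files named `vault.yml` under `inventories/`) and the `.vault_pass` name; the sample tree it builds is constructed for the demo, with a header-only stand-in for ciphertext.

```shell
#!/bin/sh
# Added example: verify that every vault.yml is encrypted and that the vault
# password file is gitignored before committing. Not the project's own tooling.
set -eu

# Print the path of every file named vault.yml below $1 whose first line does
# not carry the Ansible Vault header ("$ANSIBLE_VAULT;<version>;<cipher>").
list_unencrypted_vault_files() {
  find "$1" -type f -name 'vault.yml' -print | while IFS= read -r f; do
    if ! head -n 1 "$f" | grep -q '^\$ANSIBLE_VAULT;'; then
      printf '%s\n' "$f"
    fi
  done
}

# Return 0 when all vault files are encrypted, 1 (listing offenders) otherwise.
check_vault_files_encrypted() {
  bad=$(list_unencrypted_vault_files "$1")
  if [ -n "$bad" ]; then
    printf 'NOT ENCRYPTED, do not commit:\n%s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# Return 0 when $1 (default .vault_pass) is ignored by git in the current repo.
# `git check-ignore -q` exits 0 for an ignored path and 1 for a tracked-able one.
check_password_file_ignored() {
  git check-ignore -q "${1:-.vault_pass}"
}

# Constructed sample tree: one encrypted-looking file (header only, no real
# ciphertext) and one plaintext file left behind by a skipped re-encrypt step.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/inventories/production/group_vars/all" \
           "$d/inventories/staging/group_vars/all"
  printf '$ANSIBLE_VAULT;1.1;AES256\n30363639\n' \
    > "$d/inventories/production/group_vars/all/vault.yml"
  printf 'db_password: example-only\n' \
    > "$d/inventories/staging/group_vars/all/vault.yml"
  printf '%s\n' "$d"
}

# Demo run on the constructed tree (expected: the staging file is flagged).
demo=$(make_demo_tree)
if check_vault_files_encrypted "$demo"; then
  echo "all vault files encrypted; safe to commit"
else
  echo "run 'make encrypt FILE=<path>' on the files above before committing"
fi
rm -rf "$demo"

# Only meaningful inside the real repo; skipped when git or a work tree is absent.
if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
  check_password_file_ignored .vault_pass \
    || echo ".vault_pass is NOT gitignored; 'git add -A' would stage it" >&2
fi
```

Run `check_vault_files_encrypted .` (and `check_password_file_ignored`) from the repo root before step 4 of the single-secret rotation or step 5 of the rekey; wiring it into a git pre-commit hook makes the check automatic.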
## Adding a new collaborator

1. Share the vault password via a secure channel (password manager, etc.)
2. The collaborator creates `.vault_pass` locally (gitignored)
3. They can now decrypt/encrypt vault files normally
## Removing a collaborator's access
Rotate the vault password as described above. There is no per-user access control in Ansible Vault — access is binary (has the password or not).
If per-user access control becomes necessary, evaluate SOPS + age at that point.