Project 6: Vault-Backed Secret Delivery

Deliver secrets securely in automation while preventing runtime leakage.

Quick Reference

Attribute                  Value
Difficulty                 Level 2
Time Estimate              8-12 hours
Main Programming Language  YAML + Vault artifacts
Coolness                   Level 2
Business Potential         3. Service & Support
Prerequisites              P02
Key Topics                 Vault, no_log, CI secret handling, rotation

1. Learning Objectives

  1. Encrypt and manage environment-specific secret files.
  2. Consume vaulted values in playbooks safely.
  3. Prevent secret exposure in logs/diffs.
  4. Practice basic rekey/rotation workflow.

2. All Theory Needed (Per-Concept Breakdown)

2.1 Secret Lifecycle in Automation

Fundamentals

Secrets must be protected at rest, in transit, and in use. Ansible Vault covers only the first: it encrypts the file in the repository (AES-256, with a key derived from the vault password) and decrypts the values in memory at run time. Everything that happens to a value after decryption is the playbook's responsibility, not Vault's.

Deep Dive into the concept

Most leaks happen after decryption: debug tasks and verbose (-v) output, CI job logs, shell history (secrets passed with --extra-vars), --diff output for templated files, registered results printed by a later task, and persistent logs written via ANSIBLE_LOG_PATH or callback plugins. A secure design combines Vault with no_log: true on every task that handles a secret (this censors the task result, including its diff), one vault ID per environment so that a leaked dev password cannot decrypt prod, and a single audited path by which the vault password reaches CI (an injected CI secret or a vault password client script, never a file committed to the repo).

Mental model diagram

encrypted repo -> runtime decrypt -> task consume -> masked logs -> rotate/rekey

Where you’ll apply it P06 directly; reused in P07 and capstone.


3. Project Specification

3.1 What You Will Build

A secret workflow with:

  • environment-scoped vaulted vars
  • secure consumption in one DB/user provisioning play
  • log-safe execution evidence

3.2 Functional Requirements

  1. Secrets file is encrypted in repository.
  2. Playbook runs with vault ID and succeeds.
  3. Sensitive values do not appear in stdout, --diff output, or any persisted log file.
  4. Rekey procedure documented and tested.

3.4 Example Output

$ ansible-playbook -i inventory.ini db_secure.yml --vault-id prod@prompt
Vault password (prod):

PLAY [db] **************************************************************

TASK [Create database user] ********************************************
changed: [db1]

The password prompt does not echo input. Because the task sets no_log: true, the output shows only the changed/ok status: module arguments, the returned result and any --diff are censored, and on failure Ansible prints a notice that the output was hidden because no_log was specified.

3.7 Real World Outcome

  • Repository contains encrypted secret file only.
  • Runtime uses vaulted values successfully.
  • Log review shows no plaintext secret exposure.

4. Solution Architecture

vaulted vars + vault-id source -> secure task execution -> masked logs + evidence

5. Implementation Guide

5.3 The Core Question You’re Answering

“How can automation remain fast while keeping secrets out of repos and logs?”

5.4 Concepts You Must Understand First

  1. Vault IDs and scope boundaries.
  2. Runtime output leakage vectors.
  3. Rotation and incident response basics.

5.5 Questions to Guide Your Design

  1. How many vault IDs should exist and why?
  2. Which tasks require hard no_log defaults?
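One way to answer the second question mechanically is a policy check over the playbook's tasks. The script below is an added example, not code from the page or from Ansible: a stdlib-only check that flags any task referencing a vault_* variable, setting a known credential parameter, or debugging a vault value, unless it carries a literal no_log: true. It operates on task dicts as yaml.safe_load would produce them (PyYAML is assumed where it is pointed at real playbooks); the task list, module names and variable names here are constructed for the demo.

```python
# Added example (not from the page or the Ansible project): a policy check that
# flags tasks handling secrets without a literal no_log: true. It runs on task
# dicts as yaml.safe_load would produce them; PyYAML is assumed where this is
# pointed at real playbooks, so the sample tasks below are constructed inline.
import re

VAULT_REF = re.compile(r"\{\{\s*vault_\w+")      # Jinja reference to a vault_* variable

# Module parameters that carry credentials whatever the variable is called
# (illustrative convention, not an exhaustive list).
SENSITIVE_PARAMS = {
    "user": {"password"},
    "community.mysql.mysql_user": {"password", "login_password"},
    "community.postgresql.postgresql_user": {"password", "login_password"},
    "uri": {"url_password", "headers"},          # Authorization headers ride in 'headers'
}

# Task keywords that are not the module call.
TASK_KEYWORDS = {
    "name", "no_log", "diff", "when", "register", "loop", "with_items", "tags",
    "become", "vars", "args", "changed_when", "failed_when", "delegate_to",
    "ignore_errors", "notify", "until", "retries", "delay",
}


def _strings(value):
    """Yield every string nested anywhere in a YAML-derived structure."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from _strings(item)
    elif isinstance(value, list):
        for item in value:
            yield from _strings(item)


def task_module(task):
    """Return (module_name, args) for a task dict; (None, None) if no module key is found."""
    for key, val in task.items():
        if key not in TASK_KEYWORDS:
            return key, val
    return None, None


def secret_reasons(task):
    """Why this task is secret-bearing (empty list if it is not)."""
    reasons = []
    body = {k: v for k, v in task.items() if k != "name"}
    if any(VAULT_REF.search(s) for s in _strings(body)):
        reasons.append("references a vault_* variable")
    module, args = task_module(task)
    if module in SENSITIVE_PARAMS and isinstance(args, dict):
        hit = SENSITIVE_PARAMS[module] & set(args)
        if hit:
            reasons.append(f"{module} sets {sorted(hit)}")
    if module == "debug" and isinstance(args, dict):
        if str(args.get("var", "")).startswith("vault_") or VAULT_REF.search(str(args.get("msg", ""))):
            reasons.append("debug prints a vault_* variable")
    return reasons


def audit_tasks(tasks):
    """Return [(task name, reasons)] for tasks that violate the no_log policy.

    Only a literal no_log: true counts: a templated value such as
    "{{ hide | default(true) }}" is evaluated at run time and cannot be
    verified here, so it is treated as not set. A debug task that prints a
    vault_* variable is always a finding; no_log would only make it useless.
    """
    findings = []
    for index, task in enumerate(tasks):
        reasons = secret_reasons(task)
        if not reasons:
            continue
        name = task.get("name", f"task #{index}")
        if task.get("no_log") is not True or "debug prints a vault_* variable" in reasons:
            findings.append((name, reasons))
    return findings


SAMPLE_TASKS = [  # constructed for the demo
    {"name": "Create database user",
     "community.mysql.mysql_user": {"name": "app", "password": "{{ vault_db_password }}",
                                    "login_password": "{{ vault_db_root_password }}"},
     "no_log": True},
    {"name": "Render app config",               # --diff would print the rendered password
     "template": {"src": "app.env.j2", "dest": "/etc/app/app.env", "mode": "0600"},
     "vars": {"db_password": "{{ vault_db_password }}"}},
    {"name": "Show connection string",          # leaks on every run
     "debug": {"var": "vault_db_password"}},
    {"name": "Install packages",
     "apt": {"name": "mariadb-server", "state": "present"}},
    {"name": "Call API",                        # templated no_log is not provably on
     "uri": {"url": "https://api.example.invalid/v1/ping",
             "headers": {"Authorization": "Bearer {{ api_token }}"}},
     "no_log": "{{ hide_secrets | default(true) }}"},
]

if __name__ == "__main__":
    for name, reasons in audit_tasks(SAMPLE_TASKS):
        print(f"NO_LOG POLICY: {name}: {'; '.join(reasons)}")
```

Run against the sample, it reports the template task (its rendered password would show up under --diff), the debug task, and the uri task whose no_log is templated rather than literal; the mysql_user task passes because it sets no_log: true. Wire a check like this into CI or a pre-commit hook so the answer to "which tasks need no_log" is enforced rather than remembered.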

5.6 Thinking Exercise

Map every point where decrypted data could leak and add one control per point.

5.7 Interview Questions

  1. What does Vault not protect by itself?
  2. How do you run Vault safely in CI?
  3. What is your first action after potential secret leak?

5.8 Hints in Layers

  • Hint 1: Split dev/prod vault IDs; a leaked dev password must not be able to decrypt prod.
  • Hint 2: Set no_log: true on every task that receives a secret, and never debug a vault_* variable.
  • Hint 3: After test runs, search the captured run log (and ANSIBLE_LOG_PATH, if set) for each plaintext value, not just for variable names.
  • Hint 4: Rehearse the rekey workflow (ansible-vault rekey with --new-vault-id) quarterly, and remember that rekeying changes only the vault password: the secret values inside still have to be rotated in the systems that use them.

6. Testing Strategy

  1. Successful decrypt and converge.
  2. Log inspection for leakage.
  3. Rekey run and rerun validation.
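Steps 1 and 2 can be turned into a CI gate. The script below is an added example, not code from the page or from Ansible, and uses only the standard library: it verifies that every secrets file in the repository is a vault blob whose vault-id label (the fourth field of the $ANSIBLE_VAULT header, present in format 1.2) matches its environment directory, and it scans a captured run log for plaintext secret values in the encodings they usually leak in (raw, JSON-escaped, base64). The group_vars/<env>/vault.yml layout, the fake vault bodies, the log lines and the secret values are all constructed for the demo.

```python
# Added example (not from the page or the Ansible project): a CI gate that checks
# the repository and the captured run log, stdlib only. The layout
# (group_vars/<env>/vault.yml), the fake vault bodies, the log lines and the
# secret values are all constructed for the demo.
import base64
import json
import re
import tempfile
from pathlib import Path

# First line of an Ansible Vault file:
#   $ANSIBLE_VAULT;<format>;AES256[;<vault-id label>]
# Format 1.1 carries no label; 1.2 is written when encrypting with --vault-id label@source.
HEADER = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);AES256(?:;([\w.-]+))?$")


def vault_header(text):
    """Return (format_version, label_or_None) for a vault blob, or None if plaintext."""
    first = text.lstrip().splitlines()[0] if text.strip() else ""
    match = HEADER.match(first.rstrip())
    return (match.group(1), match.group(2)) if match else None


def check_vault_files(root, pattern="group_vars/*/vault.yml"):
    """Return [(env, problem)] for every secrets file that is plaintext,
    unlabeled, or encrypted under a vault ID other than its environment."""
    problems = []
    for path in sorted(Path(root).glob(pattern)):
        env = path.parent.name
        header = vault_header(path.read_text())
        if header is None:
            problems.append((env, "plaintext"))
        elif header[1] is None:
            problems.append((env, "unlabeled"))          # cannot prove which ID encrypted it
        elif header[1] != env:
            problems.append((env, f"label-mismatch:{header[1]}"))
    return problems


def leak_variants(secret):
    """Encodings a secret commonly takes in logs: raw, JSON-escaped (registered
    results and callback output), base64 (headers, rendered config)."""
    return {
        secret,
        json.dumps(secret)[1:-1],
        base64.b64encode(secret.encode()).decode(),
    }


def scan_log(log_text, secrets):
    """Return sorted (line_no, secret_name) for each log line containing any
    variant of any plaintext secret value."""
    hits = set()
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for name, value in secrets.items():
            if any(variant in line for variant in leak_variants(value)):
                hits.add((line_no, name))
    return sorted(hits)


FAKE_BODY = "6631333338316336\n"   # real files carry hex salt/HMAC/ciphertext; irrelevant to the header check


def build_sample_repo():
    """Write three constructed secrets files into a temp dir and return its root."""
    root = Path(tempfile.mkdtemp())
    files = {
        "dev": "$ANSIBLE_VAULT;1.2;AES256;dev\n" + FAKE_BODY,       # correct scope
        "prod": "$ANSIBLE_VAULT;1.2;AES256;dev\n" + FAKE_BODY,      # prod data under the dev password
        "staging": "vault_db_password: Tr0ub4dor-correct-horse\n",  # committed in plaintext
    }
    for env, content in files.items():
        target = root / "group_vars" / env
        target.mkdir(parents=True)
        (target / "vault.yml").write_text(content)
    return root


SAMPLE_SECRETS = {"vault_db_password": "Tr0ub4dor-correct-horse",
                  "vault_api_token": 'p@ss"token-9f3a'}

SAMPLE_LOG = '''\
TASK [Create database user] ******************************************
changed: [db1]
TASK [Render app config] *********************************************
--- before: /etc/app/app.env
+++ after: /home/ci/.ansible/tmp/app.env
-DB_PASSWORD=
+DB_PASSWORD=Tr0ub4dor-correct-horse
changed: [db1]
TASK [Register API session] ******************************************
ok: [api1] => {"json": {"token": "p@ss\\"token-9f3a"}, "status": 200}
'''

if __name__ == "__main__":
    for env, problem in check_vault_files(build_sample_repo()):
        print(f"VAULT FILE: group_vars/{env}/vault.yml: {problem}")
    for line_no, name in scan_log(SAMPLE_LOG, SAMPLE_SECRETS):
        print(f"LEAK: line {line_no} contains {name}")
```

On the sample data the repository check reports prod (encrypted under the dev label, so the dev password would decrypt it) and staging (plaintext), and the log scan catches the password in the --diff output and the API token in a registered result where it appears JSON-escaped rather than verbatim. In CI the secrets dict would come from ansible-vault view on the decrypted file, kept in memory and never written to the job log itself.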

7. Common Pitfalls & Debugging

Pitfall                          Symptom                        Solution
single global vault password     broad blast radius             one vault ID per environment
missing no_log                   secrets in logs and diffs      enforce a no_log policy with a lint or review gate
CI misconfigured vault source    decrypt failures               validate vault password injection in an early pipeline step

8. Extensions & Challenges

  • Integrate an external secret manager as the vault password source (an executable passed to --vault-id is run by Ansible and its stdout used as the password).
  • Add policy checks for sensitive task output.
  • Add automated rotation cadence reminders.

9. Real-World Connections

This mirrors secure delivery requirements in regulated environments where audit evidence and key rotation are mandatory.


10. Resources

  • Ansible Vault docs
  • Ansible vault CLI docs
  • Security lifecycle references

11. Self-Assessment Checklist

  • Secrets are encrypted at rest.
  • Runtime outputs are sanitized.
  • Rotation process is documented and tested.

12. Submission / Completion Criteria

  • Minimum: encrypted secrets + successful secure run.
  • Full: no-leak evidence + rekey test.
  • Excellence: environment-segmented vault policy with audit notes.