I am wondering what is the recommended best practice for storing 'ansible_ssh_private_key_file' values as part of an ansible playbook in source control. I had followed this excellent thread Ansible with multiple SSH key pair but the .pem file would be public to any reader of the git repo.
I'm currently thinking of two options:
- use ansible-vault to encrypt the private key details. This allows me to save the private key content securely in git.
- Save the private key details within the Jenkins credential manager. This is a bit more messy since the config is now in two places.
Any advice would be appreciated.
It is not a good practice to put secrets (like private keys, passwords, certs or whatever) in a repository as plain text, so you can use the ansible-vault built-in feature to encrypt sensitive data. After that you can commit them to a git repository.
To manage the vault password, you can use a password manager to keep it safe, but never commit it.
You can check the Ansible team's official recommendations here: https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html
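As an added example (not the answer's own code, and not from the Ansible project), the script below wires the advice together: it encrypts a key file in place with `ansible-vault encrypt --vault-password-file`, keeps the vault password in a separate git-ignored file, and provides a check that refuses to commit any file that still looks like a plaintext private key. The file names (`prod.pem`, `.vault_pass`), the fake key material, and the idea of using `check_no_plaintext_keys` as a pre-commit hook body are assumptions made for this illustration. The encryption step only runs when `ansible-vault` is on PATH; the header and key checks are plain shell and run anywhere.

```shell
#!/usr/bin/env sh
# Added example: keep an SSH private key in git only in ansible-vault form,
# and refuse to commit a plaintext key. Paths and the vault password are
# assumptions for this illustration; the key below is constructed, not real.
set -eu

# First line ansible-vault writes on every encrypted file.
VAULT_HEADER='$ANSIBLE_VAULT;1.1;AES256'

# Exit 0 if the file carries the ansible-vault envelope header.
is_vault_encrypted() {
    [ -f "$1" ] && [ "$(head -n 1 "$1")" = "$VAULT_HEADER" ]
}

# Exit 0 if the file looks like an unencrypted PEM/OpenSSH private key.
is_plaintext_private_key() {
    [ -f "$1" ] && grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Scan a list of files (e.g. `git diff --cached --name-only` in a pre-commit
# hook) and fail if any of them is a plaintext private key. A vaulted file
# never matches, because its body is the hex ciphertext, not PEM text.
check_no_plaintext_keys() {
    rc=0
    for f in "$@"; do
        if is_plaintext_private_key "$f"; then
            echo "refusing to commit plaintext private key: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Encrypt the key in place. The password file must be git-ignored; only the
# encrypted key goes into the repository.
vault_encrypt_key() {
    key="$1"
    pass_file="${2:-.vault_pass}"
    ansible-vault encrypt --vault-password-file "$pass_file" "$key"
}

demo() {
    tmp=$(mktemp -d)
    # Constructed fake key material, not a real credential.
    printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed-not-a-real-key\n-----END OPENSSH PRIVATE KEY-----\n' > "$tmp/prod.pem"
    if check_no_plaintext_keys "$tmp/prod.pem" 2>/dev/null; then
        echo "BUG: plaintext key passed the check"
    else
        echo "plaintext key correctly rejected"
    fi
    if command -v ansible-vault >/dev/null 2>&1; then
        # Example vault password; in practice keep it in a password manager
        # and in a git-ignored file, never in the repository.
        printf 'example-vault-password\n' > "$tmp/.vault_pass"
        vault_encrypt_key "$tmp/prod.pem" "$tmp/.vault_pass" || echo "ansible-vault encrypt failed" >&2
        if is_vault_encrypted "$tmp/prod.pem" && check_no_plaintext_keys "$tmp/prod.pem"; then
            echo "vaulted key is safe to commit"
        fi
    fi
    rm -rf "$tmp"
}

demo
```

One caveat a practitioner will hit: ssh itself cannot read a vault-encrypted key, so pointing `ansible_ssh_private_key_file` straight at the encrypted file will not work. Either run `ansible-vault decrypt` (or `view` into a 0600 temp file) before the play, or keep the key as a vaulted variable and write it out in a `hosts: localhost` pre-play with the `copy` module, which decrypts vault-encrypted `src` files, then point `ansible_ssh_private_key_file` at that temp path. Add `.vault_pass` to `.gitignore` before the first commit.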