Had a need to manage secrets and access them in a number of different applications (edge, portal, backend) and contexts (development, deployment).
One solution:
- put your secrets in a repo named `secrets` and encrypt with Ansible Vault
- add the `secrets` repo as a submodule to all the repos that need access to credentials.
This keeps unencrypted credentials out of your Git repos and allows you to have one place and one mechanism to store and retrieve secrets. Submodules work well as they can easily extend an existing Git repo.
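
One way to enforce the "no unencrypted credentials" property inside the `secrets` repo, as an added example that is not from the original post: the script lists every file that lacks the Ansible Vault header. The function names, the plaintext allowlist (`README.md`, `.gitignore`) and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag files in a checkout of the
# "secrets" repo that are not Ansible Vault encrypted. Vault-encrypted files
# begin with a header line such as "$ANSIBLE_VAULT;1.1;AES256".

# find_plaintext DIR: print every unencrypted file, return 1 if any exist.
find_plaintext() {
    found=$(
        # Skip Git metadata: the .git directory, or the .git file that a
        # submodule checkout contains.
        # Assumption: README.md and .gitignore may stay in plaintext.
        find "$1" -name .git -prune -o -type f \
            ! -name README.md ! -name .gitignore -print |
        while IFS= read -r f; do
            first=
            # Only the first line matters; read fails on empty files.
            IFS= read -r first < "$f" || :
            case $first in
                '$ANSIBLE_VAULT;'*) ;;          # encrypted, fine
                *) printf '%s\n' "$f" ;;        # plaintext, report it
            esac
        done
    )
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed sample: one encrypted-looking file and one plaintext file.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/prod"
    printf '$ANSIBLE_VAULT;1.1;AES256\n3961...\n' > "$d/prod/db.yml"
    printf 'api_key: example-not-real\n' > "$d/prod/api.yml"
    find_plaintext "$d"; rc=$?
    rm -rf "$d"
    return "$rc"
}

# As a script: check the directory given as $1 (e.g. from a pre-commit hook).
[ $# -eq 0 ] || find_plaintext "$1"
```

The header test only shows that a file is in Vault format; it does not prove the file decrypts with the expected vault password.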