We’ve recently come across the requirement to secure credentials referenced in Ansible playbooks.
In Ansible Tower, we secure the API key (and subsequent credentials) with the CyberArk Conjur Secret Lookup type.
Now, credentials that are only referenced in the playbooks (not in Ansible Tower) exist just in the playbooks. We can authenticate and fetch the password with APIs; however, that requires the API key.
Does anyone have any advice/thoughts on how to secure those API keys? We obviously don’t want them in clear text, and we’d like to make sure they are only accessible to the correct teams.