I haven't, but as far as I know no part of our DevOps stack can access vault secrets without insecure environment variables, which is the core problem.
Comments
Not sure what you're working with, but most CI platforms are able to issue short lived JWTs to jobs that securely attest what the job is so you can federate access with OIDC. Might be worth looking into if you haven't already. Or it might not be possible as you said without platform support.
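To make the federation suggestion above concrete, here is an added example (not code from this thread, from Vault, or from any CI provider) of the relying-party side: the secret store verifies a job's short-lived JWT and maps it to a policy only when the audience and every bound claim match a named role, which is the pattern Vault's JWT/OIDC auth method implements with `bound_audiences` and `bound_claims`. The issuer URL, audience, role names, claim names, sample claims and HMAC signing are all constructed assumptions so the block runs offline; real issuers sign with asymmetric keys published through a JWKS endpoint, and the verifier would fetch those keys rather than hold a shared secret.

```python
import base64
import fnmatch
import hashlib
import hmac
import json

# Constructed shared secret standing in for the issuer's signing key. Real OIDC
# issuers sign with asymmetric keys (RS256/ES256) published via jwks_uri; HMAC is
# used here only so the example is self-contained.
ISSUER_KEY = b"constructed-demo-key-do-not-use"
ISSUER = "https://ci.homelab.example/oidc"   # hypothetical issuer URL
MAX_TTL_SECONDS = 600                         # reject anything that is not short-lived


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, alg: str = "HS256") -> str:
    """Issuer side: sign a compact JWS. 'alg' is a parameter only so a caller can
    build an unsigned token to show it being rejected; a real issuer never lets
    the requester choose it."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


# Hypothetical roles, modelled on the bound_audiences / bound_claims fields of a
# Vault JWT auth role: a token unlocks a policy only when every bound claim matches.
ROLES = {
    "packer-builder": {
        "bound_audiences": ["vault.homelab.internal"],
        "bound_claims": {"sub": "pipeline:lab/infra:job:packer-build", "ref": "refs/heads/main"},
        "policies": ["packer-template-read"],
    },
    "terraform-apply": {
        "bound_audiences": ["vault.homelab.internal"],
        "bound_claims": {"sub": "pipeline:lab/infra:job:terraform-*", "ref": "refs/heads/main"},
        "policies": ["terraform-provision"],
    },
}


def verify_and_map(token: str, role_name: str, now: int) -> list:
    """Relying-party side: verify the token, then check it against the requested
    role. Returns the role's policies or raises ValueError. Each check closes a
    real hole: alg confusion, forged signature, replay after expiry, a token
    minted for another service (audience), and a job using a token issued to a
    different job or branch (bound claims)."""
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
    except ValueError as e:  # covers bad base64, bad JSON, wrong segment count
        raise ValueError("malformed token") from e

    # 1. Pin the algorithm; never let the header's 'alg' select verification.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(ISSUER_KEY, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")

    # 2. Issuer and lifetime: federation is only as strong as the issuer you pin.
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        raise ValueError("missing iat/exp")
    if not (iat <= now < exp):
        raise ValueError("token not yet valid or expired")
    if exp - iat > MAX_TTL_SECONDS:
        raise ValueError("token lifetime too long")

    # 3. Audience and bound claims for the requested role.
    role = ROLES.get(role_name)
    if role is None:
        raise ValueError("unknown role")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if not set(aud) & set(role["bound_audiences"]):
        raise ValueError("audience mismatch")
    for name, pattern in role["bound_claims"].items():
        value = claims.get(name)
        if not isinstance(value, str) or not fnmatch.fnmatchcase(value, pattern):
            raise ValueError(f"bound claim {name!r} does not match")
    return list(role["policies"])


def demo_claims(now: int, sub: str = "pipeline:lab/infra:job:packer-build",
                ref: str = "refs/heads/main") -> dict:
    """Constructed claims shaped like the ones CI providers put in job tokens."""
    return {"iss": ISSUER, "aud": "vault.homelab.internal", "sub": sub,
            "ref": ref, "iat": now, "exp": now + 300}
```

One caveat on the glob matching: `fnmatch`'s `*` also matches `/`, so a pattern like `refs/heads/*` would accept `refs/heads/feature/anything`. Bind branch and job claims exactly wherever you can, and reserve wildcards for claims where the set of acceptable values is genuinely open.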
Yeah not CI really. This is about a homelab build, spinning up and provisioning VMs with Packer for templating, Terraform for provisioning, and Ansible for config. And in the interest of keeping things in the lab, I'd prefer to avoid entanglements with an external IdP.
I see. Another thing you could look into is Infisical, which is a pretty intuitive self-hosted secret manager. I just wrote a blog post for them that shows how to set it up and use their CLI for just-in-time ENV injection, which works if you're manually running commands.
https://infisical.com/blog/self-hosting-infisical-homelab