Secrets Management
slipp integrates with Ansible Vault for secure secret management. Generate secrets, store them encrypted, and use them in deployments and local development.
Quick Start
- Generate a secret
      slipp secret
      # Output: 64 hex chars (256-bit)
- Add to vault
      slipp secrets add vault_db_password myproject
- Use in templates
      # group_vars/all.yml
      database_password: "{{ vault_db_password }}"
- Encrypt vault
      ansible-vault encrypt inventory/host_vars/myhost/vault.yml
Generating Secrets
Basic secret
    slipp secret
Output: 64 hex characters (256-bit entropy)
Options
    # 16 bytes (128-bit)
    slipp secret --bytes 16
    # 64 bytes (512-bit)
    slipp secret --bytes 64
    # Base64 encoded
    slipp secret --base64
    # ULID format
    slipp secret --ulid
    # RSA 2048-bit keypair
    slipp secret --jwk
    # RSA 4096-bit keypair
    slipp secret --jwk --bits 4096
Managing Vaults
List available vaults
    slipp secrets list
Shows all registered projects with vault files:
    Available vaults:
    project       vault                    secrets
    myproject     inventory/.../vault.yml  5
    auth-service  inventory/.../vault.yml  3
List secrets in a vault
    slipp secrets list myproject
    Secrets in inventory/host_vars/myhost/vault.yml:
      - vault_db_password
      - vault_api_key
      - vault_jwt_secret
Get template string
    slipp secrets list myproject vault_db_password
    # Output: {{ vault_db_password }}
Adding Secrets
Add random secret
    slipp secrets add vault_db_password myproject
Generates a random secret and adds it to the vault.
Add JWK keypair
    slipp secrets add vault_signing_key myproject --jwk
Generates an RSA keypair for JWT signing.
Custom entropy
    slipp secrets add vault_session_key myproject --bytes 64
Syncing Secrets
Auto-generate secrets for all {{ vault_* }} references:
    slipp secrets sync inventory/host_vars/myhost/vars.yml
- Scans the YAML file for {{ vault_* }} patterns
- Lists found references
- Generates random secrets for each
- Creates vault.yml in the same directory
Using Secrets
In Ansible templates
Reference vault secrets in your vars files:
    database:
      password: "{{ vault_db_password }}"
    api:
      secret_key: "{{ vault_api_key }}"
In run profiles
Load vault secrets as environment variables:
    slipp run dev --vault myproject --cmd "npm run dev"
Secrets are transformed and injected:
- vault_db_password becomes DB_PASSWORD
- vault_api_key becomes API_KEY
Multiple vaults
Combine secrets from multiple projects:
    slipp run dev --vault myproject --vault shared-secrets
Vault Workflow
Initial setup
- Create vars file with references
      # inventory/host_vars/myhost/vars.yml
      matrix_sliding_sync_shared_secret: "{{ vault_sliding_sync_secret }}"
      matrix_postgres_connection_password: "{{ vault_postgres_password }}"
- Generate secrets
      slipp secrets sync inventory/host_vars/myhost/vars.yml
- Encrypt vault
      ansible-vault encrypt inventory/host_vars/myhost/vault.yml
- Deploy
      slipp deploy
      # Prompts for vault password
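A pre-deploy check for the workflow above, added here as an example and not part of slipp: it flags any vault.yml that does not start with the Ansible Vault file header (one that has not been through the encrypt step) and any vars.yml whose {{ vault_* }} references have no vault.yml beside them. The finding labels, function names and the sample directory tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Files written by `ansible-vault encrypt` begin with this marker.
VAULT_HEADER = "$ANSIBLE_VAULT;"
# The {{ vault_* }} reference form used in the vars files on this page.
VAULT_REF = re.compile(r"\{\{\s*(vault_[A-Za-z0-9_]+)\s*\}\}")

def is_encrypted(path: Path) -> bool:
    """True if the first line carries the Ansible Vault header."""
    with path.open(encoding="utf-8", errors="replace") as fh:
        return fh.readline().startswith(VAULT_HEADER)

def audit_inventory(root: Path) -> list[str]:
    """Flag plaintext vault.yml files and vars.yml files with no vault beside them."""
    findings = []
    for vault in sorted(root.rglob("vault.yml")):
        if not is_encrypted(vault):
            findings.append(f"PLAINTEXT {vault.relative_to(root).as_posix()}")
    for vars_file in sorted(root.rglob("vars.yml")):
        refs = sorted(set(VAULT_REF.findall(vars_file.read_text(encoding="utf-8"))))
        if refs and not (vars_file.parent / "vault.yml").exists():
            rel = vars_file.relative_to(root).as_posix()
            findings.append(f"NO_VAULT {rel} needs {', '.join(refs)}")
    return findings

def build_sample(root: Path) -> None:
    """Constructed tree: one encrypted vault, one left in plaintext, one missing."""
    files = {
        "host_vars/good/vars.yml": 'db: "{{ vault_db_password }}"\n',
        "host_vars/good/vault.yml": "$ANSIBLE_VAULT;1.1;AES256\n(constructed ciphertext)\n",
        "host_vars/leaky/vars.yml": 'key: "{{ vault_api_key }}"\n',
        "host_vars/leaky/vault.yml": "vault_api_key: constructed-plaintext-value\n",
        "host_vars/fresh/vars.yml": 'a: "{{ vault_jwt_secret }}"\nb: "{{vault_db_password}}"\n',
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")

def demo() -> list[str]:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        return audit_inventory(Path(tmp))

if __name__ == "__main__":
    print("\n".join(demo()))
```

Run against a real inventory by calling audit_inventory(Path("inventory")) and failing the commit or deploy when the returned list is not empty.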
Adding new secrets
- Add to vault
      slipp secrets add vault_new_secret myproject
- Reference in vars
      new_service_key: "{{ vault_new_secret }}"
- Redeploy
      slipp deploy