- Home
- Skills
- Basher83
- Lunar Claude
- Ansible Secrets
ansible-secrets_skill
- Python
13
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill basher83/lunar-claude --skill ansible-secrets- SKILL.md8.6 KB
Overview
This skill helps Ansible users retrieve and manage secrets securely using an Infisical integration and safe playbook patterns. It provides a reusable lookup task to fetch secrets, optional environment fallbacks, and guidance for keeping sensitive data out of logs and code. Use it to centralize secret access and enforce retrieval, validation, and limited scope for credentials in playbooks.
How this skill works
The skill exposes a reusable Ansible task that queries Infisical for a named secret and registers it under a provided variable name. It attempts Universal Auth via INFISICAL_UNIVERSAL_AUTH_CLIENT_ID/SECRET and can fall back to an environment variable if configured. The task supports project, environment, and path parameters and can enforce non-empty values or allow optional secrets. Tasks that consume secrets should use no_log to avoid exposing values.
When to use it
- Retrieving credentials for services (databases, APIs, Redis) within playbooks
- When you want a single reusable pattern for Infisical secret lookups
- CI/CD pipelines where secrets are provisioned via environment variables or service auth
- Local development with an environment fallback for quick iteration
- Enforcing validation or complexity checks before using secrets in automation
Best practices
- Always set no_log: true on tasks that handle or pass secrets to modules or templates
- Prefer Infisical Universal Auth in CI and production; use fallback_env_var only for local/dev scenarios
- Retrieve secrets only when needed to limit exposure and scope
- Validate critical secrets (length, format) immediately after retrieval and fail fast on issues
- Avoid hard-coding secrets in playbooks, templates, or inventory files
Example use cases
- Fetch DB_PASSWORD from Infisical and assert minimum complexity before templating DB config with no_log
- Retrieve API_KEY and set it into an application config file, ensuring file mode 0600 and no_log on the template task
- Use fallback_env_var for local developer overrides while CI uses Universal Auth environment variables
- Fetch multiple secrets (DB, API, Redis) using repeated include_tasks calls and then deploy a config with limited scope
FAQ
It prefers Infisical Universal Auth via INFISICAL_UNIVERSAL_AUTH_CLIENT_ID and INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET, with optional environment variable fallback if configured.
How do I avoid exposing secrets in logs?
Mark any tasks that handle or consume secrets with no_log: true and restrict templates or commands that write secrets to files with strict permissions.
What if a secret is empty or missing?
You can set allow_empty: true for optional values, or provide fallback_env_var. For required secrets, include assertions to fail early with no_log enabled.