ansible-secrets_skill

This skill securely retrieves Infisical secrets in Ansible, enforces no_log, and supports fallbacks for safe, reusable secret handling.
  • Python

13

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill basher83/lunar-claude --skill ansible-secrets

  • SKILL.md8.6 KB

Overview

This skill helps Ansible users retrieve and manage secrets securely using an Infisical integration and safe playbook patterns. It provides a reusable lookup task to fetch secrets, optional environment fallbacks, and guidance for keeping sensitive data out of logs and code. Use it to centralize secret access and enforce retrieval, validation, and limited scope for credentials in playbooks.

How this skill works

The skill exposes a reusable Ansible task that queries Infisical for a named secret and registers it under a provided variable name. It attempts Universal Auth via INFISICAL_UNIVERSAL_AUTH_CLIENT_ID/SECRET and can fall back to an environment variable if configured. The task supports project, environment, and path parameters and can enforce non-empty values or allow optional secrets. Tasks that consume secrets should use no_log to avoid exposing values.

When to use it

  • Retrieving credentials for services (databases, APIs, Redis) within playbooks
  • When you want a single reusable pattern for Infisical secret lookups
  • CI/CD pipelines where secrets are provisioned via environment variables or service auth
  • Local development with an environment fallback for quick iteration
  • Enforcing validation or complexity checks before using secrets in automation

Best practices

  • Always set no_log: true on tasks that handle or pass secrets to modules or templates
  • Prefer Infisical Universal Auth in CI and production; use fallback_env_var only for local/dev scenarios
  • Retrieve secrets only when needed to limit exposure and scope
  • Validate critical secrets (length, format) immediately after retrieval and fail fast on issues
  • Avoid hard-coding secrets in playbooks, templates, or inventory files

Example use cases

  • Fetch DB_PASSWORD from Infisical and assert minimum complexity before templating DB config with no_log
  • Retrieve API_KEY and set it into an application config file, ensuring file mode 0600 and no_log on the template task
  • Use fallback_env_var for local developer overrides while CI uses Universal Auth environment variables
  • Fetch multiple secrets (DB, API, Redis) using repeated include_tasks calls and then deploy a config with limited scope

FAQ

It prefers Infisical Universal Auth via INFISICAL_UNIVERSAL_AUTH_CLIENT_ID and INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET, with optional environment variable fallback if configured.

How do I avoid exposing secrets in logs?

Mark any tasks that handle or consume secrets with no_log: true and restrict templates or commands that write secrets to files with strict permissions.

What if a secret is empty or missing?

You can set allow_empty: true for optional values, or provide fallback_env_var. For required secrets, include assertions to fail early with no_log enabled.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
ansible-secrets skill by basher83/lunar-claude | VeilStrat