This is an example of using a cert file generated by each users private keys, which can then be used to decrypt a single Ansible Vault secret and allows running an Ansible Repo without a user requiring anything more than a local private key

• 1 - Generate Ansible vault master key and encrypt against each of our desired users certificate, allowing each user to have access to the master key.
• 2 - Insert a Secret using the above Ansible Vault key
• 3 - Print out or make use of the encrypted secret.
• ((NOTE)) - Automatic decryption of the above Ansible Vault master key happens by way of the line vault_password_file=pull_vault_password.sh inside ansible.cfg which calls a script which automatically uses your private key to decrypt vault master key.

The first steps are for each user to generate a public key certificate from their own private keys. Replacing NAMEHERE with your own name such as rick or stuart

openssl req -x509 -new -key ~/.ssh/id_rsa -nodes -subj "/C=GB/ST=*/L=*/O=*/OU=*/CN=NAMEHERE/"

Move into the create_secrets folder

Next this data need to be placed inside of the create_secrets/1_generate_vault_master_password.yml file at the top. This is a simple example playbook which will generate the Ansible Master key and place it into a location. It will ask what you desire the master password to be and then encrypt it against the list of provided certificates.

ansible-playbook 1_generate_vault_master_password.yml

Stay in the create_secrets folder

The final step is to create Ansible Vault secrets against the current master key, http://docs.ansible.com/ansible/2.4/vault.html I have provided an example which takes input and spits out Ansible Vault data. This is based on the above generated master key, it will then place the data into use_secrets/vault_data.yml ready to be printed

ansible-playbook 2_generate_vault_variable.yml

Move into the use_secrets folder and run playbook

ansible-playbook 3_print_vault_secret.yml