2
votes

We currently store a load of secrets in our Azure Key Vault for platform deployment. We deploy using Ansible, but it doesn't seem to have a read ability for Key Vault (you can create, but not read!?). Our architect/product owner is forcing us to use this for storage, as opposed to local vaults.

Our current solution is to use the Azure CLI to log in, then iterate through the list of secrets we want, one by one, mapping them to facts, then log out of the CLI. The problem with this is that it's a single action, and seems to be rather slow.

    - name: Capture KeyVault secret and register variable
      local_action: "command az keyvault secret show --name {{ playsecret }} --vault-name {{ az_keyvault_name }}"
      register: secretValue

So there are two problems with this; a solution that negates both would be ideal, but a solution to either would be great.

Problems:

  1. Azure CLI login means we can't run things asynchronously. If both are reading secrets, the first to log out logs the other out. (As we run this from an orchestration server. It's possible to negate this with more orchestration boxes, but cost etc.)
  2. Secret reading is a single action, which seems to make it very slow (I suspect this is more on the Azure end than an Ansible issue).
1
Comment: Can you provide the whole Ansible file which you use? – Charles Xu

1 Answer

2
votes

There is a preview module that helps with this: https://github.com/Azure/azure_preview_modules. It lets you do

    some_secret_var: "{{ lookup('azure_keyvault_secret', 'some-secret-name', vault_url=vault_url, client_id=azure_credentials_client_id, secret=azure_credentials_secret, tenant_id=azure_credentials_tenant) }}"

in your vars file. Unfortunately this does not solve the slowness problem.
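Putting the lookup from that answer together with the questioner's "map secrets to facts" loop, as an added example that is not from the question, the answer or the azure_preview_modules project: it reads a list of secret names into one dict in a single task and needs no `az login`/`az logout`, since the lookup authenticates with the service principal credentials it is given, so two playbooks can run at the same time without logging each other out. The vault URL, credential variable names and secret names are assumed placeholders; `no_log: true` keeps the secret values out of the Ansible output and log files.

```yaml
# Assumes the azure_preview_modules role is installed so the
# 'azure_keyvault_secret' lookup is available on the controller.
- hosts: localhost
  gather_facts: false
  vars:
    vault_url: "https://EXAMPLE-VAULT.vault.azure.net/"   # placeholder
    # Service principal credentials: supply from an Ansible vault file
    # or the environment, never from a plain vars file in source control.
    azure_credentials_client_id: "{{ lookup('env', 'AZURE_CLIENT_ID') }}"
    azure_credentials_secret: "{{ lookup('env', 'AZURE_SECRET') }}"
    azure_credentials_tenant: "{{ lookup('env', 'AZURE_TENANT') }}"
    # Constructed list of the secret names this deployment needs.
    kv_secret_names:
      - db-password
      - storage-account-key
      - api-token
  tasks:
    - name: Read the listed Key Vault secrets into one dict of facts
      set_fact:
        kv_secrets: >-
          {{ kv_secrets | default({})
             | combine({ item: lookup('azure_keyvault_secret', item,
                                      vault_url=vault_url,
                                      client_id=azure_credentials_client_id,
                                      secret=azure_credentials_secret,
                                      tenant_id=azure_credentials_tenant) }) }}
      loop: "{{ kv_secret_names }}"
      # Each iteration would otherwise print the secret value in the
      # task result; no_log hides it from stdout and log files.
      no_log: true

    - name: Fail early if any secret came back empty
      assert:
        that: kv_secrets[item] | length > 0
        quiet: true
      loop: "{{ kv_secret_names }}"
      no_log: true

    - name: Use a secret (pass it on, never echo it)
      debug:
        msg: "Fetched {{ kv_secrets | length }} secrets; db-password is {{ kv_secrets['db-password'] | length }} characters long"
```

Each lookup is still one round trip to Key Vault, so this removes the login/logout serialisation but, as the answer says, not the per-secret latency.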