I’d like to avoid using the static SSH keypair of the ansible user, which does automated deployments triggered by a pipeline. HashiCorp Vault came to mind, but I’ve no idea whether it could be used for automated deployments. The issue I see is the initial proof of identity. For a personalized account this could be done when the user enters some credentials, which could be verified against all kinds of authentication backends (LDAP, AWS, GitHub, …).
But how could a technical account prove its identity without providing an initial truth like a token, SSL cert, or any other kind of key / credential? Is that possible at all?
What I’ve seen so far is just transferring the secrets into Vault, but the key to the Vault is visible anyway. That does not make any sense in my opinion; it just increases complexity.
Any thoughts on that?
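An added example, not part of the original post, illustrating one way a technical account can answer the "initial truth" question: with Vault's AWS IAM auth method the host never stores a Vault secret at all. It signs an STS `GetCallerIdentity` request with the short-lived role credentials the platform hands it through the instance metadata service, and Vault forwards that signed request to STS; the AWS identity STS reports is the proof. The code below builds the login payload for `POST /v1/auth/aws/login` and does the SigV4 signing; the access key, secret, session token, role name, server ID and timestamp are constructed values, and only the payload construction is shown, not the HTTP call to Vault.

```python
"""Build a Vault AWS-IAM login payload from temporary instance credentials.

Added example (not from the original post). The credentials, role name and
server ID below are constructed; on a real instance they come from the
instance metadata service and the Vault role configuration.
"""
import base64
import datetime
import hashlib
import hmac
import json
from urllib.parse import urlparse

STS_URL = "https://sts.amazonaws.com/"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_sign(method, url, body, headers, access_key, secret_key, amz_date,
               region="us-east-1", service="sts"):
    """Return a copy of `headers` with an AWS SigV4 Authorization header added.

    `headers` must use lowercase names and already contain host and x-amz-date.
    """
    parsed = urlparse(url)
    canonical_headers = "".join(f"{k}:{v.strip()}\n" for k, v in sorted(headers.items()))
    signed_headers = ";".join(sorted(headers))
    canonical_request = "\n".join([
        method,
        parsed.path or "/",
        parsed.query,
        canonical_headers,            # already ends with "\n", giving the blank line
        signed_headers,
        hashlib.sha256(body.encode()).hexdigest(),
    ])
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    # Key derivation chain: date -> region -> service -> "aws4_request"
    k_date = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    k_signing = _hmac(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    signed = dict(headers)
    signed["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return signed


def build_vault_iam_login(role, creds, vault_server_id=None, now=None):
    """Build the JSON body for POST <vault>/v1/auth/aws/login (iam auth type).

    `creds` is the temporary (access_key, secret_key, session_token) triple an
    instance obtains from the metadata service; nothing here is long-lived.
    """
    access_key, secret_key, session_token = creds
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    headers = {
        "host": urlparse(STS_URL).netloc,
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "x-amz-date": amz_date,
        "x-amz-security-token": session_token,
    }
    if vault_server_id:
        # Binds the signed request to one Vault cluster, so a captured login
        # payload cannot be replayed against a different Vault.
        headers["x-vault-aws-iam-server-id"] = vault_server_id
    signed = sigv4_sign("POST", STS_URL, STS_BODY, headers, access_key, secret_key, amz_date)

    def b64(s):
        return base64.b64encode(s.encode()).decode()

    return {
        "role": role,
        "iam_http_request_method": "POST",
        "iam_request_url": b64(STS_URL),
        "iam_request_body": b64(STS_BODY),
        # Vault expects each header value as a list of strings
        "iam_request_headers": b64(json.dumps({k: [v] for k, v in signed.items()})),
    }
```

The resulting dict is what the pipeline host POSTs to Vault's `auth/aws/login` endpoint; the token Vault returns is short-lived and scoped by the role, so the only long-lived thing on the host is the IAM role binding itself, which is enforced by the platform rather than stored as a file. The same shape of argument applies to other platform-attested identities (for example a Kubernetes service account token), which is the usual answer to the "initial truth" problem for machines.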