Secure automated ansible jobs: replace ssh key usage with hashi vault

I’d like to avoid using the static SSH keypair of the Ansible user which does automated deployments triggered by a pipeline. Hashi Vault came into my mind, but I’ve no idea if this could be used for automated deployments. The issue I see is the initial proof of identity. For a personalized account this could be done when he enters some credentials which could be verified against all kinds of authentication backends (LDAP, AWS, GitHub, …).

But how could a technical account prove its identity without providing an initial truth like a token, SSL cert, or any other kind of key / credential? Is that possible at all?

What I’ve seen so far is just transferring the secrets into Vault, but the key to the vault is visible anyway. Which does not make any sense in my opinion, but just increases complexity.

Any thoughts on that?

If you use a GitLab pipeline, you can use JWT auth. For example, I have a GitLab pipeline that uses Packer to build templates on vSphere. My Packer needs to have an account on my vSphere, and this account is managed by the Active Directory engine.

So, I have JWT auth enabled and a role that has a policy to read this vSphere password.

My pipeline starts with:

- export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=gitlab-packer-master jwt=$CI_JOB_JWT)"

Now my Packer has a token and a policy.
It’s the same with Ansible.
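To make the answer above concrete, here is an added example (not code from the poster and not Vault’s own implementation) that models what happens on `vault write auth/jwt/login`: the CI system signs a short-lived JWT for one job, and the Vault role accepts it only if the signature verifies against the issuer’s key, the token has not expired, and the claims match the role’s bindings. The role option names (`bound_audiences`, `bound_claims`, `token_policies`, `token_ttl`) and the config option `bound_issuer` mirror Vault’s JWT auth method; everything else is a constructed stand-in. In particular the example signs with a constructed HS256 key purely for self-containment, whereas a real issuer such as GitLab uses RS256 and Vault fetches the public keys from the issuer’s JWKS URL. The point it shows is the one the question asked about: the pipeline never holds a static Vault secret, because its proof of identity is a signed claim set that a role binds to a narrow policy.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo signing key. A real issuer signs with an asymmetric key
# (RS256) and Vault verifies with the public half from jwks_url.
ISSUER_KEY = b"constructed-demo-hs256-key"

# Models auth/jwt/config (bound_issuer is a config-level option in Vault).
AUTH_CONFIG = {"bound_issuer": "https://gitlab.example"}

# Models auth/jwt/role/<name>. Only a job from this project on this ref gets
# the policy; a job from another project/branch is refused.
ROLES = {
    "gitlab-packer-master": {
        "bound_audiences": ["vault"],
        "bound_claims": {"project_path": "infra/packer", "ref": "master"},
        "token_policies": ["read-vsphere-password"],
        "token_ttl": 600,
    }
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_ci_jwt(claims: dict, key: bytes = ISSUER_KEY) -> str:
    """Stand-in for the CI system minting $CI_JOB_JWT for one job."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_login(role_name: str, token: str, key: bytes = ISSUER_KEY, now=None) -> dict:
    """Model of auth/jwt/login: verify signature and expiry, then bound claims.

    Returns the policies/TTL a Vault token issued for this job would carry.
    """
    now = time.time() if now is None else now
    role = ROLES[role_name]
    header_b64, payload_b64, sig_b64 = token.split(".")

    # Pin the algorithm: never let the token header choose how it is verified.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")

    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if claims.get("iss") != AUTH_CONFIG["bound_issuer"]:
        raise PermissionError("issuer not bound")

    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if not set(aud) & set(role["bound_audiences"]):
        raise PermissionError("audience not bound to role")

    for claim, wanted in role["bound_claims"].items():
        if claims.get(claim) != wanted:
            raise PermissionError(f"claim {claim!r} does not match role binding")

    return {
        "sub": claims.get("sub"),
        "policies": role["token_policies"],
        "ttl": role["token_ttl"],
    }


if __name__ == "__main__":
    job = {
        "iss": "https://gitlab.example", "aud": "vault", "sub": "job:42",
        "project_path": "infra/packer", "ref": "master", "exp": time.time() + 300,
    }
    print(jwt_login("gitlab-packer-master", mint_ci_jwt(job)))
```

Each refusal branch corresponds to a real failure mode worth testing in a pipeline: a token signed by something other than the issuer, a job whose JWT has outlived its `exp`, or a job on a feature branch trying to use a role bound to `master`. The returned policy list is what you would then see on `vault token lookup` of the token exported into `VAULT_TOKEN`.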