Claude-skill-registry ansible-secrets
install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/ansible-secrets" ~/.claude/skills/majiayu000-claude-skill-registry-ansible-secrets && rm -rf "$T"
manifest:
skills/data/ansible-secrets/SKILL.mdsafety · automated scan (low risk)
This is a pattern-based risk scan, not a security review. Our crawler flagged:
- references API keys
Always read a skill's source content before installing. Patterns alone don't mean the skill is malicious — but they warrant attention.
source content
Ansible Secrets Management
Secure secrets handling with Infisical integration and proper security practices.
Architecture Overview
┌──────────────┐ │ Ansible │ │ Playbook │ └──────┬───────┘ │ │ include_tasks: infisical-secret-lookup.yml │ ▼ ┌──────────────────┐ │ Infisical Lookup │ │ Task │ └──────┬───────────┘ │ ├─> Try Universal Auth (preferred) │ - INFISICAL_UNIVERSAL_AUTH_CLIENT_ID │ - INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET │ ├─> Fallback to Environment Variable (optional) │ - Uses specified fallback_env_var │ ▼ ┌──────────────┐ │ Infisical │ (Vault) │ API │ └──────────────┘
Reusable Task Pattern
The repository provides a reusable task for secret retrieval at
ansible/tasks/infisical-secret-lookup.ymlBasic Usage
- name: Retrieve Proxmox password ansible.builtin.include_tasks: tasks/infisical-secret-lookup.yml vars: secret_name: 'PROXMOX_PASSWORD' secret_var_name: 'proxmox_password' infisical_project_id: '7b832220-24c0-45bc-a5f1-ce9794a31259' infisical_env: 'prod' infisical_path: '/proxmox-cluster' # Now use the secret - name: Create Proxmox user community.proxmox.proxmox_user: api_password: "{{ proxmox_password }}" # ... other config ... no_log: true
With Fallback
- name: Retrieve database password ansible.builtin.include_tasks: tasks/infisical-secret-lookup.yml vars: secret_name: 'DB_PASSWORD' secret_var_name: 'db_password' fallback_env_var: 'DB_PASSWORD' # Falls back to $DB_PASSWORD infisical_project_id: '7b832220-24c0-45bc-a5f1-ce9794a31259' infisical_env: 'prod' infisical_path: '/database'
Task Parameters
| Variable | Required | Default | Description |
|---|---|---|---|
| Yes | - | Name of secret in Infisical |
| Yes | - | Variable name to store secret |
| No | (repo default) | Infisical project ID |
| No | | Environment (prod, dev, staging) |
| No | | Path within project |
| No | - | Env var to use as fallback |
| No | | Allow empty secret values |
Authentication
Universal Auth (Recommended)
Set environment variables before running playbooks:
export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="ua-abc123" export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="secret-xyz789" cd ansible uv run ansible-playbook playbooks/my-playbook.yml
Environment Fallback
For local development or CI without Infisical:
export PROXMOX_PASSWORD="local-dev-password" cd ansible uv run ansible-playbook playbooks/my-playbook.yml
Security Best Practices
1. Use no_log
On tasks that handle secrets:
- name: Set database password ansible.builtin.command: set-password {{ password }} no_log: true - name: Deploy config with secrets ansible.builtin.template: src: config.j2 dest: /etc/app/config.yml no_log: true
2. Avoid Hard-Coded Secrets
# BAD - Exposes secrets - name: Create user community.proxmox.proxmox_user: api_password: "my-password-123" # EXPOSED! # GOOD - name: Retrieve password ansible.builtin.include_tasks: tasks/infisical-secret-lookup.yml vars: secret_name: 'PROXMOX_PASSWORD' secret_var_name: 'proxmox_password' - name: Create user community.proxmox.proxmox_user: api_password: "{{ proxmox_password }}" no_log: true
3. Validate Secret Retrieval
Add validation for critical secrets:
- name: Get database password ansible.builtin.include_tasks: tasks/infisical-secret-lookup.yml vars: secret_name: 'DB_PASSWORD' secret_var_name: 'db_password' - name: Validate password complexity ansible.builtin.assert: that: - db_password | length >= 16 fail_msg: "Password doesn't meet complexity requirements" no_log: true
4. Limit Secret Scope
Retrieve secrets only when needed:
# GOOD - Retrieve only when needed - name: System tasks (no secrets) ansible.builtin.apt: name: nginx state: present - name: Get credentials (only when needed) ansible.builtin.include_tasks: tasks/infisical-secret-lookup.yml vars: secret_name: 'DB_PASSWORD' secret_var_name: 'db_password' - name: Configure database connection ansible.builtin.template: src: db-config.j2 dest: /etc/app/db.yml no_log: true
5. Use Environment Isolation
Separate secrets by environment:
# Production - name: Get prod secret ansible.builtin.include_tasks: tasks/infisical-secret-lookup.yml vars: secret_name: 'DB_PASSWORD' secret_var_name: 'db_password' infisical_env: 'prod' infisical_path: '/production/database' # Development - name: Get dev secret ansible.builtin.include_tasks: tasks/infisical-secret-lookup.yml vars: secret_name: 'DB_PASSWORD' secret_var_name: 'db_password' infisical_env: 'dev' infisical_path: '/development/database'
Multiple Secrets Pattern
--- - name: Deploy application with secrets hosts: app_servers become: true vars: infisical_project_id: '7b832220-24c0-45bc-a5f1-ce9794a31259' infisical_env: 'prod' infisical_path: '/app-config' tasks: - name: Retrieve database password ansible.builtin.include_tasks: tasks/infisical-secret-lookup.yml vars: secret_name: 'DB_PASSWORD' secret_var_name: 'db_password' - name: Retrieve API key ansible.builtin.include_tasks: tasks/infisical-secret-lookup.yml vars: secret_name: 'API_KEY' secret_var_name: 'api_key' - name: Retrieve Redis password ansible.builtin.include_tasks: tasks/infisical-secret-lookup.yml vars: secret_name: 'REDIS_PASSWORD' secret_var_name: 'redis_password' - name: Deploy application config ansible.builtin.template: src: app-config.j2 dest: /etc/app/config.yml owner: app group: app mode: '0600' no_log: true
CI/CD Integration
GitHub Actions
name: Deploy on: push jobs: deploy: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Set up Infisical env: INFISICAL_CLIENT_ID: ${{ secrets.INFISICAL_CLIENT_ID }} INFISICAL_CLIENT_SECRET: ${{ secrets.INFISICAL_CLIENT_SECRET }} run: | echo "INFISICAL_UNIVERSAL_AUTH_CLIENT_ID=$INFISICAL_CLIENT_ID" >> $GITHUB_ENV echo "INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET=$INFISICAL_CLIENT_SECRET" >> $GITHUB_ENV - name: Run Ansible run: | cd ansible uv run ansible-playbook playbooks/deploy.yml
Troubleshooting
Missing Authentication
Error: Missing Infisical authentication credentials
Solution:
export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="ua-abc123" export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="secret-xyz789"
Secret Not Found
Error: Failed to retrieve secret from Infisical
Check:
- Secret exists at specified path in Infisical
- Correct project_id/env/path
- Service account has read permission
Empty Secret Value
Error: Secret validation failed (empty value)
Solutions:
# Option 1: Allow empty (not recommended for required secrets) - name: Get optional secret ansible.builtin.include_tasks: tasks/infisical-secret-lookup.yml vars: secret_name: 'OPTIONAL_KEY' secret_var_name: 'optional_key' allow_empty: true # Option 2: Use fallback - name: Get secret with fallback ansible.builtin.include_tasks: tasks/infisical-secret-lookup.yml vars: secret_name: 'API_KEY' secret_var_name: 'api_key' fallback_env_var: 'DEFAULT_API_KEY'
Additional Resources
For detailed secrets management patterns, consult:
- Infisical integration patterns, no_log best practices, credential securityreferences/secrets-management.md
Related Skills
- ansible-fundamentals - Core Ansible patterns
- ansible-error-handling - Error handling for secret retrieval failures