0

Part of a Puppet to Ansible migration. The current Puppet config uses eyaml:

:eyaml:
  :datadir: /opt/puppet/yamls
  :pkcs7_private_key: /opt/puppet/secure/keys/eyaml_private_key.pkcs7.pem
  :pkcs7_public_key:  /opt/puppet/public/eyaml_public_key.pkcs7.pem
  :extension: 'yaml'

Ansible has Vault, which achieves the encryption, but from what I have understood so far, it requires storing the password as plain text in a file.

Can I use a key combination similar to eyaml for Ansible Vault?

MavWolverine

2 Answers

1

You are correct that ansible-vault only supports use of a password as an encryption key.

HashiCorp Vault has a pluggable authentication system, and one of the built-in options uses PEM-format certs. There is a simple plugin that integrates Vault with Ansible. Vault also offers a number of other advantages over a shared-encrypted-file approach, but that's a larger topic that's not suited for here.

Xiong Chiamiov
1

> from what I have understood so far, it requires storing the password as plain text in a file.

Not quite correct. You can pass an executable path as the --vault-password-file value.
So you can have a script that does any sort of password management and just prints the key to stdout (that will be piped as the vault password to Ansible).

Konstantin Suvorov
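The script approach from the second answer, applied to the eyaml key pair from the question, as an added example that is not part of the original answers: an executable for --vault-password-file that decrypts a PKCS#7-wrapped vault password with openssl and prints it to stdout. The script name vault-pass.sh and the envelope path are hypothetical, and it assumes the eyaml public key file is an X.509 certificate, which is what openssl's -recip option expects.

```shell
#!/bin/sh
# Added example: vault password script for --vault-password-file.
# Key/cert paths are the eyaml ones from the question; ENVELOPE is a
# hypothetical path. Create the envelope once (password read from stdin):
#   openssl smime -encrypt -binary -aes-256-cbc -outform PEM \
#       -out /etc/ansible/vault_pass.p7 "$CERT"
set -eu

KEY=/opt/puppet/secure/keys/eyaml_private_key.pkcs7.pem
CERT=/opt/puppet/public/eyaml_public_key.pkcs7.pem
ENVELOPE=/etc/ansible/vault_pass.p7   # hypothetical location

# vault_password KEY CERT ENVELOPE -> prints the decrypted password
vault_password() {
    key=$1 cert=$2 envelope=$3
    for f in "$key" "$cert" "$envelope"; do
        [ -r "$f" ] || { echo "vault-pass: cannot read $f" >&2; return 1; }
    done
    # Refuse a private key that group or others can access: the key is
    # now the only thing protecting the vault password.
    mode=$(ls -ldL "$key" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "vault-pass: $key is accessible to group/other" >&2
        return 1
    fi
    # Decrypt in memory; the plaintext password never touches disk.
    pw=$(openssl smime -decrypt -inform PEM -in "$envelope" \
            -recip "$cert" -inkey "$key" 2>/dev/null) || {
        echo "vault-pass: decryption failed" >&2; return 1; }
    [ -n "$pw" ] || { echo "vault-pass: empty password" >&2; return 1; }
    printf '%s\n' "$pw"
}

# Run only when installed as vault-pass.sh, so the function can also be
# sourced or tested on its own.
case "${0##*/}" in
    vault-pass.sh) vault_password "$KEY" "$CERT" "$ENVELOPE" ;;
esac
```

Make the script executable and pass its path as the --vault-password-file value; Ansible runs it and reads the password from its stdout.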