I like Ansible's approach to this better. We keep all our secrets in ansible-vault and have a password to unlock it for those "who need to know".
Sure, this means provisioning VM's requires human interaction to unlock the vault (once) during a kickstart. So what. I'd rather do that than have plaintext or even pre-hashed passwords lying around in source control.
As others have pointed out, Hashicorp Vault seems like a good solution to the problems of another Hashicorp product ... Terraform, which used to keep passwords in its state files (not sure if it still does).
Unfortunately it wouldn't work for our network even if I wanted to use it, since our systems aren't allowed to connect outbound to the Internet (for good reason). I suppose I could set up a Vault server locally (?), but it's complete overkill for a problem we already solved in a simpler way.
Ansible is gradually adding modules for about everything. It's come along way since I started using it back in the 1.8 or 1.9 days.
Vault offers features such as short-term secrets which are unique to each client. Vault itself manages creation and destruction of the credentials on the server, allowing it to enforce credential lifetimes
How do you handle autoscaling? Server restart? Autoscaling requires credentials as part of the VM image. For server restart the credentials must be stored on the machine.
Not everybody uses or needs autoscaling. In fact I would venture that the vast majority of companies doing business on the internet, even those that have sunk their money into the cloud computing gold rush, do not need autoscaling.
I would argue that everyone needs auto scaling, even if it's only to use it to scale manually, or change/upgrade instances easily. Being able to just tell your auto scaling group to do +3 then -3 to replace your 3 instances without downtime is quite nice.
