Ansible Per-Host Credentials from HashiCorp Vault
Autodotes

 Published On Aug 5, 2024

If you are an Ansible user who runs playbooks through Job Templates, then you probably already know you can only attach a single Machine Credential. In many cases, this works out fine - customers have a service account used for automation with access to a fleet of hosts which automation jobs may target. With modern secrets management tools, we can even rotate the credential each time a host is touched to satisfy security requirements. However, sometimes that doesn't cut it and unique credentials are required for each host. In this post, I am going to walk through an example using HashiCorp Vault to create a per-host "Machine Credential" at runtime with a little playbook magic.

Autodotes Blog Post:
https://autodotes.com/posts/Ohf0dnxyL...

Source Code:
https://github.com/zjleblanc/ansible-...

00:00 - Intro
01:35 - Playbook Mechanics
03:28 - High-level Process
04:20 - The Playbook
08:50 - Look at HashiCorp Vault
09:18 - The Job Template
11:32 - Let it Rip!
