The Napkin Architecture Series - Secret Zero, Jenkins, Ansible, and Vault
Author: Ted (@supasaf)
The Why
We've all been there: you need to get a secret_id onto a Linux server so your app can log in to Vault. But how do you get that first secret there without hardcoding it? This is the classic "Secret Zero" problem. If you just pass the secret ID in plain text through Jenkins and Ansible, you're exposing it to logs and history files.
Here is the pattern I use to solve this by using Vault's Response Wrapping.
The "Who?"
- Jenkins: Our orchestrator (The requester).
- Ansible: The delivery truck (The carrier).
- Vault: The bank (The secret holder).
- Linux Server: The final destination.
The Flow

Take a look at the diagram above. It creates a secure loop. Here is exactly what's happening in each step:
Step 1: Get Wrapping Token
Jenkins kicks things off. It authenticates and asks Vault: "Hey, I need a Secret ID for the app, but don't give it to me in plain text. Wrap it up."
Step 2: Response Wrapping Token
Vault creates a single-use Wrapping Token (think of it like a sealed envelope) and hands that back to Jenkins. Jenkins never sees the actual secret_id.
Step 3 & 3': Transfer Wrapping Token
Now the hand-off happens. Jenkins passes the token to Ansible (Step 3), and Ansible copies that token file onto the destination Linux server (Step 3'). Crucially, Ansible is just moving a sealed envelope; it doesn't know what's inside.
Step 4: Unwrap Token
The Linux application starts up. It reads the token from the file and calls Vault to unwrap it.
Step 5: Response secret_id
Vault checks if the token is valid and hasn't been tampered with. If everything looks good, it finally reveals the real secret_id directly to the Linux server's memory.
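The five steps above, as an added example that is not part of the original post or of Vault's own tooling. It plays all four parties in one Python script against a constructed in-memory stand-in for Vault (FakeVault) that keeps the real API paths, response shapes and single-use semantics so the script runs offline; ROLE_NAME, WRAP_TTL, the token file location, the `jenkins-token` string and the role-id placeholder are assumptions. The app also checks the envelope's `creation_path` via `sys/wrapping/lookup` before unwrapping, which catches a token that was minted for some other role.

```python
"""Secret Zero hand-off with Vault response wrapping, all four parties in one script."""
import os
import secrets
import tempfile
import time

ROLE_NAME = "myapp"                                   # assumed AppRole name
WRAP_TTL = 300                                        # assumed wrap TTL in seconds
CREATION_PATH = f"auth/approle/role/{ROLE_NAME}/secret-id"
INVALID = {"errors": ["wrapping token is not valid or does not exist"]}


class FakeVault:
    """Constructed in-memory stand-in for Vault with only the endpoints this flow needs.
    Paths and response shapes follow Vault's HTTP API, so the party functions below
    would work unchanged against a real transport with the same request() signature."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.wrapped = {}        # wrapping token -> (expires_at, creation_path, wrapped response)
        self.secret_ids = set()  # secret_ids that may log in to the AppRole

    def request(self, method, path, token, body=None, wrap_ttl=None):
        wt = (body or {}).get("token") or token       # wrapping token from body or X-Vault-Token
        if path == CREATION_PATH and token == "jenkins-token":
            secret_id = secrets.token_hex(16)
            self.secret_ids.add(secret_id)
            inner = {"data": {"secret_id": secret_id}}
            if not wrap_ttl:                          # no X-Vault-Wrap-TTL header: plaintext reply
                return 200, inner
            envelope = "hvs." + secrets.token_urlsafe(24)
            self.wrapped[envelope] = (self.clock() + wrap_ttl, path, inner)
            return 200, {"wrap_info": {"token": envelope, "ttl": wrap_ttl, "creation_path": path}}
        if path == "sys/wrapping/lookup":             # lookup does not consume the token
            entry = self.wrapped.get(wt)
            if not entry or entry[0] < self.clock():
                return 400, INVALID
            return 200, {"data": {"creation_path": entry[1], "creation_ttl": WRAP_TTL}}
        if path == "sys/wrapping/unwrap":             # single use: the first unwrap deletes it
            entry = self.wrapped.pop(wt, None)
            if not entry or entry[0] < self.clock():
                return 400, INVALID
            return 200, entry[2]
        if path == "auth/approle/login":
            if (body or {}).get("secret_id") not in self.secret_ids:
                return 400, {"errors": ["invalid secret id"]}
            return 200, {"auth": {"client_token": "hvs.app-" + secrets.token_hex(8)}}
        return 404, {"errors": ["not implemented in the fake"]}


def jenkins_request_wrapped_secret_id(vault, jenkins_token):
    """Steps 1-2: ask for a secret_id but insist on the wrapped form."""
    status, resp = vault.request("POST", CREATION_PATH, jenkins_token, wrap_ttl=WRAP_TTL)
    if status != 200 or "wrap_info" not in resp or "data" in resp:
        raise RuntimeError("expected a wrapped response; refusing a plaintext secret_id")
    return resp["wrap_info"]["token"]                 # the sealed envelope, nothing more


def ansible_deliver(wrapping_token, dest_path):
    """Steps 3/3': carry the opaque token to the host; never call unwrap here."""
    with open(dest_path, "w") as fh:
        fh.write(wrapping_token)
    os.chmod(dest_path, 0o600)


def app_unwrap_and_login(vault, token_path, role_id):
    """Steps 4-5: check provenance, unwrap once, log in, then drop the token file."""
    with open(token_path) as fh:
        wt = fh.read().strip()
    status, info = vault.request("POST", "sys/wrapping/lookup", wt)
    if status != 200 or info["data"]["creation_path"] != CREATION_PATH:
        raise RuntimeError("token invalid, expired, already used, or not minted for our role")
    status, resp = vault.request("POST", "sys/wrapping/unwrap", wt)
    if status != 200:
        raise RuntimeError(f"unwrap failed, treat as interception: {resp['errors']}")
    secret_id = resp["data"]["secret_id"]             # exists only in this process's memory
    status, login = vault.request("POST", "auth/approle/login", "",
                                  {"role_id": role_id, "secret_id": secret_id})
    os.remove(token_path)                             # envelope is spent; nothing left to steal
    return login["auth"]["client_token"]


def run_flow(already_consumed=False):
    """Drive the whole loop; with already_consumed, the envelope is opened before the app runs."""
    vault = FakeVault()
    envelope = jenkins_request_wrapped_secret_id(vault, "jenkins-token")
    path = os.path.join(tempfile.mkdtemp(), "wrap.token")   # assumed drop location on the host
    ansible_deliver(envelope, path)
    if already_consumed:
        vault.request("POST", "sys/wrapping/unwrap", envelope)
    try:
        return {"ok": True, "client_token": app_unwrap_and_login(vault, path, "role-id-placeholder")}
    except RuntimeError as err:
        return {"ok": False, "error": str(err)}


if __name__ == "__main__":
    print(run_flow())
    print(run_flow(already_consumed=True))
```

Against a real server the same calls go to `/v1/<path>` with the caller's token in `X-Vault-Token` and, for step 1, the TTL in `X-Vault-Wrap-TTL`. `run_flow(already_consumed=True)` shows what the application sees when the envelope was opened before it arrived: the lookup and unwrap both fail, which is exactly the signal the Audit Trail point below relies on.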
Why I Like This Pattern
- No Leaks: Neither Jenkins nor Ansible ever sees the real credential.
- Self-Destructing: The wrapping token is single-use and short-lived. If a hacker steals it from the Ansible logs later, it's already useless.
- Audit Trail: If the unwrap step fails, we know immediately that something is wrong.