Secrets
Secrets live in credentials. Each is sealed at rest with AES-256-GCM, is never returned by the API,
and reaches a run only while it executes, in a temporary file or environment that is wiped afterward.
If a tool prints a secret, Yardmaster redacts it from the run's log, live stream, and events, so the
output shows *** instead of the value.
Kinds
A credential's kind decides how its value reaches a run.
| Kind | What it is |
|---|---|
ssh_key |
An SSH private key, to reach hosts and clone private git projects. |
vault_password |
An Ansible Vault password. |
env |
KEY=VALUE lines injected into the environment, how cloud SDK tokens reach a tool. |
token |
A single API token or JWT, exposed to the run as YARDMASTER_TOKEN. |
become_password |
A privilege escalation password, kept off the command line. |
registry |
A container registry login, to pull a pinned execution image. |
Sources
A credential's source decides where its value comes from at run time.
| Source | Where the value comes from |
|---|---|
| Stored | The sealed value you pasted. This is the default. |
| Command | A command Yardmaster runs at launch, whose standard output is the secret. Works with any CLI, so Vault, AWS, GCP, or 1Password all resolve with no extra integration. |
| Vault | A Vault address, path, and field, read over Vault's HTTP API at launch. Handles KV v2 and KV v1. |
| Vault dynamic | A Vault dynamic secrets path. A fresh, short-lived credential is minted for each run and revoked when the run ends. |
| Google Secret Manager | A project, secret, and version, read at launch. On GCP it reads as the attached service account with no stored key. |
Ephemeral secrets
A Vault dynamic source mints a new credential for each run and revokes it the moment the run ends, so a leaked value is useless minutes later. If the process dies before it can revoke, the credential still expires on the lease's own TTL. This is a control-plane capability neither incumbent offers.
Scope
Attach a credential to a run, a template, a project, or a stored inventory. A credential attached to an inventory reaches every run that targets it, so a fleet carries its own secret variables in one place.
Encryption
Sealing needs a key. Set YARDMASTER_ENCRYPTION_KEY and a stable YARDMASTER_ENCRYPTION_SALT before
storing an externally sourced credential or inventory. The sealed value never leaves Yardmaster.
See Set a secret for the step-by-step, including the API calls.
