{"id":14479,"date":"2018-11-29T08:18:53","date_gmt":"2018-11-29T07:18:53","guid":{"rendered":"https:\/\/www.inovex.de\/blog\/?p=14479"},"modified":"2026-03-17T07:59:35","modified_gmt":"2026-03-17T06:59:35","slug":"managing-secrets-openstack-terraform","status":"publish","type":"post","link":"https:\/\/www.inovex.de\/de\/blog\/managing-secrets-openstack-terraform\/","title":{"rendered":"4 Ways to Manage Your OpenStack Secrets with Terraform and git"},"content":{"rendered":"<p>Uploading secrets (i.e. passwords and usernames) to version control is an obviously terrible idea. Yet, there are almost 450,000 commits on GitHub for the search term &#8222;remove password&#8220;. Fortunately, Terraform and its OpenStack provider offer us some pretty nifty ways of keeping our secrets to ourselves and still using comfortable authentication and configuration. There are four main ways of authenticating to OpenStack through Terraform that I will touch on in this article.<\/p>\n<ul>\n<li>Command line<\/li>\n<li>Environment variables<\/li>\n<li>.tfvars file<\/li>\n<li>clouds-public.yaml, clouds.yaml and secure.yaml<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"Command-line\"><\/span>Command line<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>It is possible to pass your secrets into Terraform as command line arguments. 
To do this, define your provider like this:<\/p>\n<pre class=\"lang:default decode:true\" title=\"Command line authentication\"># Declare the input variables so that values can be passed in at apply time\r\n\r\nvariable \"username\" {}\r\n\r\nvariable \"password\" {}\r\n\r\nprovider \"openstack\" {\r\n\r\n    username = \"${var.username}\"\r\n\r\n    password = \"${var.password}\"\r\n\r\n}<\/pre>\n<p>When running <span class=\"lang:default decode:true crayon-inline \">terraform apply<\/span>, you can then insert your secrets like so:<\/p>\n<pre class=\"lang:default decode:true\">terraform apply -var 'username=simon' -var 'password=verysecret'<\/pre>\n<p>This is more secure than storing your secrets in repositories, but not ideal, as you have to type in the variable values at every <span class=\"lang:default decode:true crayon-inline \">terraform apply<\/span>. It does however have the advantage of you never having to store your secrets on any hard drive, provided your shell does not record the command in its history file; the arguments are also visible in the process list while Terraform runs.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Environment-variables\"><\/span>Environment variables<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>By default, the OpenStack provider looks for environment variables in the shell where <span class=\"lang:default decode:true crayon-inline \">terraform apply<\/span> is run. These environment variables usually start with &#8222;OS_&#8220; and end in the name of the variable. There is an easy way of getting these variables from your OpenStack project:<\/p>\n<ol>\n<li>Go to your OpenStack Dashboard<\/li>\n<li>Navigate to &#8218;Project &gt; API Access&#8216;<\/li>\n<li>Click the button &#8218;Download OpenStack RC file&#8216;<\/li>\n<li><span class=\"lang:default decode:true crayon-inline \">source<\/span> your freshly downloaded OpenRC file and type in your password when asked<\/li>\n<\/ol>\n<p>This has the advantage of having most authentication options set correctly automatically. 
It does however still have the disadvantage of having to type your password on every <span class=\"lang:default decode:true crayon-inline \">source<\/span>.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"terraformtfvars\"><\/span>terraform.tfvars<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>If you don&#8217;t want to have to reload your OpenRC file with every new shell you open and you also don&#8217;t want to type your password time and again, you have to store your secrets somewhere on your hard drive.<\/p>\n<p>The easiest way of doing this is creating a &#8218;terraform.tfvars&#8216; file in the root folder of your Terraform project. When running <span class=\"lang:default decode:true crayon-inline \">terraform apply<\/span>, Terraform will automatically scour the root folder for a terraform.tfvars file and load all variables defined in this file. In order to use the terraform.tfvars file, first define your provider in the same way as in the command line example. Then, create a file called terraform.tfvars and fill it with variable definitions like this:<\/p>\n<pre class=\"lang:default decode:true\" title=\"terraform.tfvars\">username = \"simon\"\r\n\r\npassword = \"verysecret\"<\/pre>\n<p>Terraform will automatically substitute the variables at <span class=\"lang:default decode:true crayon-inline \">apply<\/span> time.<\/p>\n<p>Finally, don&#8217;t forget to add &#8218;terraform.tfvars&#8216; to your .gitignore so you don&#8217;t accidentally commit your secrets to version control.<\/p>\n<p>Note that your file can also have a different name from &#8218;terraform.tfvars&#8216;. If the file has another name (e.g. &#8218;example.tfvars&#8216;), you can run Terraform by calling<\/p>\n<pre class=\"lang:default decode:true\" title=\"example with different file name\">terraform apply -var-file=\"example.tfvars\"<\/pre>\n<p>Now you have a way to store your OpenStack secrets locally without running the danger of sharing them together with your code. 
But what if there are some OpenStack configuration options that you actually <strong>want<\/strong> to upload to version control? The options so far do not provide a way of splitting the secrets from the rest of the configuration. Therefore we sometimes need a more flexible approach.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"clouds-publicyaml-cloudsyaml-and-secureyaml\"><\/span>clouds-public.yaml, clouds.yaml and secure.yaml<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Fortunately, the terraform-openstack-provider and OpenStack come with built-in support for splitting up your configuration. There are three special .yaml configuration files that Terraform searches for when authenticating. Each one of these files will be explained in detail in the next paragraphs. In order to use the files, put them in one of the following three locations:<\/p>\n<ul>\n<li>current directory<\/li>\n<li>~\/.config\/openstack<\/li>\n<li>\/etc\/openstack<\/li>\n<\/ul>\n<p>The file that is found first wins. What this means is that if you have a clouds.yaml file in the current directory and one in \/etc\/openstack, Terraform will use the one in the current directory.<\/p>\n<p>As this feature has only been added somewhat recently, please note that you have to update your OpenStack provider to at least <span class=\"lang:default decode:true crayon-inline \">v1.11.0<\/span> for clouds-public.yaml and secure.yaml to be found. However, clouds.yaml can also be used with earlier versions.<\/p>\n<p>The way these files work is by defining clouds that each have their own authentication options. 
To use a cloud defined in the files, define your OpenStack provider like this:<\/p>\n<pre class=\"lang:yaml decode:true\" title=\"Provider definition with cloud files\">provider \"openstack\" {\r\n\r\n    cloud = \"example\"\r\n\r\n}<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"clouds-publicyaml\"><\/span>clouds-public.yaml<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>This file should contain all information that is common across a number of users. Because clouds-public.yaml is meant to be, well,\u00a0<em>public<\/em>, you should not put any secrets into this file. As a result, it should be safe to check it into version control.<\/p>\n<p>You can put any information in here that you would normally define via environment variables. While the environment variables have an &#8222;OS_&#8220; prefix and are usually uppercase only, the variables in the cloud definitions are usually all lowercase and missing the prefix.<\/p>\n<p>The file has a format akin to this:<\/p>\n<pre class=\"lang:yaml decode:true\">clouds:\r\n\r\n     example:\r\n\r\n         auth:\r\n\r\n             auth_url: http:\/\/192.168.122.10:35357\/\r\n\r\n         region_name: RegionOne<\/pre>\n<p>Please note that the `profile` value in a clouds-public.yaml will not be used. If you want to set this value, you have to use a clouds.yaml or secure.yaml.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"cloudsyaml\"><\/span>clouds.yaml<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Unlike clouds-public.yaml, this file is not explicitly supposed to be shared publicly. 
The values defined in this file override all values in clouds-public.yaml.<\/p>\n<p>It is possible to define a clouds.yaml with only a cloud that references a profile with all values in it.<\/p>\n<p>A typical clouds.yaml file could look like this:<\/p>\n<pre class=\"lang:yaml decode:true\" title=\"clouds.yaml\">clouds:\r\n\r\n    example:\r\n\r\n        auth:\r\n\r\n            project_name: demo\r\n\r\n            user_domain_name: Default\r\n\r\n            project_domain_name: Default<\/pre>\n<p>&nbsp;<\/p>\n<p>If you have the above file and the clouds-public.yaml from the last section together, the resulting configuration when calling <span class=\"lang:default decode:true crayon-inline\">terraform apply<\/span> will be:<\/p>\n<pre class=\"lang:yaml decode:true \" title=\"merge between clouds-public.yaml and clouds.yaml\">clouds:\r\n\r\n    example:\r\n\r\n        auth:\r\n\r\n            auth_url: http:\/\/192.168.122.10:35357\/\r\n\r\n            project_name: demo\r\n\r\n            user_domain_name: Default\r\n\r\n            project_domain_name: Default\r\n\r\n        region_name: RegionOne<\/pre>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"secureyaml\"><\/span>secure.yaml<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>This is where your sensitive information such as passwords and usernames should be stored. Because of its sensitive nature, this file will ideally never be uploaded to version control. Values in this file will override all values in clouds.yaml as well as clouds-public.yaml. 
Furthermore it is possible to define a complete cloud in this file without defining it in clouds.yaml or clouds-public.yaml.<\/p>\n<p>Note that it is not possible to only define a cloud name in clouds.yaml and then fill in the rest in secure.yaml.<\/p>\n<p>A typical secure.yaml would look like this:<\/p>\n<pre class=\"lang:yaml decode:true \" title=\"secure.yaml\">clouds:\r\n\r\n    example:\r\n\r\n        auth:\r\n\r\n            username: simon\r\n\r\n            password: verysecret<\/pre>\n<p>&nbsp;<\/p>\n<p>This would then get merged with both other files into this final configuration:<\/p>\n<pre class=\"lang:yaml decode:true \" title=\"Final merged configuration\">clouds:\r\n\r\n    example:\r\n\r\n        auth:\r\n\r\n            auth_url: http:\/\/192.168.122.10:35357\/\r\n\r\n            project_name: demo\r\n\r\n            user_domain_name: Default\r\n\r\n            project_domain_name: Default\r\n\r\n            username: simon\r\n\r\n            password: verysecret\r\n\r\n        region_name: RegionOne<\/pre>\n<p>After adding your secrets in the yaml files, please do not forget to add secure.yaml to your .gitignore.<\/p>\n<p>To be even safer than that, it is advisable to not even store your secure.yaml in the same folder as your terraform code. Instead, store it in one of the other locations mentioned above. 
A good example file structure would look like this:<\/p>\n<pre class=\"lang:yaml decode:true \" title=\"Example file structure\">|---.config\r\n\r\n    |----openstack\r\n\r\n        |-secure.yaml\r\n\r\n        |-clouds.yaml\r\n\r\n|---development\r\n\r\n    |---your-tf-git-project\r\n\r\n        |-main.tf\r\n\r\n        |-clouds-public.yaml<\/pre>\n<p>&nbsp;<\/p>\n<p>In conclusion, there are multiple ways of cleverly managing your secrets with Terraform and OpenStack and I hope that I made your Terraform configuration a little bit easier.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Read-on\"><\/span>Read on<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>To get to know more about our cloud services please refer to <a href=\"https:\/\/www.inovex.de\/en\/our-services\/cloud\/\" target=\"_blank\" rel=\"noopener\">our portfolio<\/a>. You might also want to have a look at our current job listings if you&#8217;re looking to put your skills to good use.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Uploading secrets (i.e. passwords and usernames) to version control is an obviously terrible idea. Yet, there are almost 450,000 commits to github for the search term &#8222;remove password&#8220;. Fortunately, Terraform and its OpenStack provider offer us some pretty nifty ways of keeping our secrets to ourselves and still using comfortable authentication and configuration. 
There are [&hellip;]<\/p>\n","protected":false},"author":79,"featured_media":14545,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"ep_exclude_from_search":false,"footnotes":""},"tags":[66],"service":[414,432],"coauthors":[{"id":79,"display_name":"Simon Reinkemeier","user_nicename":"sreinkemeier"}],"class_list":["post-14479","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-devops","service-cloud","service-devops"],"acf":[]}