Stop Hardcoding Device Passwords: A Secrets Vault for Network Automation
Your pipelines reference a secret name; the value never touches the repo.
Search any network team's git history and you'll usually find a TACACS password committed in 2019 that still works. Hardcoded credentials are the single most common automation security failure. A secrets vault fixes it by separating the reference to a secret from its value.
The problem with credentials in code
- Anyone with repo read access has your enable password.
- Rotation means a find-and-replace across dozens of files — so it never happens.
- Logs and CI output leak the value the moment a script echoes a variable.
How vault injection works
Secrets live encrypted in the vault, scoped to a workspace. Your pipeline stage references a secret by name; at run time the value is injected into the execution environment and never written to disk or the run log.
# A stage references the secret by name, not value
- stage: script_runner
script: bgp_community_deploy
env:
NET_USERNAME: ${{ secrets.EDGE_TACACS_USER }}
NET_PASSWORD: ${{ secrets.EDGE_TACACS_PASS }}print or echo an injected secret to confirm it loaded. The run log is part of your audit trail and a leaked secret there is just as exposed as one in git.Rotation without a code change
Because pipelines reference secrets by name, rotating a credential is a single vault update — every pipeline picks up the new value on its next run, with zero code changes and zero redeploys. Scope secrets to the narrowest set of devices that need them so a single leak can't unlock the whole fleet.
Was this helpful?
Generate scripts for the task covered in this post
Describe what you need and NAPT writes production-ready automation in Netmiko, NAPALM, or Nornir.
Open Script Generator →Related posts
Compliance Without the Spreadsheet: Continuous Posture for Network Devices
The Compliance panel runs your hardening rule packs across the fleet, scores devices, and tracks drift so audits start with evidence, not promises.
Read →Inventory & IPAM: The Source of Truth Your Scripts Actually Trust
Upload a CSV, connect to NetBox, or generate an IP range — Inventory normalises every source into the same validated row shape for the platform.
Read →Runbooks: Living Documents That Run
Runbooks combine narrative, parameters, and executable scripts so on-call engineers stop choosing between reading the doc and fixing the problem.
Read →