← All posts
How-To

Stop Hardcoding Device Passwords: A Secrets Vault for Network Automation

Your pipelines reference a secret name; the value never touches the repo.

NAPT Team7 min read
NAPT

Search any network team's git history and you'll usually find a TACACS password committed in 2019 that still works. Hardcoded credentials are the single most common automation security failure. A secrets vault fixes it by separating the reference to a secret from its value.

The problem with credentials in code

  • Anyone with repo read access has your enable password.
  • Rotation means a find-and-replace across dozens of files — so it never happens.
  • Logs and CI output leak the value the moment a script echoes a variable.

How vault injection works

Secrets live encrypted in the vault, scoped to a workspace. Your pipeline stage references a secret by name; at run time the value is injected into the execution environment and never written to disk or the run log.

yaml
# A stage references the secret by name, not value
- stage: script_runner
  script: bgp_community_deploy
  env:
    NET_USERNAME: ${{ secrets.EDGE_TACACS_USER }}
    NET_PASSWORD: ${{ secrets.EDGE_TACACS_PASS }}
Warning: Never print or echo an injected secret to confirm it loaded. The run log is part of your audit trail and a leaked secret there is just as exposed as one in git.

Rotation without a code change

Because pipelines reference secrets by name, rotating a credential is a single vault update — every pipeline picks up the new value on its next run, with zero code changes and zero redeploys. Scope secrets to the narrowest set of devices that need them so a single leak can't unlock the whole fleet.

#devops#secrets#security#vault

Was this helpful?

Generate scripts for the task covered in this post

Describe what you need and NAPT writes production-ready automation in Netmiko, NAPALM, or Nornir.

Open Script Generator →
New to NAPT? Start with the Setup Guide

Related posts