When comparing Amazon Key Management Service vs Ansible Vault, the Slant community recommends Ansible Vault for most people. In the question "What are the best shared secret managers?" Ansible Vault is ranked 1st while Amazon Key Management Service is ranked 10th. The most important reason people chose Ansible Vault is:
The official documentation of Ansible vault does a great job at explaining how Ansible Vault works and how to use the easy UI for encrypting, decrypting, and re-keying your secrets for storing in source control.
Pros
Pro Extremely secure
Amazon has used a lot of techniques to harden the process of storing and securing keys in its service. For example, keys are not stored on disk, nor are they allowed to persist in memory.
Amazon employees cannot physically access a user's secret keys, and the keys themselves are stored in the same geographical region as the application they belong to.
Pro Easy to use from a single dashboard
AWS Key Management Service offers a single unified dashboard that teams can use to manage and store the secrets used by applications hosted on AWS services. In the dashboard users can create keys, retrieve them, and audit key usage through the detailed information offered to them.
Pro The documentation does a good job on explaining how to use it
The official documentation of Ansible vault does a great job at explaining how Ansible Vault works and how to use the easy UI for encrypting, decrypting, and re-keying your secrets for storing in source control.
Pro Allows keeping encrypted data in ansible playbooks easily
Ansible uses configuration files called playbooks, which describe a policy that the remote system needs to follow. There is often a need, however, to keep data from these configuration files encrypted when using source control.
Doing this with Ansible Vault is pretty easy; simply running:
ansible-playbook site.yml --ask-vault-pass
will run a playbook which uses encrypted data.
Cons
Con Does not generate certificates
KMS does not generate certificates; to generate them you have to roll your own solution.
Con No way of exposing just the key in the key-value pair
Ansible Vault files are encrypted YAML key-value stores. The entire file is encrypted, so it is impossible to indicate which keys are defined within the vault without also viewing the values.
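As an added example that is not part of the Slant page nor of Ansible itself: the pro above describes keeping vault data encrypted in source control, and the con notes that a vault file is encrypted as a whole. Because an encrypted file starts with a recognisable header, a repository can refuse to commit a secrets file that is still plaintext. The script below assumes POSIX sh, constructs its own sample files (the hex payload is a placeholder, not real ciphertext), and matches the header strings ansible-vault writes (format 1.1, or 1.2 when a vault-id label is used); it does not need Ansible installed to run.

```shell
#!/bin/sh
# Added example (not from the page): a pre-commit style check that refuses to
# let an Ansible vault file reach source control unless it is actually encrypted.
# ansible-vault writes encrypted files whose first line looks like
#   $ANSIBLE_VAULT;1.1;AES256           (or  $ANSIBLE_VAULT;1.2;AES256;label)
# so a plaintext secrets file is easy to spot before it is committed.

# Return 0 if the file at $1 carries an Ansible Vault header, 1 otherwise.
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# Check every path given; print a verdict per file and return 1 if any is plaintext.
check_vault_files() {
    rc=0
    for f in "$@"; do
        if is_vault_encrypted "$f"; then
            echo "ok:        $f"
        else
            echo "PLAINTEXT: $f (encrypt it with: ansible-vault encrypt $f)"
            rc=1
        fi
    done
    return $rc
}

# --- constructed sample input so the script runs offline -----------------------
# The payload lines are placeholders, not ciphertext produced by ansible-vault.
tmp=$(mktemp -d)
printf '$ANSIBLE_VAULT;1.1;AES256\n3031323334353637\n' > "$tmp/encrypted.yml"
printf '$ANSIBLE_VAULT;1.2;AES256;prod\n3031323334353637\n' > "$tmp/labelled.yml"
printf 'db_password: hunter2\n' > "$tmp/plain.yml"

# A git pre-commit hook would run this over the staged vault files and abort on
# non-zero status; here the plaintext file makes the check fail as intended.
check_vault_files "$tmp/encrypted.yml" "$tmp/labelled.yml" "$tmp/plain.yml" \
    || echo "refusing commit: unencrypted vault file present"
```

The check only inspects the header, which is exactly what the con above implies: it can tell you that a file is encrypted, but not which keys it defines.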