Platform secrets are service passwords, certificates and private keys which are stored in Transcrypt encrypted platform Git repository and thus are easy to audit.

To access Platform Secrets for existing deployment it is necessary to obtain transcrypt key, for more details about how to access existing environment please see Connecting to environment guide.


Platform secrets by default are located in $HOME/git/$OWNER/ansible-data-$ENV, for more details about platform client settings and how to change them please see Settings guide.

Repository directory structure

  • dashboards - monitoring dashboard template instantiation markers, if file for a particular user is present and matches new template, template is not uploaded to elasticsearch
  • git - temporary gitolite admin repository, not stored in Platform Secrets
  • inventory - ansible inventory directory with environment specific host inventory (by default includes AWS EC2 inventory)
  • ldap - LDAP user instantiation markers, if marker matches previous user LDAP definition, user is not added to LDAP
  • markers - plain markers for various facts, if file is present, action is assumed to be completed
  • passwords - service passwords for inter service communication
  • passwords/iam - AWS IAM user IDs and Keys, for example passwords/iam/, passwords/iam/AthenaNFTBootstrap.key, passwords/iam/, passwords/iam/AthenaDEVSES.key
  • passwords/rds - AWS RDS service and DB passwords, for example passwords/rds/athenadevdbpostgres94, passwords/rds/db/athenadevdbpostgres94/redmine
  • passwords/users - service user passwords, for example passwords/users/athena-dev-rundeck.ldap
  • ssh - service private/public SSH keys, for example ssh/rundeck-athena-dev, ssh/
  • ssl - service SSL keys and certificates, for example ssl/athena-dev-docker.agent.crt, ssl/athena-dev-docker.agent.key, ssl/
  • ssl/ca-* - WAF certificate authority merge directory in case if WAF has to trust multiple CAs, for example ssl/ca-athena-dev/athena-dev.crt, ssl/ca-athena-dev/groceries-dev.crt
  • ssl/crl-* - WAF certificate revocation list merge directory in case if WAF has to trust multiple CAs, for example ssl/crl-athena-dev/athena-dev.pem, ssl/crl-athena-dev/groceries-dev.pem