Securing Proxmox API Tokens for CodexMCP: To the ENV for Now

When automating infrastructure deployment, securing API credentials is critical. In CodexMCP, we need to authenticate against the Proxmox API to automate VM provisioning and management. However, hardcoding API tokens directly in Ansible playbooks or inventory files poses a serious security risk—especially as we prepare to push the project to a public repository.

To prevent accidental exposure, we decided to store the Proxmox API token in an environment variable and dynamically read it within Ansible. This ensures that:

  • The token never gets stored in version control.
  • It remains available to Ansible at run time without being written into any file the repository tracks.
  • Future credential rotations can be managed without modifying playbooks.

Why Use an Environment Variable?

There are several ways to handle sensitive credentials in Ansible, including Ansible Vault, .env files, and external secrets managers. We chose environment variables for now because:

  • Simplicity – No extra dependencies or encryption steps.
  • Portability – Works across different environments, including local development and CI/CD pipelines.
  • Flexibility – We can later transition to Ansible Vault or a more secure approach without rewriting major parts of our automation.

How We Stored the Proxmox Token in the Environment

Set the environment variable in the current shell. The single quotes matter: the token id contains a !, which an interactive bash would otherwise try to expand as a history reference.

export PROXMOX_API_TOKEN='root@pam!codexmcp=your-token-here'

Verify that it is set without printing the secret to the terminal, where it would also land in scrollback and in any CI log:

[ -n "$PROXMOX_API_TOKEN" ] && echo "PROXMOX_API_TOKEN is set"

If you do need to see the full value (for example to check that the ! and = survived quoting), run echo "$PROXMOX_API_TOKEN" on a local terminal only.

Persist it across sessions by adding it to ~/.bashrc:

echo 'export PROXMOX_API_TOKEN="root@pam!codexmcp=your-token-here"' >> ~/.bashrc
source ~/.bashrc

Two caveats come with persisting it. ~/.bashrc is itself a plaintext file, so the token is now on disk: keep the file readable only by you (chmod 600 ~/.bashrc) and make sure your dotfiles are not themselves committed to a repository. Both export commands above also go into ~/.bash_history; run them with a leading space if HISTCONTROL includes ignorespace, or delete the entries afterwards. And every process started from that shell inherits the variable, not just Ansible.

Reading the Proxmox Token in Ansible

Once the token is in an environment variable, the Ansible task that talks to Proxmox reads it with the env lookup instead of carrying a literal. Proxmox expects the header Authorization: PVEAPIToken=USER@REALM!TOKENID=UUID, and because the variable already holds the whole user@realm!tokenid=uuid string, it is substituted directly:

headers:
  Authorization: "PVEAPIToken={{ lookup('env', 'PROXMOX_API_TOKEN') }}"

Two things to keep in mind. Lookups run on the control node, so the variable must be set in the shell (or CI job) that runs ansible-playbook, not on the managed hosts. And the token still ends up in the task's module arguments: with -v, or when the request fails, Ansible prints them, header included, unless the task sets no_log: true. With that in place the playbook contains no credential, and Ansible reads the token from the environment each time it runs.

Debugging the Environment Variable in Ansible

To confirm that Ansible can successfully read the environment variable, we created a simple debug playbook:

Test Playbook (debug_env.yml)

- name: Test Environment Variable Retrieval
  hosts: localhost
  gather_facts: no
  tasks:
    - name: Show Proxmox API Token from Environment
      debug:
        msg: "Proxmox API Token: {{ lookup('env', 'PROXMOX_API_TOKEN') }}"

Run the Playbook

ansible-playbook debug_env.yml

Expected output:

TASK [Show Proxmox API Token from Environment] ****
ok: [localhost] => {
    "msg": "Proxmox API Token: root@pam!codexmcp=your-token-here"
}

This confirms that Ansible is correctly pulling the token from the environment. Bear in mind that this playbook does exactly what the rest of the setup tries to avoid: it prints the secret to stdout. Run it only on a local terminal, never in CI where the job log is retained, and remove it (or change the message to report only whether the value is non-empty) once the lookup is known to work.
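The debug playbook above proves the lookup works, but does so by echoing the secret. The following playbook is an added example, not part of CodexMCP or the original post: it checks the same thing without printing the token, then uses the header from the previous section for a read-only call to Proxmox's /api2/json/version endpoint, with no_log set on both tasks so the value never appears in Ansible's output. The hostname pve.example.internal and the variables proxmox_host, proxmox_port, proxmox_validate_certs and token_pattern are assumptions made for this example; the USER@REALM!TOKENID=UUID token format, the PVEAPIToken header and the /version endpoint are Proxmox's own.

```yaml
# check_proxmox_token.yml
# Added example, not CodexMCP's playbook: validate PROXMOX_API_TOKEN without
# printing it, then make one authenticated read-only call to Proxmox.
# Assumed: PROXMOX_API_TOKEN holds "user@realm!tokenid=uuid" and the
# hypothetical proxmox_host variable names the node, e.g.
#   ansible-playbook check_proxmox_token.yml -e proxmox_host=pve.lab.internal
- name: Validate the Proxmox API token from the environment and test it
  hosts: localhost
  gather_facts: no
  vars:
    proxmox_host: "pve.example.internal"   # assumed hostname; override with -e
    proxmox_port: 8006                      # Proxmox VE default API port
    # lookup('env') returns "" rather than failing when the variable is unset,
    # so the assert below has to catch the empty case explicitly.
    proxmox_api_token: "{{ lookup('env', 'PROXMOX_API_TOKEN') }}"
    # Proxmox token ids have the shape USER@REALM!TOKENID=UUID
    token_pattern: '^[^@!=\s]+@[^@!=\s]+![^@!=\s]+=[0-9a-fA-F-]{36}$'

  tasks:
    - name: Ensure the token is present and well-formed (value is never echoed)
      ansible.builtin.assert:
        that:
          - proxmox_api_token | length > 0
          - proxmox_api_token is match(token_pattern)
        fail_msg: "PROXMOX_API_TOKEN is unset or not in USER@REALM!TOKENID=UUID form"
        quiet: true
      no_log: true   # assert would otherwise print the evaluated conditions

    - name: Call the read-only /version endpoint with the token
      ansible.builtin.uri:
        url: "https://{{ proxmox_host }}:{{ proxmox_port }}/api2/json/version"
        method: GET
        headers:
          Authorization: "PVEAPIToken={{ proxmox_api_token }}"
        # Keep certificate validation on; a self-signed lab node can opt out
        # with -e proxmox_validate_certs=false, at the cost of exposing the
        # token to anyone who can intercept the connection.
        validate_certs: "{{ proxmox_validate_certs | default(true) }}"
        return_content: yes
        status_code: 200
      register: pve_version
      no_log: true   # keeps the Authorization header out of -vvv and CI logs

    - name: Report the Proxmox version (contains no secret, safe to print)
      ansible.builtin.debug:
        msg: "Authenticated to Proxmox VE {{ pve_version.json.data.version }}"
```

Because no_log also hides a failed task's details, a 401 from Proxmox shows only that the uri task failed. When that happens, confirm the token value in a local shell as described earlier rather than removing no_log inside a pipeline, where the header would be written to the job log.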

Future Security Enhancements

While environment variables work well for now, we plan to explore:

  • Ansible Vault – Encrypting API tokens for an extra layer of security.
  • Secrets Managers – Storing tokens in HashiCorp Vault or AWS Secrets Manager for production use.
  • Token Rotation and Scoping – Automating token renewal and minimizing long-lived credentials. Proxmox API tokens can be created with an expiry date and with privilege separation enabled, which gives the token its own ACL instead of the full rights of root@pam, so the CodexMCP token can be limited to what VM provisioning actually needs.

For now, this method allows us to move forward quickly without the risk of accidentally committing sensitive credentials to a repository.

Conclusion

Securing credentials is an essential step in any automation workflow. By storing the Proxmox API token in an environment variable and dynamically retrieving it in Ansible, we ensure:

  • Security – The token never touches version control.
  • Flexibility – We can swap security methods in the future.
  • Ease of use – No additional encryption or manual intervention needed.

With this in place, we can proceed with automating Proxmox VM deployments knowing the token will not land in the repository; the stronger controls listed above remain on the roadmap.

-Every Day is a New Adventure
--Bryan Vest