Ansible: can I use a ssh key encrypted in the vault?

Tags:

ansible

We have an Ansible server set up with our Ansible code stored in a git repo. All the servers configured by Ansible currently use the SSH key from our control server for access. However, I'd like to include the key in the Ansible git repo instead (encrypted in the vault). I'd like to do this because:

1) If our Ansible server ever got compromised/had an unrecoverable hard drive failure/some other failure, we wouldn't have to generate a new SSH key and copy it to each Ansible-managed server before we could run Ansible tasks again.

2) It feels like it should be in the repo, as it's part of the setup/config to access the servers.

3) We have other data stored in the vault, and having to enter one password for the vault and another for an SSH passphrase is a pain.

We looked at coding a custom task to do this by creating a temporary file on disk, but it kind of feels like it should be something built in. Also, I like the way the built-in decryption only holds files in RAM. The other issue was we couldn't find a method that would be guaranteed to run in the case of a failure, and so clean up the temporary file we created (kind of like an ensure block in programming).

Is there a safe way to use a vaulted SSH key? Or, failing that, just a way to ask for the SSH passphrase upfront?

Georgio_1999 asked Jan 24 '16 19:01
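The "guaranteed cleanup" the question is looking for exists in Ansible 2.0 and later as a `block:` with an `always:` section, which runs whether or not the tasks inside the block fail. The playbook below is an added example, not code from the question or the answer: it keeps the private key vault-encrypted in the repo, writes it to the control node with owner-only permissions for the duration of the play, points the SSH connection at it, and removes it in `always:`. The variable name `deploy_private_key`, the group `webservers` and the vault file `group_vars/all/vault.yml` are assumptions for the example; the key is expected there as a multi-line string holding the PEM text.

```yaml
# Added example: use an SSH key that lives vault-encrypted in the repo.
# Assumes group_vars/all/vault.yml (encrypted with ansible-vault) defines
# `deploy_private_key` as the PEM text of the key. Requires Ansible >= 2.0
# for block/always.
- hosts: webservers
  gather_facts: no             # no connection may be attempted before the key exists
  vars:
    deploy_key_dir: "{{ lookup('env', 'HOME') }}/.ansible/deploy_key"
    deploy_key_path: "{{ deploy_key_dir }}/id_deploy"
  tasks:
    - block:
        - name: Create an owner-only directory for the key on the control node
          file:
            path: "{{ deploy_key_dir }}"
            state: directory
            mode: '0700'
          delegate_to: localhost
          run_once: true

        - name: Write the decrypted key to disk, readable by the owner only
          copy:
            content: "{{ deploy_private_key }}"
            dest: "{{ deploy_key_path }}"
            mode: '0600'
          delegate_to: localhost
          run_once: true
          no_log: true           # keep key material out of the task output and logs

        - name: Point the SSH connection for every host at the materialised key
          set_fact:
            ansible_ssh_private_key_file: "{{ deploy_key_path }}"

        - name: First contact with the managed hosts now uses the vaulted key
          setup:

        - name: Placeholder for the real work of the play
          ping:

      always:
        - name: Remove the key file even if a task above failed
          file:
            path: "{{ deploy_key_path }}"
            state: absent
          delegate_to: localhost
          run_once: true
```

Run it with `ansible-playbook --ask-vault-pass site.yml` (or `--vault-password-file`), so the single vault password is the only secret prompted for. `no_log` matters here because `copy` would otherwise echo the key in verbose output. If you would rather keep the decrypted key out of the filesystem entirely, `ansible-vault view keys/deploy_key | ssh-add -` loads it straight into a running `ssh-agent`, which combines the vault with the agent-based workflow the answer below recommends.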




1 Answer

Ideally, each user should have their own private key, which they use from the control server to access the deployment account. This way you can revoke someone's access much more easily if they leave or no longer need access to run against servers. This also allows you to control which servers they run against.

To avoid being prompted for the SSH password every time, use ssh-agent, which caches the credentials in memory and avoids the prompt. I use this startup script in my setup and it works well.

It's not good security practice to commit your credentials to your source code repository (although I've done it too). Backing up your users' home directories on the Ansible server protects the private keys from hard drive failure.

Dave Snigier answered Sep 18 '22 13:09