Menu
We have an ansible server setup with our ansible code stored in a git repos. All the servers configured by ansible currently use the SSH key from our control server for access. However I'd like to include the key in the ansible git repos instead (encrypted in the vault). I'd like to do this as:
1) If our ansible server ever got compromised/had a unrecoverable hard drive failure/some other failure, we wouldn't have to generate a new ssh key and copy it to each ansible server before we could run ansible tasks again
2) It feels like it should be in the repos, as it's part of the setup/config to access the servers
3) We have other data stored in the vault and having to enter one password for the vault, and another for a SSH passphrase is a pain
We looked at coding a custom task to do this by creating a temporary file on disk, but it kind of feels like it should be something built in. Also I like the way the built in decryption only holds files in ram. The other issue was we couldn't find a method that would guaranteed to be run in the case of a failure, and so clean up the temporary file we created (kind of like an ensure block in programming)
Is there a safe way to use a vaulted ssh key? Or failing that just a way to ask for the ssh passphrase upfront?
262
Ansible Vault can encrypt any structured data file used by Ansible. This can include “group_vars/” or “host_vars/” inventory variables, variables loaded by “include_vars” or “vars_files”, or variable files passed on the ansible-playbook command line with -e @file. yml or -e @file. json .
You can use the ansible-vault encrypt_string command for this. You'll be prompted to insert and then confirm the vault password. You can then start inserting the string value that you wish to encrypt. Press ctrl-d to end input.
To run a playbook containing an encrypted string, use the ansible-playbook command, adding the --ask-vault-pass option. In this example, you can ignore the warnings about valid hosts, because you're just testing an example playbook: $ ansible-playbook --ask-vault-pass ssh-config.
Storing the Password in a File Be careful with that file, and make sure that if it lives inside the project, it never gets into source control. To tell Ansible where to find this password file, include it in the command, like so: ansible-playbook site. yml --vault-password-file ~/.
Ideally, each user should have their own private key which they use from the control server to access the deployment account. This way you can revoke someone's access much easier if they leave or no longer need access to run against servers. This also allows you to control which servers they run against.
To avoid being prompted for the SSH password every time use ssh-agent which caches the credentials in memory and avoids the prompt. I use this startup script in my setup and it works well.
It's not good security practice to commit your credentials to your source code repository (although I've done it too). Backing up your user's home directories on the ansible server protects the private keys from hard drive failure.
145
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
