Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is it possible to use Ansible authorized_key exclusive with multiple keys?

I'm fairly new in using Ansible and have been reading here and google and haven't found an answer yet.

My scenario is that I have 1 user on a server but 2-3 different pub keys that need to put in it's authorized_keys file.

I can successfully remove all keys, or add all keys with this script:

---
  - hosts: all

 tasks:
  - name: update SSH keys
    authorized_key:
     user: <user>
     key: "{{ lookup('file', item) }}"
     state: present
     #exclusive: yes
    with_fileglob:
      - ../files/pub_keys/*.pub

With the present flag it reads and adds all the keys. With the absent flag it removes all keys listed.

Problem is that I have an old key that is only on the server and I want to remove/overwrite it and for future deployments overwrite any unauthorized keys that might be on the server and not in my playbook.

With the exclusive flag it only takes the last key and adds it. This would be fantastic if it would loop and recusively add all the keys. If there is a way to do this in Ansible I have not found it.

Is there any way to loop over pub files and use the exclusive option at the same time?

like image 805
Valien Avatar asked Aug 10 '16 16:08

Valien


3 Answers

Is there any way to loop over pub files and use the exclusive option at the same time?

No. There is a note about loops and exclusive in the docs:

exclusive: Whether to remove all other non-specified keys from the authorized_keys file. Multiple keys can be specified in a single key string value by separating them by newlines. This option is not loop aware, so if you use with_ , it will be exclusive per iteration of the loop, if you want multiple keys in the file you need to pass them all to key in a single batch as mentioned above.

So you need to join all your keys and send all them at once.
Something like this:

- name: update SSH keys
  authorized_key:
    user: <user>
    key: "{{ lookup('pipe','cat ../files/pub_keys/*.pub') }}"
    state: present
    exclusive: yes

Check this code before running in production!

like image 78
Konstantin Suvorov Avatar answered Oct 08 '22 17:10

Konstantin Suvorov


If you want to avoid the pipe lookup (e.g., because the path is not relative to the role), you can also use a combination of file and fileglob lookups:

- name: update SSH keys
  authorized_key:
    user: <user>
    key:  "{% for key in lookup('fileglob', 'pub_keys/*.pub').split(',') %}{{ lookup('file', key) ~ '\n'}}{% endfor %}"
    state: present
    exclusive: yes
like image 36
morxa Avatar answered Oct 08 '22 16:10

morxa


If your keep your users inside a variable you might use this:

---

- hosts: all
  vars_files:
    - roles/users/vars/main.yml
  tasks:
    - name: Allow other users to login to the account
      authorized_key:
        user: user_name
        exclusive: yes
        key: "{{ developers|map(attribute='publish_ssh_key')|join('\n') }}"

The roles/users/vars/main.yml looks like this:

---

developers:
  - name: user1
    publish_ssh_key: ssh-rsa AAAA...
  - name: user2
    publish_ssh_key: ssh-rsa AAAA...
like image 5
czerasz Avatar answered Oct 08 '22 15:10

czerasz