It seems better to password protect the key itself IMHO.

That way it's still secure even outside of vault, and you can just use the
file lookup to pass to the authorized key module.

You can also then use the more obvious "copy" module to move the files
around.





On Fri, Jul 25, 2014 at 11:12 AM, Ben Stokes <[email protected]> wrote:

> I'm trying to store ssh private keys in variables in a vault-protected
> file, and I'm having problems. The issue is with the variables spanning
> many lines, when they are injected during the playbook run, on the
> destination server they end up in a mangled format or the playbook crashes
> out. So for example, in my vars file (this is a key I just generated and
> deleted to demo it here):
>
> id_dsa: "-----BEGIN DSA PRIVATE KEY-----
> MIIBuwIBAAKBgQC4ZqbQspFVSqjJmLbyve+5/NG0oGLa6GMd3pctilZkUcyld/k+
> j07TROjQLsSbDiweUa5HKBVSTuoHSLAq7V8vr3DSV2T/bX325STgo/0vkIJeZmcr
> 1eZiBQyPRMtbVORxbfBI94ofL52C381eRxNhNgr27FUxJPaP0AelmrNtHwIVAI4R
> MwoEbRbqBFzwC1lPvV4XrkU3AoGANSGsM0gWzFDUL3o3KpKbGehfAXdKDjGms3FN
> r9itrMVy1klErQ9GHOeyGRD+Pkr4LDP7CUELpR58/Yv9358tkkffSpHqstuvgX1k\n
> I12214Wk/VqjOBaQhZDa6FwM3wrPAztGAZChvj5BdRQDqh77x9ljBWE8psfZ+TRe
> SBvMQ7cCgYAOUWMQdc3RYc/+HuKf8d0ke5ecFXSnpkrNt0spJdviMl0ui8n6aPOy
> rP/5FGpzR8to8/xGnpD6RdEFuSTABDHR85Y9pLmts1Zf1ctGMcxXiPsjunHfX/GI
> fc6sVh556dgAf7a33aEPjqw7Ll+q9rTq6OFSgL14B1y8Gs2EbyjH6AIVAIQndtm5
> YhlFBaJk02PRX3zKorL6
> -----END DSA PRIVATE KEY-----"
>
> in my playbook:
>
> - name: push out ssh private keys
>   shell: 'echo -e "{{ item.value }}" > /home/hcom/.ssh/{{ item.name }}'
>   with_items:
>    - { name: "id_dsa", value: "{{ id_dsa }}" }
>    - { name: "id_rsa", value: "{{ id_rsa }}" }
>
> I've tried adding \n on the end of each line in my key, I've also tried
> all on one line with \n separators.
>
> I'm getting this error:
>
> fatal: [127.0.0.1] => A variable inserted a new parameter into the module
> args. Be sure to quote variables if they contain equal signs (for example:
> "{{var}}").
>
> Any pointers would be cheerfully accepted. I'm interested to hear how
> others have tackled this issue.
>
> Thanks
> Ben
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/50513536-19a8-410a-ac63-e866a0601d82%40googlegroups.com
> <https://groups.google.com/d/msgid/ansible-project/50513536-19a8-410a-ac63-e866a0601d82%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>

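An added example, not part of the original thread: one way to keep a multi-line key intact in a vault-encrypted vars file and write it out with the copy module instead of a shell echo. The file names, the hcom owner (inferred from the path in the question) and the key body placeholder are assumptions.

```yaml
# vault_keys.yml (hypothetical file name; encrypt it with: ansible-vault encrypt vault_keys.yml)
# The literal block scalar "|" preserves every newline of the PEM body.
# A double-quoted scalar that spans several lines folds its line breaks
# into spaces, which is what mangles the key on the destination host.
---
id_dsa: |
  -----BEGIN DSA PRIVATE KEY-----
  <PLACEHOLDER: base64 key body, one row per line, indented two spaces>
  -----END DSA PRIVATE KEY-----
---
# deploy_keys.yml (hypothetical playbook name)
- hosts: all
  vars_files:
    - vault_keys.yml
  tasks:
    - name: push out ssh private keys
      # copy writes the value verbatim; nothing is re-parsed by a shell or
      # by the module-argument parser, so newlines and "=" signs are safe.
      copy:
        content: "{{ item.value }}"
        dest: "/home/hcom/.ssh/{{ item.name }}"
        owner: hcom          # assumption: key belongs to the hcom user
        mode: "0600"         # private keys must not be group/world readable
      no_log: true           # keep the key material out of task output and logs
      with_items:
        - { name: "id_dsa", value: "{{ id_dsa }}" }

    - name: alternative from the reply, ship a passphrase-protected key file
      copy:
        src: files/id_rsa    # hypothetical path to an already encrypted key
        dest: /home/hcom/.ssh/id_rsa
        owner: hcom
        mode: "0600"
```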