Hi everyone

I was having a problem earlier today in a playbook using vault-encrypted 
files. 
I managed to refactor it to make it work, but anyway I wanted to know your 
feedback in case this is my misunderstanding of how these features work or 
maybe there is some bug.

So, I was trying to create a playbook that connects to all ec2 instances 
and adds some public keys to the ubuntu generic user.

I started with a playbook looking like this:

  tasks:
    - name: Add authorized keys for super users
      authorized_key: user=ubuntu
                      key="{{ item }}"
      with_file:
         - public_keys/user1
         - public_keys/user2


Then I ran ansible-vault encrypt public_keys/* and when I re-ran 
ansible-playbook providing the vault password, the files were not being 
decrypted at runtime, so a key starting with $ANSIBLE_VAULT; was trying to get 
added to the boxes and obviously the task was giving an error "msg: invalid 
key specified:"

I started refactoring the task using something like:

a file called defaults/public_keys.yml with this content:

user1: publickey_foruser1_inlongstring
user2: publickey_foruser2_inlongstring

and refactored my playbook with:

  tasks:
    - include_vars: defaults/public_keys.yml

    - name: Add authorized keys for super users
      authorized_key: user=ubuntu
                      key="{{ item }}"
      with_items:
        - "{{ user1 }}"
        - "{{ user2 }}"

Then I ran ansible-vault encrypt on the new public_keys.yml file and now it 
works flawlessly.

I assume this is related to the way vault decrypt is executed at runtime 
and I am not sure if this would be the expected behaviour or maybe the 
authorized_key task needs some internal refactor to accommodate this case 
where the supplied files may be encrypted.

I would really appreciate any comments on this, even if I managed to work 
around it.

Best
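
A pre-flight check for the failure described in this post, added here as an example and not part of the original message: it flags key files that still carry the `$ANSIBLE_VAULT;` envelope, or are otherwise not OpenSSH public keys, before they reach `authorized_key`. The function names, the `public_keys/broken` entry and all sample file contents are constructed for illustration.

```python
import base64
import struct

VAULT_MAGIC = "$ANSIBLE_VAULT;"

def parse_vault_header(text):
    """Return (version, cipher, vault_id) for a vault envelope, else None."""
    lines = text.lstrip().splitlines()
    if not lines or not lines[0].startswith(VAULT_MAGIC):
        return None
    # 1.1: $ANSIBLE_VAULT;1.1;AES256   1.2 appends a vault id as a fourth field
    return tuple((lines[0].strip().split(";") + [None, None, None])[1:4])

def is_openssh_public_key(line):
    """Check 'type base64 [comment]' and that the blob names the same key type."""
    parts = line.strip().split()
    if len(parts) < 2:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(blob) < 4:
        return False
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n] == parts[0].encode()

def preflight(files):
    """Map each file name to 'ok', 'vault-encrypted' or 'invalid'."""
    report = {}
    for name, text in files.items():
        if parse_vault_header(text):
            report[name] = "vault-encrypted"  # ciphertext would be used as the key
        else:
            report[name] = "ok" if is_openssh_public_key(text) else "invalid"
    return report

def sample_key(key_type):
    # Constructed sample: correct wire framing, dummy key bytes, not a real key.
    t = key_type.encode()
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", 32) + bytes(32)
    return f"{key_type} {base64.b64encode(blob).decode()} user1@example"

SAMPLES = {  # constructed file contents, keyed by the paths used in the post
    "public_keys/user1": sample_key("ssh-ed25519"),
    "public_keys/user2": "$ANSIBLE_VAULT;1.1;AES256\n6162636465666768\n",
    "public_keys/broken": "not a key",  # hypothetical extra file
}

if __name__ == "__main__":
    for name, status in preflight(SAMPLES).items():
        print(f"{name}: {status}")
```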
