ansible-vault only works for structured data files (yaml, json).  Also, out 
of curiosity, why bother encrypting public keys?

- James

On Friday, November 21, 2014 8:52:03 AM UTC-5, Ricard Clau wrote:
>
> Hi everyone
>
> I was having a problem earlier today in a playbook using vault-encrypted 
> files. 
> I managed to refactor it to make it work, but anyway I wanted to know your 
> feedback in case this is my misunderstanding of how these features work or 
> maybe there is some bug.
>
> So, I was trying to create a playbook that connects to all ec2 instances 
> and adds some public keys to the ubuntu generic user.
>
> I started with a playbook looking like this:
>
>   tasks:
>     - name: Add authorized keys for super users
>       authorized_key: user=ubuntu
>                       key="{{ item }}"
>       with_file:
>          - public_keys/user1
>          - public_keys/user2
>
>
> Then I ran ansible-vault encrypt public_keys/* and when I re-ran 
> ansible-playbook providing the vault password, the files were not being 
> decrypted at runtime, so a key starting with $ANSIBLE_VAULT; was trying to 
> get added to the boxes and obviously the task was giving an error "msg: 
> invalid key specified:".
>
> I started refactoring the task using something like:
>
> a file called defaults/public_keys.yml with this content:
>
> user1: publickey_foruser1_inlongstring
> user2: publickey_foruser2_inlongstring
>
> and refactored my playbook with:
>
>   tasks:
>     - include_vars: defaults/public_keys.yml
>
>     - name: Add authorized keys for super users
>       authorized_key: user=ubuntu
>                       key="{{ item }}"
>       with_items:
>         - "{{ user1 }}"
>         - "{{ user2 }}"
>
> Then I ran ansible-vault encrypt on the new public_keys.yml file, and now 
> it works flawlessly.
>
> I assume this is related to the way vault decrypt is executed at runtime, 
> and I am not sure if this would be the expected behaviour or maybe the 
> authorized_key task needs some internal refactor to accommodate this case 
> where the supplied files may be encrypted.
>
> I would really appreciate any comments on this, even if I managed to work 
> around it.
>
> Best
>
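
A pre-flight check for the failure described in this thread, as an added example that is not code from either poster or from the Ansible project: it classifies the content of each file listed under with_file as vault ciphertext, a well-formed OpenSSH public key, or neither, before anything is handed to authorized_key. The function names, the key type list and the sample inputs are assumptions made for illustration.

```python
import base64
import struct

VAULT_MAGIC = "$ANSIBLE_VAULT;"  # header prefix quoted in the thread
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def blob_key_type(b64):
    """Return the key type name embedded in an OpenSSH key blob, or None."""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])  # blob starts with a length-prefixed name
    name = blob[4:4 + n]
    return name.decode("ascii", "replace") if len(name) == n else None


def classify(text):
    """Classify file content as 'vault', 'pubkey' or 'invalid'."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
    if not lines:
        return "invalid"
    if lines[0].startswith(VAULT_MAGIC):
        return "vault"  # still ciphertext: must not reach authorized_key as-is
    for line in lines:
        fields = line.split()
        # The key type may follow an options field; its blob must name the same type.
        if not any(f in KEY_TYPES and blob_key_type(fields[i + 1]) == f
                   for i, f in enumerate(fields[:-1])):
            return "invalid"
    return "pubkey"


if __name__ == "__main__":
    # Constructed samples: an all-zero ed25519 blob and a made-up vault body.
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    key = "ssh-ed25519 " + base64.b64encode(blob).decode() + " user1@example"
    for name, text in {"public_keys/user1": key,
                       "public_keys/user2": "$ANSIBLE_VAULT;1.1;AES256\n6162\n"}.items():
        print(name, classify(text))
```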
