Well, maybe I am doing something terribly stupid... these files will be 
stored in bitbucket / github as part of the ansible infrastructure repo so 
if someone got access to them they could use them to get access to our EC2 
instances, right?

Definitely not as terrible as a database password but still 
concerning security-wise unless I am missing something

And anyway, it was just an experiment; if vault only works for structured 
data files, this is the explanation I was looking for. Cheers James

On Friday, 21 November 2014 18:51:04 UTC, James Martin wrote:
>
> ansible-vault only works for structured data files (yaml, json).  Also, 
> out of curiosity, why bother encrypting public keys?
>
> - James
>
> On Friday, November 21, 2014 8:52:03 AM UTC-5, Ricard Clau wrote:
>>
>> Hi everyone
>>
>> I was having a problem earlier today in a playbook using vault crypted 
>> files. 
>> I managed to refactor it to make it work but anyway I wanted to know your 
>> feedback in case this is my misunderstanding on how these features work or 
>> maybe there is some bug
>>
>> So, I was trying to create a playbook that connects to all ec2 instances 
>> and adds some public keys to the ubuntu generic user.
>>
>> I started with a playbook looking like this:
>>
>> # play header added so the snippet is a complete play; the post began at "tasks:"
>> - hosts: all
>>   tasks:
>>     - name: Add authorized keys for super users
>>       authorized_key: user=ubuntu
>>                       key="{{ item }}"
>>       with_file:
>>          - public_keys/user1
>>          - public_keys/user2
>>
>>
>> Then I ran ansible-vault encrypt public_keys/* and when I re-ran 
>> ansible-playbook providing the vault password the files were not being 
>> decrypted at runtime, so a key starting with $ANSIBLE_VAULT; was trying to get 
>> added to the boxes and obviously the task was giving an error "msg: 
>> invalid key specified:"
>>
>> I started refactoring the task using something like:
>>
>> a file called defaults/public_keys.yml with this content:
>>
>> user1: publickey_foruser1_inlongstring
>> user2: publickey_foruser2_inlongstring
>>
>> and refactored my playbook with:
>>
>> # play header added so the snippet is a complete play; the post began at "tasks:"
>> - hosts: all
>>   tasks:
>>     - include_vars: defaults/public_keys.yml
>>
>>     - name: Add authorized keys for super users
>>       authorized_key: user=ubuntu
>>                       key="{{ item }}"
>>       with_items:
>>         - "{{ user1 }}"
>>         - "{{ user2 }}"
>>
>> Then I ran ansible-vault encrypt on the new public_keys.yml file and now 
>> it works flawlessly
>>
>> I assume this is related to the way vault decrypt is executed at runtime 
>> and not sure if this would be the expected behaviour or maybe the 
>> authorized_key task needs some internal refactor to allocate this case 
>> where the supplied files may be crypted.
>>
>> I would really appreciate any comments on this, even if I managed to work 
>> around it
>>
>> Best
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/40687bdb-38c1-4896-b3a7-dbb651465901%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
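The pattern Ricard ended up with, written out as one complete play. This is an added example, not code from the thread or from the Ansible project; the inventory group "ec2", the vars file path vars/super_user_keys.yml and the variable name super_user_keys are assumptions. The vars file is loaded through vars_files, which Ansible parses as YAML and therefore decrypts, instead of through with_file, which in the thread handed the raw "$ANSIBLE_VAULT;" text to authorized_key. An assert task runs first so that a file which was not decrypted, or a malformed key, stops the play before anything is written to authorized_keys.

```yaml
# Added example (not from the thread). Assumes an inventory group "ec2" and a
# vault-encrypted vars file at vars/super_user_keys.yml (both hypothetical).
#
# Plain-text content of vars/super_user_keys.yml before running
#   ansible-vault encrypt vars/super_user_keys.yml
# (key strings are constructed placeholders, not real keys):
#   super_user_keys:
#     user1: "ssh-ed25519 AAAA...constructed... user1@example"
#     user2: "ssh-rsa AAAA...constructed... user2@example"
#
# Run with: ansible-playbook -i inventory add_keys.yml --ask-vault-pass
- hosts: ec2
  vars_files:
    # vars_files are parsed as YAML, so vault decrypts them when the play loads.
    # In the thread, a file read through with_file was not decrypted and its
    # "$ANSIBLE_VAULT;" header was passed to authorized_key as the key.
    - vars/super_user_keys.yml
  tasks:
    - name: Refuse to continue if any key is still vault ciphertext or malformed
      assert:
        that:
          - "not item.value.startswith('$ANSIBLE_VAULT;')"
          - "item.value.split()[0] in ['ssh-ed25519', 'ssh-rsa', 'ecdsa-sha2-nistp256']"
      with_dict: "{{ super_user_keys }}"

    - name: Add authorized keys for super users
      authorized_key:
        user: ubuntu
        key: "{{ item.value }}"
      with_dict: "{{ super_user_keys }}"
```

Keeping the keys in a dict rather than one variable per user means adding or removing a user only touches the vars file, and the assert task turns the "invalid key specified" failure from the thread into an explicit check that names the offending entry. Vault covers confidentiality of the file; what the repository still needs for public keys is the usual review of changes, since anyone who can commit to the vars file can add a key.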
