Ricard,

You're mixing up public keys and private keys.  

- James

On Monday, November 24, 2014 3:03:33 PM UTC-5, Ricard Clau wrote:
>
> Well, maybe I am doing something terribly stupid... these files will be 
> stored in bitbucket / github as part of the ansible infrastructure repo so 
> if someone got access to them they could use them to get access to our EC2 
> instances, right?
>
> Definitely not as terrible as a database password but still 
> concerning security-wise unless I am missing something
>
> And anyway, it was just an experiment, if vault only works for structured 
> data files this is the explanation I was looking for, Cheers James
>
> On Friday, November 21, 2014 18:51:04 UTC, James Martin wrote:
>>
>> ansible-vault only works for structured data files (yaml, json).  Also, 
>> out of curiosity, why bother encrypting public keys?
>>
>> - James
>>
>> On Friday, November 21, 2014 8:52:03 AM UTC-5, Ricard Clau wrote:
>>>
>>> Hi everyone
>>>
>>> I was having a problem earlier today in a playbook using vault crypted 
>>> files. 
>>> I managed to refactor it to make it work but anyway I wanted to know 
>>> your feedback in case this is my misunderstanding on how these features 
>>> work or maybe there is some bug
>>>
>>> So, I was trying to create a playbook that connects to all ec2 instances 
>>> and adds some public keys to the ubuntu generic user.
>>>
>>> I started with a playbook looking like this:
>>>
>>>   tasks:
>>>     - name: Add authorized keys for super users
>>>       authorized_key: user=ubuntu
>>>                       key="{{ item }}"
>>>       with_file:
>>>          - public_keys/user1
>>>          - public_keys/user2
>>>
>>>
>>> Then I ran ansible-vault encrypt public_keys/* and when I re-run 
>>> ansible-playbook providing the vault password the files were not being 
>>> decrypted at runtime, so a key starting $ANSIBLE_VAULT; was trying to get 
>>> added to the boxes and obviously the task was giving an error "msg: 
>>> invalid key specified:"
>>>
>>> I started refactoring the task using something like:
>>>
>>> a file called defaults/public_keys.yml with this content:
>>>
>>> user1: publickey_foruser1_inlongstring
>>> user2: publickey_foruser2_inlongstring
>>>
>>> and refactored my playbook with:
>>>
>>>   tasks:
>>>     - include_vars: defaults/public_keys.yml
>>>
>>>     - name: Add authorized keys for super users
>>>       authorized_key: user=ubuntu
>>>                       key="{{ item }}"
>>>       with_items:
>>>         - "{{ user1 }}"
>>>         - "{{ user2 }}"
>>>
>>> Then I run ansible-vault encrypt to the new public_keys.yml file and now 
>>> it works flawlessly
>>>
>>> I assume this is related to the way vault decrypt is executed at runtime 
>>> and not sure if this would be the expected behaviour or maybe the 
>>> authorized_key task needs some internal refactor to allocate this case 
>>> where the supplied files may be crypted.
>>>
>>> I would really appreciate any comments on this, even if I managed to 
>>> work around it
>>>
>>> Best
>>>
>>
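
Added example, not part of the original thread or Ansible's own code: a Python check that tells apart the three kinds of content at issue above (an OpenSSH public key line, private key material, and a vault-encrypted file recognised by its `$ANSIBLE_VAULT;` header). The function names and sample inputs are assumptions constructed for illustration, and key lines are assumed to carry no leading options field.

```python
import base64
import binascii
import struct

VAULT_HEADER = "$ANSIBLE_VAULT;"  # prefix seen in the thread's failing key value


def is_public_key_line(line):
    """True for 'type base64 [comment]' whose blob names the same key type."""
    fields = line.split()
    if len(fields) < 2:
        return False
    key_type, blob_b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(blob) < 4:
        return False
    (name_len,) = struct.unpack(">I", blob[:4])  # SSH wire format: length-prefixed name
    return blob[4:4 + name_len] == key_type.encode()


def classify_key_text(text):
    """Return 'vault', 'private', 'public' or 'unknown' for one file's content."""
    body = text.strip()
    if body.startswith(VAULT_HEADER):
        return "vault"      # with_file would hand this ciphertext to authorized_key
    if "-----BEGIN" in body and "PRIVATE KEY-----" in body:
        return "private"    # grants access; must not sit in the repo in clear
    lines = [ln for ln in body.splitlines() if ln.strip()]
    if lines and all(is_public_key_line(ln) for ln in lines):
        return "public"     # only lets the holder of the matching private key log in
    return "unknown"


def constructed_public_line(key_type="ssh-ed25519", comment="user1@example"):
    """Build a structurally valid sample line (all-zero key bytes, not a real key)."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode()
    blob += struct.pack(">I", 32) + bytes(32)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    # Constructed inputs: one public key line, one vault-encrypted file body.
    for text in (constructed_public_line(), "$ANSIBLE_VAULT;1.1;AES256\n36316265"):
        print(classify_key_text(text))
```

Run over the files in a key directory before committing, anything classified `private` is the material that needs protecting, while `vault` flags a file that a `with_file` lookup would pass on undecrypted, as described in the first message.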

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/6c5c3521-ec07-4577-861c-1503708d2352%40googlegroups.com.