You are totally right: even if they stole the public keys, without the
private key nothing can be done, so I was effectively doing something quite
stupid :)
Best
On Monday, November 24, 2014 20:17:04 UTC, James Martin wrote:
>
> Ricard,
>
> You're mixing up public keys and private keys.
>
> - James
>
> On Monday, November 24, 2014 3:03:33 PM UTC-5, Ricard Clau wrote:
>>
>> Well, maybe I am doing something terribly stupid... these files will be
>> stored in bitbucket / github as part of the ansible infrastructure repo so
>> if someone got access to them they could use them to get access to our EC2
>> instances, right?
>>
>> Definitely not as terrible as a database password, but still
>> concerning security-wise unless I am missing something.
>>
>> And anyway, it was just an experiment; if vault only works for structured
>> data files, this is the explanation I was looking for.
>>
>> Cheers, James
>>
>> On Friday, November 21, 2014 18:51:04 UTC, James Martin wrote:
>>>
>>> ansible-vault only works for structured data files (yaml, json). Also,
>>> out of curiosity, why bother encrypting public keys?
>>>
>>> - James
>>>
>>> On Friday, November 21, 2014 8:52:03 AM UTC-5, Ricard Clau wrote:
>>>>
>>>> Hi everyone
>>>>
>>>> I was having a problem earlier today in a playbook using vault-encrypted
>>>> files.
>>>> I managed to refactor it to make it work, but anyway I wanted to get
>>>> your feedback in case this is my misunderstanding of how these features
>>>> work, or maybe there is some bug.
>>>>
>>>> So, I was trying to create a playbook that connects to all EC2
>>>> instances and adds some public keys to the generic ubuntu user.
>>>>
>>>> I started with a playbook looking like this:
>>>>
>>>> tasks:
>>>>   - name: Add authorized keys for super users
>>>>     authorized_key: user=ubuntu
>>>>                     key="{{ item }}"
>>>>     with_file:
>>>>       - public_keys/user1
>>>>       - public_keys/user2
>>>>
>>>>
>>>> Then I ran ansible-vault encrypt public_keys/* and when I re-ran
>>>> ansible-playbook providing the vault password, the files were not being
>>>> decrypted at runtime, so a key starting with $ANSIBLE_VAULT; was trying to
>>>> get added to the boxes and obviously the task was giving the error "msg:
>>>> invalid key specified:"
>>>>
>>>> I started refactoring the task using something like the following:
>>>>
>>>> a file called defaults/public_keys.yml with this content:
>>>>
>>>> user1: publickey_foruser1_inlongstring
>>>> user2: publickey_foruser2_inlongstring
>>>>
>>>> and refactored my playbook with:
>>>>
>>>> tasks:
>>>>   - include_vars: defaults/public_keys.yml
>>>>
>>>>   - name: Add authorized keys for super users
>>>>     authorized_key: user=ubuntu
>>>>                     key="{{ item }}"
>>>>     with_items:
>>>>       - "{{ user1 }}"
>>>>       - "{{ user2 }}"
>>>>
>>>> Then I ran ansible-vault encrypt on the new public_keys.yml file and
>>>> now it works flawlessly.
>>>>
>>>> I assume this is related to the way vault decrypt is executed at
>>>> runtime; I'm not sure whether this is the expected behaviour or maybe the
>>>> authorized_key task needs some internal refactor to accommodate the case
>>>> where the supplied files may be encrypted.
>>>>
>>>> I would really appreciate any comments on this, even though I managed to
>>>> work around it.
>>>>
>>>> Best
>>>>
>>>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/32f6560e-8e78-4c29-8111-b30d9b35e1de%40googlegroups.com.
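A small pre-flight check for the failure mode discussed in this thread, added here as an example (it is not Ansible's code and not the poster's): with_file hands authorized_key the raw file content, so a vault envelope (a first line starting with $ANSIBLE_VAULT;) is passed through verbatim and the task fails with "invalid key specified". The sample file contents, key material and vault payload below are constructed and not real.

```python
import re
from pathlib import Path

# Header of an ansible-vault envelope, e.g. "$ANSIBLE_VAULT;1.1;AES256"
# (format 1.2 appends a vault id as a fourth field; the regex tolerates it).
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;(?P<version>\d+\.\d+);(?P<cipher>[A-Z0-9]+)")
# One OpenSSH authorized_keys line: key type, base64 blob, optional comment.
PUBKEY_LINE = re.compile(
    r"^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( \S.*)?$"
)

def classify_key_file(text: str) -> str:
    """'vault' if the content is a vault envelope (with_file would pass it
    to authorized_key verbatim), 'pubkey' if it is a plain public key line,
    otherwise 'invalid'."""
    lines = text.strip().splitlines()
    first = lines[0].strip() if lines else ""
    if VAULT_HEADER.match(first):
        return "vault"
    if PUBKEY_LINE.match(first):
        return "pubkey"
    return "invalid"

def preflight(files: dict) -> list:
    """Return one problem string per file that would make the with_file
    version of the task fail; an empty list means the run is safe."""
    problems = []
    for path, content in files.items():
        kind = classify_key_file(content)
        if kind == "vault":
            problems.append(f"{path}: vault-encrypted; with_file reads it raw, "
                            "so move the key into a vars file loaded via include_vars")
        elif kind == "invalid":
            problems.append(f"{path}: not an OpenSSH public key line")
    return problems

def preflight_dir(directory: str) -> list:
    """Same check over every file in a real public_keys/ directory."""
    paths = sorted(p for p in Path(directory).iterdir() if p.is_file())
    return preflight({str(p): p.read_text() for p in paths})

# Constructed sample inputs (not real keys, not a real vault payload).
SAMPLE_FILES = {
    "public_keys/user1": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForDemo0000000000 user1@example\n",
    "public_keys/user2": "$ANSIBLE_VAULT;1.1;AES256\n3132333435363738393061626364656631323334\n",
    "public_keys/user3": "-----BEGIN OPENSSH PRIVATE KEY-----\n",  # wrong file entirely
}

if __name__ == "__main__":
    for problem in preflight(SAMPLE_FILES):
        print(problem)
```

Run it against the directory listed under with_file before ansible-playbook; the vault-encrypted file is the one the authorized_key task would reject.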