OK, finally got it working. Thanks, all, for your help.
---
# tasks file for createuser
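# Load every vars file under the role's vars/ directory (username, shell,
# group1/group2, authorized_key path). FQCN used to match the other tasks.
- name: Load role variables
  ansible.builtin.include_vars:
    dir: vars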
#- name: copy id_rsa.pub to tmp for reading
#ansible.builtin.shell:
# cmd: "{{ command2 }}"
#register: shell_output
#become: true
#delegate_to: localhost
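# Read the public key on the controller with privilege escalation. A
# lookup('file', ...) runs locally without become and so cannot read a
# root-owned ~/.ssh; slurp + delegate_to: localhost + become can.
# NOTE(review): `authorized_key` must point at the *.pub* file — the decoded
# content is later installed into authorized_keys on every target host, so a
# private-key path here would copy the private key to all nodes.
- name: Read the rke public key from the controller
  ansible.builtin.slurp:
    path: "{{ authorized_key }}"
  become: true
  delegate_to: localhost
  register: rke_pub_key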
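# Create the rke user with a home directory and a fresh SSH key pair.
# Booleans written as true/false (yamllint truthy); groups as a block list.
# NOTE(review): if group1/group2 includes 'wheel', this user gets the
# passwordless sudo configured below — confirm that is intended.
- name: Create user rke
  ansible.builtin.user:
    name: '{{ username }}'
    shell: '{{ shell }}'
    create_home: true
    generate_ssh_key: true
    ssh_key_file: .ssh/id_rsa  # relative to the user's home
    groups:
      - "{{ group1 }}"
      - "{{ group2 }}"
    append: true  # add to groups without removing existing memberships
  become: true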
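# Ensure the 'wheel' group exists before the sudoers rule below refers to it.
# NOTE(review): no `become` on this task; it presumably relies on play-level
# become (creating a system group needs root) — confirm.
- name: Make sure we have a 'wheel' group
  ansible.builtin.group:
    name: wheel
    state: present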
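# Grant every member of 'wheel' unrestricted, passwordless root via sudo.
# This is a deliberate broad grant; `validate` runs visudo on the temp copy
# so a malformed line can never be written to the live sudoers file.
# `path` is the canonical parameter name (`dest` is an alias).
# NOTE(review): no `become` on this task; /etc/sudoers is root-only, so this
# presumably relies on play-level become — confirm.
- name: Allow 'wheel' group to have passwordless sudo
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    state: present
    regexp: '^%wheel'
    line: '%wheel ALL=(ALL) NOPASSWD: ALL'
    validate: 'visudo -cf %s'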
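# Install the controller's rke public key into the user's authorized_keys.
# slurp returns base64, so the content must be decoded before use; passing
# the whole registered dict (or the undecoded string) yields "invalid key".
# `validate_certs` was dropped: it only applies when `key` is a URL, and
# leaving `validate_certs: false` around is a footgun if `key` ever becomes
# one.
- name: Setup authkeys for user rke
  ansible.posix.authorized_key:
    user: '{{ username }}'
    state: present
    key: "{{ rke_pub_key['content'] | b64decode }}"
  become: true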
On Fri, Jul 22, 2022 at 3:02 PM Tony Wong <[email protected]> wrote:
> OK, now getting a different error
>
>
>
> ASK [rancherpocreplay : Setup authkeys for user rke]
> ************************************************************************************************************************
> [WARNING]: The value {'content':
> 'c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCZ1FERjhsU2I2d01VZzNBaWwrd1I5ajZGTFViMzE1eWp4WkpFY0huQkV6a0lwNG5rZ2RqbVpiWHFUb3FwN0hGMkdydUI
>
> 0RnRzNldJMjFXQVhtSGFKekkyUXlJdHhPdjJ4R1VoVnFlTUM3MkIxZUJVaHNDNHlOZXh4VTZLN200MXVFTVJxVEFVR2wweFZZdWVrYk00S0dXWlpSMXhMWVFXcElWN1dPY2hYbklDcnl6TDNIYkdvL01weGxGTWxBVmdQcGp4dWVt
>
> VVNycnQ3c1VpanVBK09aTGNScTlzOVg5aHZkeGZ0YUdPNEhndlFvWmV0cEgvTnFySitZUENKMjRzSC9BM0hRcEhsYVhVemdYa2QzbUpIdzdBOFBzcExESjBmbHN6L2hqbWhnQmF6OWN1SmZaQUp1eWxsbUk3NXpRekFRRklFYUtMT
>
> 2RVRW5XQWR3a2F3N1FnWXZGbmZwODk3SVowYitXWlR5WmdZYzgvY295Vi8wb293L3VOMHB6bTl3L1k4VnlUWURxdk5ZSGJnem0rOFJTRmRKc25qOTdYU05OY3hWZXA4N2QwY2d2Tk5ERWU5dXVmdkl6eVBOZmh3Y2dvYlhTampzU3
> g0b0tGc216eWlaWGFJVnZaYmRzYzk3Z3J5ZytWUXBmemYyRkhuanBrTExsYlMwclhhc3FQbmJCL2s9IGFuc2libGUtZ2VuZXJhdGVkIG9uIGs4Z3VpCg==',
> 'source': '/home/rke/.ssh/id_rsa.pub', 'changed':
> False, 'encoding': 'base64', 'failed': False} (type dict) in a string
> field was converted to u"{'content':
> 'c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCZ1FERjhsU2I2d01VZ
>
> zNBaWwrd1I5ajZGTFViMzE1eWp4WkpFY0huQkV6a0lwNG5rZ2RqbVpiWHFUb3FwN0hGMkdydUI0RnRzNldJMjFXQVhtSGFKekkyUXlJdHhPdjJ4R1VoVnFlTUM3MkIxZUJVaHNDNHlOZXh4VTZLN200MXVFTVJxVEFVR2wweFZZdW
>
> VrYk00S0dXWlpSMXhMWVFXcElWN1dPY2hYbklDcnl6TDNIYkdvL01weGxGTWxBVmdQcGp4dWVtVVNycnQ3c1VpanVBK09aTGNScTlzOVg5aHZkeGZ0YUdPNEhndlFvWmV0cEgvTnFySitZUENKMjRzSC9BM0hRcEhsYVhVemdYa2Q
>
> zbUpIdzdBOFBzcExESjBmbHN6L2hqbWhnQmF6OWN1SmZaQUp1eWxsbUk3NXpRekFRRklFYUtMT2RVRW5XQWR3a2F3N1FnWXZGbmZwODk3SVowYitXWlR5WmdZYzgvY295Vi8wb293L3VOMHB6bTl3L1k4VnlUWURxdk5ZSGJnem0r
>
> OFJTRmRKc25qOTdYU05OY3hWZXA4N2QwY2d2Tk5ERWU5dXVmdkl6eVBOZmh3Y2dvYlhTampzU3g0b0tGc216eWlaWGFJVnZaYmRzYzk3Z3J5ZytWUXBmemYyRkhuanBrTExsYlMwclhhc3FQbmJCL2s9IGFuc2libGUtZ2VuZXJhd
> GVkIG9uIGs4Z3VpCg==', 'source': '/home/rke/.ssh/id_rsa.pub', 'changed':
> False, 'encoding': 'base64', 'failed': False}" (type string). If this does
> not look like what you
> expect, quote the entire value to ensure it does not change.
> fatal: [k8node01]: FAILED! => {"changed": false, "msg": "invalid key
> specified: {'content':
> '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',
> 'source': '/home/rke/.ssh/id_rsa.pub', 'changed': False, 'encoding':
> 'base64', 'failed': False}"}
> fatal: [k8node02]: FAILED! => {"changed": false, "msg": "invalid key
> specified: {'content':
> 'c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCZ1FERjhsU2I2d01VZzNBaWwrd1I5ajZGTFViMzE1eWp4WkpFY0huQkV6a0lwNG5rZ2RqbVpiWHFUb3FwN0hGMkdydUI0RnRzNldJMjFXQVhtSGFKekkyUXlJdHhPdjJ4R1VoVnFlTUM3MkIxZUJVaHNDNHlOZXh4VTZLN200MXVFTVJxVEFVR2wweFZZdWVrYk00S0dXWlpSMXhMWVFXcElWN1dPY2hYbklDcnl6TDNIYkdvL01weGxGTWxBVmdQcGp4dWVtVVNycnQ3c1VpanVBK09aTGNScTlzOVg5aHZkeGZ0YUdPNEhndlFvWmV0cEgvTnFySitZUENKMjRzSC9BM0hRcEhsYVhVemdYa2QzbUpIdzdBOFBzcExESjBmbHN6L2hqbWhnQmF6OWN1SmZaQUp1eWxsbUk3NXpRekFRRklFYUtMT2RVRW5XQWR3a2F3N1FnWXZGbmZwODk3SVowYitXWlR5WmdZYzgvY295Vi8wb293L3VOMHB6bTl3L1k4VnlUWURxdk5ZSGJnem0rOFJTRmRKc25qOTdYU05OY3hWZXA4N2QwY2d2Tk5ERWU5dXVmdkl6eVBOZmh3Y2dvYlhTampzU3g0b0tGc216eWlaWGFJVnZaYmRzYzk3Z3J5ZytWUXBmemYyRkhuanBrTExsYlMwclhhc3FQbmJCL2s9IGFuc2libGUtZ2VuZXJhdGVkIG9uIGs4Z3VpCg==',
> 'source': '/home/rke/.ssh/id_rsa.pub', 'changed': False, 'encoding':
> 'base64', 'failed': False}"}
> fatal: [k8master]: FAILED! => {"changed": false, "msg": "invalid key
> specified: {'content':
> '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',
> 'source': '/home/rke/.ssh/id_rsa.pub', 'changed': False, 'encoding':
> 'base64', 'failed': False}"}
>
> I
>
> On Fri, Jul 22, 2022 at 1:28 PM Todd Lewis <[email protected]> wrote:
>
>> The error message is pretty clear: the command module doesn't have a
>> "cmd" parameter. (Then it helpfully lists the parameters it does have.)
>> You could say
>>
>> ansible.builtin.shell: "{{ command2 }}"
>>
>> But Brian already gave you a solution, which I'll repeat here:
>> You either need to run ansible-playbook as a user with permissions (rke,
>> root?)
>> or use a task to read the file while using privilege escalation (become):
>> - slurp:
>> path: '/home/rke/.ssh/id_rsa.pub'
>> become: yes
>> delegate_to: localhost
>> register: rke_pub_key
>> This is the equivalent of you doing `sudo cat /home/rke/.ssh/id_rsa.pub`
>> (lookups always run 'locally' and are not affected by become, which only
>> affects the 'remote' side of a task).
>>
>>
>>
>> On Friday, July 22, 2022 at 2:06:55 PM UTC-4 [email protected] wrote:
>>
>>>
>>> trying to do this another way
>>>
>>> - name: copy id_rsa.pub to tmp for reading on localhost
>>> ansible.builtin.shell:
>>> cmd: "{{ command2 }}"
>>> register: shell_output
>>> become: true
>>> delegate_to: localhost
>>>
>>>
>>> where command2 is 'cp /home/rke/.ssh/id_rsa.pub /tmp'
>>>
>>> I am trying to run this only on the ansible controller (localhost)
>>>
>>> but it looks like it's trying to run on the remote nodes
>>>
>>>
>>> fatal: [k8node02 -> localhost]: FAILED! => {"changed": false, "msg":
>>> "Unsupported parameters for (command) module: cmd Supported parameters
>>> include: _raw_params, _uses_shell, argv, chdir, creates, executable,
>>> removes, stdin, stdin_add_newline, strip_empty_ends, warn"}
>>> fatal: [k8master -> localhost]: FAILED! => {"changed": false, "msg":
>>> "Unsupported parameters for (command) module: cmd Supported parameters
>>> include: _raw_params, _uses_shell, argv, chdir, creates, executable,
>>> removes, stdin, stdin_add_newline, strip_empty_ends, warn"}
>>> fatal: [k8node01 -> localhost]: FAILED! => {"changed": false, "msg":
>>> "Unsupported parameters for (command) module: cmd Supported parameters
>>> include: _raw_params, _uses_shell, argv, chdir, creates, executable,
>>> removes, stdin, stdin_add_newline, strip_empty_ends, warn"}
>>>
>>>
>>> any idea?
>>> On Thursday, July 21, 2022 at 9:42:44 AM UTC-7 Tony Wong wrote:
>>>
>>>> do you mean something like this?
>>>>
>>>>
>>>> ---
>>>> # tasks file for createuser
>>>> - include_vars:
>>>> dir: vars
>>>>
>>>>
>>>>
>>>>
>>>> - name: Get id_rsa.pub from localhost
>>>>   set_fact:
>>>>     auth_key: "{{ lookup('file', '/home/rke/.ssh/id_rsa.pub') }}"
>>>>   delegate_to: localhost
>>>>
>>>> - name: create user rke
>>>> ansible.builtin.user:
>>>> name: '{{ username }}'
>>>> shell: '{{ shell }}'
>>>> generate_ssh_key: yes
>>>> create_home: yes
>>>> groups: [ "{{ group1 }}", "{{ group2 }}" ]
>>>> append: yes
>>>> ssh_key_file: .ssh/id_rsa
>>>> become: true
>>>>
>>>> - name: Make sure we have a 'wheel' group
>>>> group:
>>>> name: wheel
>>>> state: present
>>>>
>>>> - name: Allow 'wheel' group to have passwordless sudo
>>>> lineinfile:
>>>> dest: /etc/sudoers
>>>> state: present
>>>> regexp: '^%wheel'
>>>> line: '%wheel ALL=(ALL) NOPASSWD: ALL'
>>>> validate: 'visudo -cf %s'
>>>>
>>>>
>>>> - name: Setup authkeys for user rke
>>>> become: true
>>>>
>>>> authorized_key:
>>>> user: '{{ username }}'
>>>> state: present
>>>> key: auth_key
>>>>
>>>>
>>>>
>>>> On Thu, Jul 21, 2022 at 7:48 AM Dick Visser <[email protected]> wrote:
>>>>
>>>>> On Thu, 21 Jul 2022 at 16:32, Tony Wong <[email protected]> wrote:
>>>>> >
>>>>> > Yes it does, but the user (ansible) I am running the playbook with,
>>>>> even though it has sudo rights and is in the root group, can't access that folder.
>>>>>
>>>>>
>>>>> Your authorized_keys task is run on the remote host, but using the
>>>>> lookup/file plugin in one of the arguments doesn't allow for privilege
>>>>> escalation locally.
>>>>> I think for fetching the materials, you should have an initial
>>>>> set_fact task with delegate_to=localhost and set become=true on that.
>>>>>
>>>>> (not verified)
>>>>>
>>>>>
>>>>>
>>>>> > i tried to copy the id_rsa.pub to /tmp and it works
>>>>> >
>>>>> > On Thu, Jul 21, 2022 at 7:10 AM John Petro <[email protected]>
>>>>> wrote:
>>>>> >>
>>>>> >> Does /home/rke/.ssh/id_pub.rsa exist on the host you are running
>>>>> the ansible playbook from? Also, what happens if you try to do a ls on
>>>>> that directory as the user that is executing the ansible playbook, are you
>>>>> getting any errors?
>>>>> >>
>>>>> >> On Thu, Jul 21, 2022 at 9:09 AM Tony Wong <[email protected]>
>>>>> wrote:
>>>>> >>>
>>>>> >>> [WARNING]: Unable to find '/home/rke/.ssh/id_pub.rsa' in expected
>>>>> paths (use -vvvvv to see paths)
>>>>> >>> fatal: [k8master]: FAILED! => {"msg": "An unhandled exception
>>>>> occurred while running the lookup plugin 'file'. Error was a <class
>>>>> 'ansible.errors.AnsibleError'>, original message: could not locate file in
>>>>> lookup: /home/rke/.ssh/id_pub.rsa"}
>>>>> >>> [WARNING]: Unable to find '/home/rke/.ssh/id_pub.rsa' in expected
>>>>> paths (use -vvvvv to see paths)
>>>>> >>> fatal: [k8node01]: FAILED! => {"msg": "An unhandled exception
>>>>> occurred while running the lookup plugin 'file'. Error was a <class
>>>>> 'ansible.errors.AnsibleError'>, original message: could not locate file in
>>>>> lookup: /home/rke/.ssh/id_pub.rsa"}
>>>>> >>> [WARNING]: Unable to find '/home/rke/.ssh/id_pub.rsa' in expected
>>>>> paths (use -vvvvv to see paths)
>>>>> >>> fatal: [k8node02]: FAILED! => {"msg": "An unhandled exception
>>>>> occurred while running the lookup plugin 'file'. Error was a <class
>>>>> 'ansible.errors.AnsibleError'>, original message: could not locate file in
>>>>> lookup: /home/rke/.ssh/id_pub.rsa"}
>>>>> >>>
>>>>> >>> On Thu, Jul 21, 2022 at 5:32 AM Tony Wong <[email protected]>
>>>>> wrote:
>>>>> >>>>
>>>>> >>>> How do I get access to look up the id_rsa.pub file? The user running the
>>>>> ansible playbook has sudo rights on the controller.
>>>>> >>>>
>>>>> >>>> On Wed, Jul 20, 2022 at 4:31 PM Todd Lewis <[email protected]>
>>>>> wrote:
>>>>> >>>>>
>>>>> >>>>> It would have root access — on the target machine, but not on
>>>>> the Ansible controller.
>>>>> >>>>>
>>>>> >>>>> On Wednesday, July 20, 2022 at 6:24:24 PM UTC-4
>>>>> [email protected] wrote:
>>>>> >>>>>>
>>>>> >>>>>> But I used become: in my main.yml
>>>>> >>>>>>
>>>>> >>>>>> Would that have root access?
>>>>> >>>>>
>>>>> >>>
>>>>> >>
>>>>> >
>>>>>
>>>>>
>>
>