Where does this "user_key" originate from?

On Mon, 7 Aug 2023 at 13:03, Veera <[email protected]> wrote:
>
> In a playbook, I gathered the user key into the variable "user_key" and
> am using the add_host module to log in to the server and execute the
> required tasks.
>
>     - name: Writing the key to a file
>       ansible.builtin.copy:
>         content: "{{ user_key }}"
>         dest: /tmp/new_inst.pem
>         mode: '0600'
>         follow: yes
>       register: keyfile
>
>
>     - name: create a temp inventory
>       ansible.builtin.add_host:
>         hostname: '{{ servera }}'
>         groups: mygroup
>         ansible_ssh_private_key_file: "{{ keyfile.dest }}"
>         ansible_ssh_user: "root"

Are you sure this is necessary? What about an unprivileged user + sudo?

>         ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
>
> - name: validate the httpd in new hosts
>   hosts: mygroup
>   gather_facts: true
>   become: yes
>   environment:
>     ANSIBLE_HOST_KEY_CHECKING: "False"
>   tasks:
>     - name: Start service httpd, if not started
>       service:
>         name: httpd
>         state: started
>
> All works fine  using the above.
> However, is there an option to read the content of the key directly, reading
> the contents of the key file into the add_host module with something like
> "ansible_ssh_private_key"?
> I want to avoid writing the key to a file, chmod 600 and then removing it
> after execution.

Also, I think if you write the key to the filesystem and then later
remove it, it is not really gone, but merely unlinked.
So that is an extra reason to be careful about handling the user's
private key data that way.

> Also, is there a way to read the variable "user_key" when it is fed manually
> on the ansible-playbook command line, like the following usage for the same
> code above?
>
> # ansible-playbook playbook -e "user_key={{ssh_content}}"
> where ssh_content is a Python variable which has the exact key value
> details from another program's output.

Are you sure you want to use sensitive materials like that? I think
this will leak the content into the shell history, process output etc.

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CAF8BbLaRdAQUV%3D_92KA4AnzEXcFG2%3Ds9QVF%3DPNR2odP7ay0VPA%40mail.gmail.com.

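An added example, not code from this thread or from the Ansible project, of the direction the replies point in: hand the private key to ssh-agent over stdin so it never becomes a file that has to be chmod'ed and "removed", and keep variables off the ansible-playbook command line so they do not end up in shell history or in the process list. It assumes bash, the OpenSSH client tools (ssh-agent, ssh-add, ssh-keygen) and ansible-playbook are installed; the playbook name, host name, user name and the KEY_TTL / SERVERA / TARGET_USER variables are placeholders chosen for the example.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread. Assumes bash, the OpenSSH client
# tools (ssh-agent, ssh-add, ssh-keygen) and ansible-playbook are installed;
# playbook path, host name, user name and variable names are placeholders.
set -euo pipefail

# Run a throwaway agent for this job only and kill it on exit, so the key
# is not left available to every later process of this user.
start_agent() {
  eval "$(ssh-agent -s)" >/dev/null
  trap 'ssh-agent -k >/dev/null 2>&1 || true' EXIT
}

# Feed PEM key material to the agent over stdin. ssh-add reads "-" as stdin,
# so the key is never written to /tmp, never chmod'ed and never has to be
# "removed" (an unlinked file on disk is not wiped, only unreferenced).
# -t bounds how long the agent keeps it, even if the EXIT trap never fires.
add_key_from_stdin() {
  ssh-add -t "${KEY_TTL:-900}" - >/dev/null 2>&1
}

# SHA256 fingerprints of the identities currently held by the agent, one per
# line (empty output when the agent holds nothing).
agent_fingerprints() {
  ssh-add -l 2>/dev/null | awk '/^[0-9]+ SHA256:/ {print $2}' || true
}

# Variables for the play, emitted as JSON. Nothing secret belongs on argv:
# -e "user_key=..." is recorded in shell history and visible to every local
# user through ps and /proc/<pid>/cmdline. Values here come from the
# environment (or a file only this user can read), not from the command line.
extra_vars_json() {
  printf '{"servera": "%s", "ansible_user": "%s"}\n' \
    "${SERVERA:?set SERVERA to the target host}" "${TARGET_USER:-deploy}"
}

# Run the playbook. -e @<(...) lets ansible-playbook read the JSON through a
# pipe instead of from argv or from a file on disk. The add_host task then
# needs no ansible_ssh_private_key_file: ssh inherits SSH_AUTH_SOCK from the
# controller and takes the identity from the agent. Pair this with an
# unprivileged ansible_user plus become instead of logging in as root.
run_play() {
  local playbook=$1
  ansible-playbook "$playbook" -e @<(extra_vars_json)
}

# Typical use: the program that produces the key pipes it straight in, so
# the key material never passes through argv, a file or the shell history.
#   start_agent
#   some_program_that_prints_the_key | add_key_from_stdin
#   SERVERA=10.0.0.5 run_play site.yml
```

Two caveats worth keeping in mind: while the key is loaded, any process running as the same user can use it through the agent socket, which is why the agent is private to the job, killed on exit and given a short lifetime; and values passed through the environment are still readable from /proc/<pid>/environ by the same user and by root, so this keeps secrets out of history and ps, not away from a compromised account.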