file in vault (ssh private key)


Jeremy Schneider

Mar 5, 2014, 11:24:28 AM3/5/14
to ansible...@googlegroups.com
reading through vault docs, appears that it's designed to store variable contents.  maybe this should be obvious to me but it isn't - so maybe someone can point me in the right direction.  recommendation for the best way to store a file in vault? 

my particular use case is an SSH private key file (password-less, used to enable jumping between servers in a cluster).  normally i'd stick this in the files folder and use the copy module to push it.

-Jeremy

bryan hunt

Mar 5, 2014, 11:59:43 AM3/5/14
to ansible...@googlegroups.com
Jeremy,

I'd have suggested using SSH agent forwarding. If it worked. This is a classic example of where it should be used.

Bryan

Jeremy Schneider

Mar 5, 2014, 12:11:50 PM3/5/14
to ansible...@googlegroups.com
On Wed, Mar 5, 2014 at 10:59 AM, bryan hunt <picsol...@gmail.com> wrote:

I'd have suggested using SSH agent forwarding. If it worked. This is a classic example of where it should be used. 


we do use agent port forwarding for administrators.  however there is a separate requirement for each cluster to have its own passwordless private key that is used for some other tasks within the cluster.

-J

Michael DeHaan

Mar 5, 2014, 3:15:39 PM3/5/14
to ansible...@googlegroups.com
Yes, it is for variable files of all sorts and can also be used on task files or handlers -- anything YAML or JSON.

-- Michael
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/8b63043d-aa8a-434f-a3cb-acdce2ac67b9%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Jan-Piet Mens

Mar 5, 2014, 3:25:55 PM3/5/14
to ansible...@googlegroups.com
> my particular use case is an SSH private key file (password-less, used to
> enable jumping between servers in a cluster). normally i'd stick this in
> the files folder and use the copy module to push it.

A bit convoluted maybe, but base64-encode the file, and add it to a YAML
vars file which is then put into ansible-vault?

$ echo "myfile: $(openssl enc -a -A -in filename)" > vars.yml
myfile: aGVsbG8Kd29ybGQKaGVsbG8Kd29ybGQKaGVsbG8Kd29ybGQKaGVsbG8Kd29ybGQKaGVsbG8Kd29ybGQK

-JP

Jeremy Schneider

Mar 5, 2014, 3:38:44 PM3/5/14
to ansible...@googlegroups.com
i believe that openssh private key files are already text encoded; it looks this way on my servers.  this approach had occurred to me also - but can I write a simple, elegant task to get this variable into the file on the hosts?  that's the part that wasn't obvious to me.


Jan-Piet Mens

Mar 5, 2014, 4:45:16 PM3/5/14
to ansible...@googlegroups.com
> i believe that openssh private key files are already text encoded; it looks
> this way on my servers. this approach had occurred to me also - but can I
> write a simple, elegant task to get this variable into the file on the
> hosts? that's the part that wasn't obvious to me.

They are text-encoded, but not as a single line, which my version does;
it looks better to me in a vars file, though you may be able to
shoehorn multiline strings into YAML. :)

As for extraction, maybe the following could work (untested!) It
decodes the base64-encoded string (-d) and writes it to the specified
destination.

- action: shell echo "{{ myfile }}" | openssl enc -d -a -out {{ destfile }}

-JP

Brian Coca

Mar 5, 2014, 4:47:39 PM3/5/14
to ansible...@googlegroups.com
why not encrypt the file itself? ansible-vault should be able to handle it.


--
Brian Coca
Stultorum infinitus est numerus
0110000101110010011001010110111000100111011101000010000001111001011011110111010100100000011100110110110101100001011100100111010000100001
Pedo mellon a minno

Jeremy Schneider

Mar 5, 2014, 5:10:30 PM3/5/14
to ansible...@googlegroups.com
On Wed, Mar 5, 2014 at 3:47 PM, Brian Coca <bria...@gmail.com> wrote:
why not encrypt the file itself? ansible-vault should be able to handle it.

I thought ansible-vault could only encrypt yaml and json files?


On Wed, Mar 5, 2014 at 3:45 PM, Jan-Piet Mens <jpm...@gmail.com> wrote:
As for extraction, maybe the following could work (untested!) It
decodes the base64-encoded string (-d) and writes it to the specified
destination.

- action: shell echo "{{ myfile }}" | openssl enc -d -a -out {{ destfile }}

It would work but it's not elegant imho - largely because it can't detect whether the file needs to be changed; it can just run or not run and it'll overwrite whatever's in the file.  unlike a copy or template directive which can look inside and even do a diff.

-J 
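Added example (not code from the thread): a small POSIX shell helper that performs the decode step Jan-Piet proposed above but addresses Jeremy's objection, i.e. it only rewrites the destination when the decoded key actually differs and it pins the file mode to 0600 either way. It assumes the base64 value is already available in a shell variable (as it would be after Ansible decrypts the vault vars file) and uses `base64 -d` as an equivalent of `openssl enc -d -a`; `install_key` is a hypothetical name.

```shell
# install_key KEY_B64 DEST
# Decodes a base64-encoded private key into DEST idempotently:
# prints "changed" if DEST was (re)written, "unchanged" if it already
# held the same bytes. Assumed helper, not part of Ansible.
install_key() {
    key_b64="$1"
    dest="$2"

    # Decode into a private temp file first so a decode failure never
    # clobbers a good key and the plaintext is never world-readable.
    umask 077
    tmp="$(mktemp)" || return 1
    if ! printf '%s' "$key_b64" | base64 -d > "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo "decode failed" >&2
        return 1
    fi

    # Same bytes already on disk: keep the file, just enforce the mode.
    if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
        rm -f "$tmp"
        chmod 0600 "$dest"
        echo "unchanged"
        return 0
    fi

    chmod 0600 "$tmp"
    mv "$tmp" "$dest" || { rm -f "$tmp"; return 1; }
    echo "changed"
}
```

When run from a shell task, the "changed"/"unchanged" output can drive `changed_when` so the play reports the same way a copy task would.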

Michael DeHaan

Mar 5, 2014, 5:50:39 PM3/5/14
to ansible...@googlegroups.com
It can encrypt more but ansible (not the vault CLI) itself will only decrypt data files.

It's not really meant for arbitrary files.

-- Michael

Stan Hu

Mar 5, 2014, 6:14:47 PM3/5/14
to ansible...@googlegroups.com
Is there a reason why the file modules shouldn't be modified to decrypt data with the vault password?

Jeremy, I don't see an elegant way to do what you want right now. I've resorted to importing a key file as an encrypted configuration variable and then using the 'echo' command to write it out until there is a better way.

Michael DeHaan

Mar 6, 2014, 11:05:16 AM3/6/14
to ansible...@googlegroups.com
I'm not against teaching the copy/template module to support encrypted sources.

VaultLib is pretty abstract at this point so this would be an easy addition.

--Michael




bryan hunt

Mar 28, 2014, 8:25:45 AM3/28/14
to ansible...@googlegroups.com
I'd like to take this back, ssh agent forwarding does work. I have discovered that it only fails when used by the git module. Running commands which use ssh from Ansible does work.