Ansible Vault
NOTE: This information has remained largely unchanged since the FanOut prototype. However, there is some useful detail here about working with sensitive information using Ansible's Vault feature. At the moment, the build/test/deploy process is in flux, so consider this information unstable (aside from how Vault works, etc.).
Ansible can be configured (and is, in the `ansible.cfg.template` file) to forward the user's SSH key for use on remote hosts. This works fine for running commands remotely where that key is authorized, but the situation becomes more complex when multiple users are involved. Consider the case where Ansible connects as `root` or an admin user, but the application should run under another user with lowered privileges. This non-admin user, especially if it is freshly created as part of a deployment process, won't have a key that is authorized to pull code from remote repositories.
Ansible has a feature called Ansible Vault, which can be used to encrypt Ansible YAML files. This includes private SSH keys. So, instead of keeping a copy of a private SSH key in the playbook repository, the key is stored with any other relevant variables in an encrypted YAML file. The file is decrypted when running associated playbooks using a passphrase.
```
ansible
└── playbooks
    └── roles
        └── add-key
            ├── tasks
            │   └── main.yml
            └── vars
                └── key.yml
```
`ansible/playbooks/add-key/tasks/main.yml`:

```yaml
- include_vars: vars/key.yml

- name: Ensure .ssh directory exists.
  file:
    dest: "{{ key_file | dirname }}"
    mode: "0700"
    owner: fanout
    group: fanout
    state: directory

- name: Install ssh key
  copy:
    content: "{{ ssh_key }}"
    dest: "{{ key_file }}"
    mode: "0600"
    owner: fanout
    group: fanout
```
The Vault-encrypted `vars/key.yml` holds the private key and the path it should be installed to:

```yaml
ssh_key: |
  -----BEGIN RSA PRIVATE KEY-----
  ...
  -----END RSA PRIVATE KEY-----
key_file: /home/user/.ssh/id_rsa
```
Create the encrypted file, edit it later, and supply the passphrase when running the playbook:

```sh
# create a new encrypted file (prompts for a passphrase, then opens $EDITOR)
$ ansible-vault create ansible/playbooks/vars/key.yml
# decrypt, edit and re-encrypt an existing file
$ ansible-vault edit ansible/playbooks/vars/key.yml
# run the playbook, prompting for the vault passphrase
$ ansible-playbook your-playbook.yml --ask-vault-pass
```
NOTE: You will be prompted for the passphrase when the playbook starts to run. If the value entered for the passphrase is wrong, the task that uses the decrypted data will fail.
Since this is an automated process, it's probably best to remove the key from the remote host after using it. Look at Ansible's file module for more details.
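As an added example (not code from the FanOut repository), the tasks above can be wrapped in a `block` so the decrypted key is removed from the host even when the checkout fails, and marked `no_log` so the key never lands in the playbook output. The repository URL, checkout path and branch are placeholders; the `fanout` user and the `ssh_key`/`key_file` variables are the ones from the page.

```yaml
# Added example, not part of the original page. Assumes the vaulted
# vars/key.yml from above; repo/dest/version below are placeholders.
- include_vars: vars/key.yml
  no_log: true          # keep the decrypted key out of verbose output

- block:
    - name: Ensure .ssh directory exists
      file:
        dest: "{{ key_file | dirname }}"
        mode: "0700"
        owner: fanout
        group: fanout
        state: directory

    - name: Install ssh key (temporarily, for the checkout only)
      copy:
        content: "{{ ssh_key }}"
        dest: "{{ key_file }}"
        mode: "0600"
        owner: fanout
        group: fanout
      no_log: true      # copy would otherwise echo the key with -v

    - name: Pull application code as the unprivileged user
      become: true
      become_user: fanout
      git:
        repo: "git@example.invalid:org/app.git"   # placeholder URL
        dest: /home/fanout/app                       # assumed checkout path
        version: main                                # assumed branch
        key_file: "{{ key_file }}"
        # accept_hostkey trusts the server's host key on first use; for
        # strict verification pre-seed known_hosts and set this to false.
        accept_hostkey: true

  always:
    # Runs whether or not the checkout succeeded, so a failed deploy
    # does not leave the private key behind on the host.
    - name: Remove the deploy key from the host
      file:
        path: "{{ key_file }}"
        state: absent
```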