Default code to add public ssh key fails

Hello!
im new to AWX.
I have for testing everything in a GitHub Repo.

Im evaluating the playbook from here with adding via git url:

---
- name: Set authorized keys
  hosts: all
  gather_facts: false
  
  tasks:
    - name: Set authorized keys taken from url
      ansible.posix.authorized_key:
        user: charlietteeiiiaaste
        state: present
        key: https://github.com/gsg-git/awx_pub/blob/main/awxtestpub

But it fails when i deploy it to a test Ubuntu 22 VM:
It states the public key is invalid.
Here is the Key:

grafik621×379 15 KB

Can you add public keys in credentials and use them locally?
Where would they be ?
You just cant poke around the AWC Docker Compose i got told.

Thank you in davanve!

@gothsome Hello again!

Are the Playbook and awxtestpub exsit same repository?

If so, how about bellow Playbook?

---
- name: Set authorized keys
  hosts: all
  gather_facts: false
  
  tasks:
    - name: Set authorized keys taken from url
      ansible.posix.authorized_key:
        user: root
        state: present
        key: : "{{ lookup('file', 'awxtestpub') }}"
        validate_certs: false

Yeah i have just everything at the same repo in one folder:

grafik755×546 35.6 KB

It doesnt like mapping values there.

Syntax Error while loading YAML.
  mapping values are not allowed in this context

Sorry.

There was a typo.

Corrected example.

---
- name: Set authorized keys
  hosts: all
  gather_facts: false
  
  tasks:
    - name: Set authorized keys taken from url
      ansible.posix.authorized_key:
        user: root
        state: present
        key: "{{ lookup('file', 'awxtestpub') }}"
        validate_certs: false

Now it seems it loaded the key content ut still isnt happy about it:

fatal: [192.168.151.237]: FAILED! => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": false,
    "invocation": {
        "module_args": {
            "comment": null,
            "exclusive": false,
            "follow": false,
            "key": "---- BEGIN SSH2 PUBLIC KEY ----\\r\\nComment: \\"rsa-key-20240206\\"\\r\\nAAAAB3NzaC1yc2EAAAADAQABAAABAQDKp5WjU+MEOBSeyqcDW48u5cOeInmiA5bm\\r\\nSe99Nxo8QdBZ8AkyLreDQ37NXdacxziEEWknl+bcMwOGRDvQab8l8WGjn22vQsXM\\r\\nDprFPkh4eY6aEwHjdbAmpy0z0jRWyWV6MClUBrBoD1wHn3YdKYevRGPRaajwz8Ec\\r\\nwHbad5rGM9TH46V71ZGFebHyv3+KZe966+6m9y+xv0RRVGpu3lCCJTosqIwQDixu\\r\\n1pwmJz4uyWhkBmviZ+ioW+d6L+VjzsbIxAsLp1a3qR2UbimUzgMMoMfDVir2B3nf\\r\\nTEqj0Zn7ut1Mj+URL9OaLf0oIR7H5JZ33Q0E3LdWB4cngbwF+Fof\\r\\n---- END SSH2 PUBLIC KEY ----",
            "key_options": null,
            "keyfile": "/root/.ssh/authorized_keys",
            "manage_dir": true,
            "path": null,
            "state": "present",
            "user": "root",
            "validate_certs": false
        }
    },
    "msg": "invalid key specified: ---- BEGIN SSH2 PUBLIC KEY ----"
}

Sadly its a imortant featue i have to get to run

You could convert to the supported format:

    - name: convert RFC4716 key to OpenSSH-compat
      debug: msg="{{ lookup('pipe', 'ssh-keygen -i -m RFC4716 -f ' + key_path) }}"

Yeah i had this issue with Ansible - i had to convert the key to the openssh format in puttygen, but i could just export the private one so i thought its not possible - thank you i will try

I tested to convert the Key with -m RFC4716/PKCS8 but still invalid key specified i try to add the lines to convert in the playbook and try again but the samen.
Even with a new generated key.

Could you provide actual playbook you’ve tried to convert keys?

If your screenshot was accurate, converting seems to work for me.

The key file contains:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20240206"
AAAAB3NzaC1yc2EAAAADAQABAAABAQDKp5WjU+MEOBSeyqcDW48u5cOeInmiA5bm
Se99Nxo8QdBZ8AkyLreDQ37NXdacxziEEWknl+bcMwOGRDvQab8l8WGjn22vQsXM
DprFPkh4eY6aEwHjdbAmpy0z0jRWyWV6MClUBrBoD1wHn3YdKYevRGPRaajwz8Ec
wHbad5rGM9TH46V71ZGFebHyv3+KZe966+6m9y+xv0RRVGpu3lCCJTosqIwQDixu
1pwmJz4uyWhkBmviZ+ioW+d6L+VjzsbIxAsLp1a3qR2UbimUzgMMoMfDVir2B3nf
TEqj0Zn7ut1Mj+URL9OaLf0oIR7H5JZ33Q0E3LdWB4cngbwF+Fof
---- END SSH2 PUBLIC KEY ----

Playbook contains:

- hosts: all
  gather_facts: no
  vars:
    key_path: /home/shertel/pub_key
  tasks:
    - name: Set authorized keys taken from local file
      ansible.posix.authorized_key:
        user: shertel
        state: present
        key: "{{ lookup('pipe', 'ssh-keygen -i -m RFC4716 -f ' + key_path) }}"  # lookups run on localhost
        validate_certs: false

Output:

TASK [Set authorized keys taken from local file] *************************************************************************************************************************************************************
changed: [h1] => {"changed": true, "comment": null, "exclusive": false, "follow": false, "key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKp5WjU+MEOBSeyqcDW48u5cOeInmiA5bmSe99Nxo8QdBZ8AkyLreDQ37NXdacxziEEWknl+bcMwOGRDvQab8l8WGjn22vQsXMDprFPkh4eY6aEwHjdbAmpy0z0jRWyWV6MClUBrBoD1wHn3YdKYevRGPRaajwz8EcwHbad5rGM9TH46V71ZGFebHyv3+KZe966+6m9y+xv0RRVGpu3lCCJTosqIwQDixu1pwmJz4uyWhkBmviZ+ioW+d6L+VjzsbIxAsLp1a3qR2UbimUzgMMoMfDVir2B3nfTEqj0Zn7ut1Mj+URL9OaLf0oIR7H5JZ33Q0E3LdWB4cngbwF+Fof", "key_options": null, "keyfile": "/home/shertel/.ssh/authorized_keys", "manage_dir": true, "path": null, "state": "present", "user": "shertel", "validate_certs": false}

If you have the key contents from a URL and don’t have a file, you can still do this (*edited improve the example):

- hosts: localhost
  gather_facts: no
  vars:
    key_url: "https://raw.githubusercontent.com/gsg-git/awx_pub/main/awxtestpub"
    key_content: "{{ lookup('url', key_url, split_lines=false) }}"
    conversion_cmd: 'ssh-keygen -i -m RFC4716 -f /dev/stdin <<<"{{ key_content }}"'
    new_key_content: "{{ lookup('pipe', conversion_cmd) }}"
  tasks:
    - debug: msg="{{ new_key_content }}"

If you’re getting ‘invalid key’ error still, it suggests your key doesn’t look like ssh-rsa .... Here are the types the module knows how to parse: ansible.posix/plugins/modules/authorized_key.py at main · ansible-collections/ansible.posix · GitHub.

I converted via ssh-keygen in the shell without playbook.

If the error invalid key specified: ---- BEGIN SSH2 PUBLIC KEY ---- does not change at all after your conversion, it simply indicates that your playbook is not able to use the converted key file.

Therefore, it is important to know how you converted the file, where you placed the converted file, and how you are trying to read it from the playbook. Not stopping at simple explanations by some words, but presenting actual commands, the logs, the contents of actual YAML files, and your attempts as much as possible may help us a lot.

Thank you!!!
Thats it - the loaded file content needs to be fomated so AWX can read it!
I would never could have thought about this possibility!

You should close this: public key not accepted in playbook to add keys · Issue #14850 · ansible/awx · GitHub

Done!
Im exited to learn more!
Its like for every issue at least 5 questions pop up

I have a last question because i wanted to see where the Key gets stored at the hosts, because i couldnt see it in the allowed_keys and te search for a part of the pub key is still running.

I believe your key is added into /<homedir for the user>/.ssh/authorized_keys on the target nodes, e.g. /home/charlietteeiiiaaste/.ssh/authorized_keys.

Note that you have the pub key in RFC4716 format, but you’ve added it after converting into OpenSSH format, so I bet the added keys in authorized_keys have different appearance than your original file. Therefore, if you search on a part of the original public key string, you will not find it.

I cant ssh with the key to the host.
What i can imagine is that the playbook doesnt contain a assigned user so it doesnt know where to put the key(?), but in the job the remote user is root…
In the successfull job i looked up i couldnt find any issues ans its still running.
The only home is from the user and the authorized_keys is empty.
I try to run the playbook with some more hosts to see if there is an global issue.