file in vault (ssh private key)

reading through vault docs, appears that it’s designed to store variable contents. maybe this should be obvious to me but it isn’t - so maybe someone can point me in the right direction. recommendation for the best way to store a file in vault?

my particular use case is an SSH private key file (password-less, used to enable jumping between servers in a cluster). normally i’d stick this in the files folder and use the copy module to push it.

-Jeremy

Jeremy,

I’d have suggested using SSH agent forwarding. If it worked. This is a classic example of where it should be used.

Bryan

we do use agent port forwarding for administrators. however there is a separate requirement for each cluster to have its own passwordless private key that is used for some other tasks within the cluster.

-J

Yes, it is for variable files of all sorts and can also be used on task files or handlers – anything YAML or JSON.

– Michael


A bit convoluted maybe, but base64-encode the file, and add it to a YAML
vars file which is then put into ansible-vault?

$ echo "myfile: $(openssl enc -a -A -in filename)" > vars.yml
myfile: aGVsbG8Kd29ybGQKaGVsbG8Kd29ybGQKaGVsbG8Kd29ybGQKaGVsbG8Kd29ybGQKaGVsbG8Kd29ybGQK

-JP

i believe that openssh private key files are already text encoded; it looks this way on my servers. this approach had occurred to me also - but can I write a simple, elegant task to get this variable into the file on the hosts? that’s the part that wasn’t obvious to me.


They are text-encoded, but not as a single line, which my version does;
it looks better to me in a vars file, though you may be able to
shoehorn multiline strings into YAML. :slight_smile:

As for extraction, maybe the following could work (untested!). It
decodes the base64-encoded string (-d) and writes it to the specified
destination.

# -A is required on decode as well, because the value was encoded as a single line
- action: shell echo "{{ myfile }}" | openssl enc -d -a -A -out {{ destfile }}

-JP
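The encode and decode halves of JP's suggestion, written out as one POSIX shell round trip. This is an added illustration, not code from the thread: the variable name `cluster_ssh_key`, the file names and the placeholder key contents are assumptions. The script runs `openssl enc -a -A` on one side and `openssl enc -d -a -A` on the other, so the single-line base64 value is handled consistently, and it creates the restored key under `umask 077` so the file is never world-readable, even briefly. The step between the two halves (`ansible-vault encrypt vars.yml`) is not run here.

```shell
#!/bin/sh
# Round trip for the base64-in-a-vars-file approach: a multi-line private key
# file is base64-encoded onto one line and written as a YAML variable (the vars
# file would then be encrypted with "ansible-vault encrypt vars.yml"), and later
# decoded back to a file on the host. Names below are assumptions for the demo.

# Encode a file into a one-line YAML variable. "-A" keeps the base64 on a single
# line, so it fits a plain YAML scalar; the same flag is needed again on decode.
encode_file_to_vars() {
    src="$1"; varname="$2"; out="$3"
    printf '%s: %s\n' "$varname" "$(openssl enc -a -A -in "$src")" > "$out"
}

# Read the base64 value of a variable back out of the (decrypted) vars file.
read_var() {
    varname="$1"; varsfile="$2"
    sed -n "s/^$varname: //p" "$varsfile"
}

# Decode a base64 variable to a file. umask 077 makes the key 0600 from the
# moment it is created, instead of fixing the mode after the secret is on disk.
decode_var_to_file() {
    value="$1"; dest="$2"
    ( umask 077; printf '%s' "$value" | openssl enc -d -a -A -out "$dest" )
}

# Returns 0 when the file's mode is exactly rw------- (avoids GNU-only stat flags).
is_owner_only() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Demonstration with a constructed placeholder file (not a real key).
# Returns 0 when the restored file matches the original and is owner-only.
demo_round_trip() {
    work=$(mktemp -d)
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
                  'cGxhY2Vob2xkZXIga2V5IGJvZHksIG5vdCBhIHJlYWwga2V5' \
                  '-----END OPENSSH PRIVATE KEY-----' > "$work/id_cluster"
    encode_file_to_vars "$work/id_cluster" cluster_ssh_key "$work/vars.yml"
    value=$(read_var cluster_ssh_key "$work/vars.yml")
    decode_var_to_file "$value" "$work/restored_key"
    if cmp -s "$work/id_cluster" "$work/restored_key" && is_owner_only "$work/restored_key"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}
```

The decode side deliberately avoids `echo "$value" | ...` with an unquoted destination: the value is passed through `printf '%s'` and the destination path is quoted, and the restrictive umask is set in a subshell so it does not leak into the rest of the script.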

why not encrypt the file itself? ansible-vault should be able to handle it.


I thought ansible-vault could only encrypt yaml and json files?

It can encrypt more but ansible (not the vault CLI) itself will only decrypt data files.

It’s not really meant for arbitrary files.

– Michael

Is there a reason why the file modules shouldn’t be modified to decrypt data with the vault password?

Jeremy, I don’t see an elegant way to do what you want right now. I’ve resorted to importing a key file as an encrypted configuration variable and then using the ‘echo’ command to write it out until there is a better way.

I’m not against teaching the copy/template module to support encrypted sources.

VaultLib is pretty abstract at this point so this would be an easy addition.

–Michael

I’d like to take this back, ssh agent forwarding does work. I have discovered that it only fails when used by the git module. Running commands which use ssh from Ansible does work.