inventory script and ssh host keys

Hello

I created an EC2 inventory script. For each discovered instance, I can retrieve the ssh host key from the instance console.
The way it is working now is:

  • it dumps all the keys into a specific known_hosts file
  • this known_hosts file is pointed to by a specific ssh_config file
  • this ssh_config file is pointed to by an ssh_args option in ansible.cfg

Is there a prettier way to do it?

Is there any reason you’re not using the EC2 inventory script we ship along with ansible?

Yeah, we don’t technically ship it, but it’s included in the repo.

https://github.com/ansible/ansible/blob/devel/plugins/inventory/ec2.py

The main reason is that I create my own hierarchy of groups using instance tags.

Beside that, the EC2 inventory script included in the repo does nothing to solve the ssh host keys problem.

Have you seen the ec2_facts module?

https://github.com/ansible/ansible/blob/devel/library/cloud/ec2_facts

I did and AFAIU, this is supposed to run on the remote EC2 instances, isn’t it?

So, if I am correct, how am I supposed to use it, as it needs the ssh host key beforehand to run securely and the ssh host key is supposed to be obtained by running it?

I may have been unclear. My question is not about gathering ssh host keys securely from an EC2 we never contacted yet. On this point, I think grabbing it from the instance console is the least bad way to do it. If any of you have better ideas, I’d be happy to start a new thread about it.

My question is how to manage those keys once I gathered them.

Define “manage” ?

These ssh host keys cannot be put in the inventory (there is no ansible_ssh_host_key inventory variable). The way I did it is that my inventory script has side effects. It creates a my_known_hosts file, pointed to by a my_ssh_config file, pointed to by an ssh_args entry in ansible.cfg.

However I find this is a bit hackish, and I’m looking for better ideas.
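As an added example (not code from the thread or from Ansible), one way to implement the side effect described above in Python: parse the instance console output for host key lines, emit known_hosts entries for the instance, compute the OpenSSH-style SHA256 fingerprint (useful when an image echoes only the fingerprint), and generate the ssh_config fragment that pins verification to that file. The console marker lines, host names, key blob and file paths are all assumptions/constructed values.

```python
import base64
import hashlib

# Constructed host key blob (all-zero ed25519 public key, NOT a real key) so
# the sample below is valid base64 and can be fingerprinted.
ED25519_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(32)).decode()

# Constructed console output. The BEGIN/END "SSH HOST KEY KEYS" markers are an
# assumption about what the image prints; images that echo only fingerprints
# need the fingerprint comparison further down instead.
SAMPLE_CONSOLE = """\
[    5.12] Generating public/private ed25519 key pair.
-----BEGIN SSH HOST KEY KEYS-----
ssh-ed25519 %s root@ip-10-0-0-5
-----END SSH HOST KEY KEYS-----
ec2: cloud-init finished
""" % ED25519_BLOB

KEY_TYPES = ("ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "ssh-rsa")


def extract_host_keys(console_text):
    """Return (keytype, base64blob) pairs found between the host-key markers."""
    keys, inside = [], False
    for line in console_text.splitlines():
        if "BEGIN SSH HOST KEY KEYS" in line:
            inside = True
        elif "END SSH HOST KEY KEYS" in line:
            break
        elif inside:
            parts = line.split()
            if len(parts) >= 2 and parts[0] in KEY_TYPES:
                keys.append((parts[0], parts[1]))
    return keys


def sha256_fingerprint(b64_blob):
    """OpenSSH-style 'SHA256:<unpadded base64>' fingerprint of a key blob,
    for checking a key obtained another way against a console fingerprint."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_lines(host, keys):
    """One known_hosts entry per key: '<host> <type> <blob>'."""
    return ["%s %s %s" % (host, ktype, blob) for ktype, blob in keys]


def ssh_config_text(known_hosts_path):
    """ssh_config fragment pinning verification to the generated file."""
    return ("Host *\n    UserKnownHostsFile %s\n"
            "    StrictHostKeyChecking yes\n" % known_hosts_path)
```

The inventory script would write `known_hosts_lines(...)` to the file named in `ssh_config_text(...)`, and ansible.cfg's ssh_args would point at that ssh_config as in the original setup.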

What about ansible_ssh_private_key_file?
Private key file used by ssh. Useful if using multiple keys and you don’t want to use SSH agent.

http://www.ansibleworks.com/docs/patterns.html

“there is no ansible_ssh_host_key inventory variable”

It’s actually called “ansible_ssh_private_key_file”

No, this is the one used by the client to authenticate itself to the server. I’m speaking about the host public key (as opposed to the user key), used by the client to authenticate the server.

This relates directly to Lorin’s module proposal: https://github.com/ansible/ansible/pull/3787

The thing is, getting the host key from the console output is not accurate. A module for this might still be a good idea, or else some best practices around hoovering up host keys from transient hosts.

Sorry, clarification probably needed there; by “not accurate” I mean that it only works providing you have your image configured to print the host key to the console. Many people will likely find that such a module wouldn’t work for them and lots of head scratching would ensue :)

Quite interesting, thanks for the link. However, I think this information relates more to the inventory part (list of machines and how to connect to them) than to the fact harvesting part (what is the state of the system) and to the system configuration part (what the system should look like).

Trust bootstrapping is a very hard problem and, regarding AWS, I think Amazon did half the job. AFAIK, the only trusted out-of-band channel is the instance console. Parsing it to look for an ssh host key is far from convenient (and old images echoed only the fingerprint, and people checked it was correct using ssh-keyscan, which is completely dumb when you could have echoed the complete key). However, I don’t know a better way to do it.