Issue with creating .ssh directory to pass ssh key

Get Help
,
1

Hy i am using ansible with AWX on a K3S cluster and i have some issues, when creating the .ssh directory. Gives me evrythime the error that access is denied or that it cant write to it.

i have tried with privilege access but that does not seems to work either.
What i want to become is that an ssh key that is present in the awx that this is passed to the execution node, so i can backup my swithc config using git.

this should be posible i have seen this here , but i seem to miss somthing …

I have create the custom ssh credential type and linked it to the playbook with the switch credentials

image
image1409×491 21.4 KB

does anyone have some ideas ?

- name: Create .ssh folder
  become: true
  run_once: true
  delegate_to: localhost
  ansible.builtin.file:
    path: /root/.ssh
    state: directory
    mode: '0777'
  register: create_result

- name: create the ssh key file based on the supplied cred
  become: true
  run_once: true
  delegate_to: localhost
  ansible.builtin.copy:
    dest: ~/.ssh/id_rsa
    content: "{{ cert_key }}"
    mode: '0600'

{
  "module_stdout": "",
  "module_stderr": "Traceback (most recent call last):\n  File \"/runner/.ansible/tmp/ansible-tmp-1724254291.0380187-30-217917007745715/AnsiballZ_file.py\", line 107, in <module>\n    _ansiballz_main()\n  File \"/runner/.ansible/tmp/ansible-tmp-1724254291.0380187-30-217917007745715/AnsiballZ_file.py\", line 99, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/runner/.ansible/tmp/ansible-tmp-1724254291.0380187-30-217917007745715/AnsiballZ_file.py\", line 47, in invoke_module\n    runpy.run_module(mod_name='ansible.modules.file', init_globals=dict(_module_fqn='ansible.modules.file', _modlib_path=modlib_path),\n  File \"/usr/lib64/python3.9/runpy.py\", line 225, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib64/python3.9/runpy.py\", line 97, in _run_module_code\n    _run_code(code, mod_globals, init_globals,\n  File \"/usr/lib64/python3.9/runpy.py\", line 87, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_ansible.builtin.file_payload_8vcma2lk/ansible_ansible.builtin.file_payload.zip/ansible/modules/file.py\", line 987, in <module>\n  File \"/tmp/ansible_ansible.builtin.file_payload_8vcma2lk/ansible_ansible.builtin.file_payload.zip/ansible/modules/file.py\", line 973, in main\n  File \"/tmp/ansible_ansible.builtin.file_payload_8vcma2lk/ansible_ansible.builtin.file_payload.zip/ansible/modules/file.py\", line 680, in ensure_directory\n  File \"/tmp/ansible_ansible.builtin.file_payload_8vcma2lk/ansible_ansible.builtin.file_payload.zip/ansible/module_utils/basic.py\", line 1181, in set_fs_attributes_if_different\n  File \"/tmp/ansible_ansible.builtin.file_payload_8vcma2lk/ansible_ansible.builtin.file_payload.zip/ansible/module_utils/basic.py\", line 941, in set_mode_if_different\nPermissionError: [Errno 1] Operation not permitted: b'/root/.ssh'\n",
  "exception": "Traceback (most recent call last):\n  File \"/runner/.ansible/tmp/ansible-tmp-1724254291.0380187-30-217917007745715/AnsiballZ_file.py\", line 107, in <module>\n    _ansiballz_main()\n  File \"/runner/.ansible/tmp/ansible-tmp-1724254291.0380187-30-217917007745715/AnsiballZ_file.py\", line 99, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/runner/.ansible/tmp/ansible-tmp-1724254291.0380187-30-217917007745715/AnsiballZ_file.py\", line 47, in invoke_module\n    runpy.run_module(mod_name='ansible.modules.file', init_globals=dict(_module_fqn='ansible.modules.file', _modlib_path=modlib_path),\n  File \"/usr/lib64/python3.9/runpy.py\", line 225, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib64/python3.9/runpy.py\", line 97, in _run_module_code\n    _run_code(code, mod_globals, init_globals,\n  File \"/usr/lib64/python3.9/runpy.py\", line 87, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_ansible.builtin.file_payload_8vcma2lk/ansible_ansible.builtin.file_payload.zip/ansible/modules/file.py\", line 987, in <module>\n  File \"/tmp/ansible_ansible.builtin.file_payload_8vcma2lk/ansible_ansible.builtin.file_payload.zip/ansible/modules/file.py\", line 973, in main\n  File \"/tmp/ansible_ansible.builtin.file_payload_8vcma2lk/ansible_ansible.builtin.file_payload.zip/ansible/modules/file.py\", line 680, in ensure_directory\n  File \"/tmp/ansible_ansible.builtin.file_payload_8vcma2lk/ansible_ansible.builtin.file_payload.zip/ansible/module_utils/basic.py\", line 1181, in set_fs_attributes_if_different\n  File \"/tmp/ansible_ansible.builtin.file_payload_8vcma2lk/ansible_ansible.builtin.file_payload.zip/ansible/module_utils/basic.py\", line 941, in set_mode_if_different\nPermissionError: [Errno 1] Operation not permitted: b'/root/.ssh'\n",
  "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
  "rc": 1,
  "_ansible_no_log": false,
  "changed": false,
  "_ansible_delegated_vars": {
    "ansible_host": "localhost",
    "ansible_port": null,
    "ansible_user": "root",
    "ansible_connection": "local"
  }
}
2

Have you tried to perform the task manually? Does that work?
Since you’re getting [Errno 1] Operation not permitted: b'/root/.ssh'\n" it could mean the user isn’t a sudo user.

3

Hello Konstruktoid,

i am executing these commands on the local execution environment if i test these commands on a linux box the folder is created with no problem but this needs to run inside the execution enviroment as you can read here Ansible Config As Code With Network Backups To Git And Point-In-Time Rollback | Greg Sowell Saves The World

image , i will test something out if i can do this on the jump host and execute the code from here.

4

Instead of trying to usee those two tasks your playbook. You would be better served by creating a custom credential with a “file” attribute in the injector. See
11. Custom Credential Types — Ansible AWX community documentation. Then you can lookup/use the ssh key as needed for the playbook.

5

Hy binbashroot,

could you give me an example than can i take a look how this would work …

6

So in AAP/AWX you’ll create a custom credential with fields/injectors as such:

# INPUT CONFIGURATION
fields:
  - id: username
    type: string
  - id: my_ssh_key
    type: string
    format: ssh_private_key
    secret: true
    multiline: true
required:
  - my_ssh_key

#INJECTOR CONFIGURATION
extra_vars:
  my_ssh_key_file: '{{ tower.filename }}'
file:
   template: '{{ my_ssh_key  }}'

Then for your task you can call the key file as such

#EXAMPLE TASK

-  name:  Do git clone
   ansible.builtin.git:
     repo: 'https://foo.example.org/path/to/repo.git'
     dest: /my/dest/path
     key_file: "{{ my_ssh_key_file  }}"

You no longer need your two tasks for creating the folder and copying the key.

1 Like