In a playbook, I gathered the user key into the variable "user_key" and used the add_host module to log in to the server and execute the required tasks.

```yaml
- name: Writing the key to a file
  ansible.builtin.copy:
    content: "{{ user_key }}"
    dest: /tmp/new_inst.pem
    mode: '0600'
    follow: yes
  register: keyfile

- name: validate the httpd in new hosts
  hosts: mygroup
  gather_facts: true
  become: yes
  environment:
    ANSIBLE_HOST_KEY_CHECKING: "False"
  tasks:
    - name: Start service httpd, if not started
      service:
        name: httpd
        state: started
```
All works fine using the above.
However, is there an option to read the content of the key directly, i.e. pass the contents of the key file to the add_host module with something like "ansible_ssh_private_key"?
I want to avoid writing the key to a file, chmod 600 and then removing it after execution.
Also, is there a way to read the variable "user_key" when it is fed manually during the ansible-playbook command, for the same usage as in the code above?
Unfortunately, ansible_ssh_private_key_file requires a file and I don't see a proper way to assemble a file from a string in an inline manner. You could probably do some Jinja magic to that end, though it won't be very elegant.
I'll try to wrap my head around it a bit more and come back to you if I find something.
As for your second question, are you trying to read ssh_content from a file or from stdin? Here is an example for both scenarios using the lookup plugin:
```
19:02|ptn@BENDER:~/conf (main // U:1 M(u):1) (default)$ cat ~/TEMP/truc
truc
19:02|ptn@BENDER:~/conf (main // U:1 M(u):1) (default)$ ansible -c local localhost -m debug -a 'var=foo' -e foo="{{ lookup('file', '~/TEMP/truc') }}"
localhost | SUCCESS => {
    "foo": "truc"
}
19:03|ptn@BENDER:~/conf (main // U:1 M(u):1) (default)$ echo "truc" | ansible -c local localhost -m debug -a 'var=foo' -e foo="{{ lookup('file', '/dev/stdin') }}"
localhost | SUCCESS => {
    "foo": "truc"
}
```
Also, I think if you write the key to the filesystem and then later remove it, it is not really gone, but merely unlinked.
So that is an extra reason to be careful about handling the user's private key data that way.
Also, is there a way to read the variable "user_key" when it is fed manually during the ansible-playbook command, for the same usage as in the code above?

```
# ansible-playbook playbook -e "user_key={{ssh_content}}"
```

where ssh_content is a Python variable which holds the exact key value details from another program's output.
Are you sure you want to use sensitive materials like that? I think this will leak the content into the shell history, process output etc.
You cannot use a string for an ssh key; it is a file, as ansible must pass a file to the `ssh` command line client (which does not accept a string).
If you only have a string, you have to write the string to a file before the connection starts and remove it once it ends. Doing this securely is not trivial and is the reason the ssh connection plugin does not attempt to do so.
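Putting the replies' advice together, here is an added example playbook (my own, not from this thread or the Ansible project) that keeps the key on the control node only for as long as the connection needs it: the file is created by the tempfile module (mkstemp, so mode 0600 from creation), the task that writes the key material is marked no_log so the key is not echoed into the run output, and an always block removes the file even if the httpd task fails. It assumes user_key arrives from a vault-encrypted vars file (for example `ansible-playbook site.yml -e @secrets.yml --ask-vault-pass`) rather than as a literal on the command line, and new_host_ip is a placeholder to be supplied with -e.

```yaml
- name: Stage the user key on the control node and register the new host
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Create the key file with mkstemp (mode 0600 from creation)
      ansible.builtin.tempfile:
        state: file
        suffix: .pem
      register: keyfile

    - name: Write the key material; no_log keeps it out of the run output
      ansible.builtin.copy:
        content: "{{ user_key }}"   # assumed to come from a vault-encrypted vars file
        dest: "{{ keyfile.path }}"
        mode: "0600"
      no_log: true

    - name: Register the new host, pointing ssh at the staged key file
      ansible.builtin.add_host:
        name: new_inst
        groups: mygroup
        ansible_host: "{{ new_host_ip }}"   # placeholder, supplied with -e
        ansible_ssh_private_key_file: "{{ keyfile.path }}"

- name: Validate httpd on the new host
  hosts: mygroup
  become: true
  tasks:
    - block:
        - name: Start service httpd, if not started
          ansible.builtin.service:
            name: httpd
            state: started
      always:
        - name: Remove the staged key as soon as the work is done, even on failure
          ansible.builtin.file:
            path: "{{ hostvars['localhost']['keyfile'].path }}"
            state: absent
          delegate_to: localhost
          run_once: true
```

If the new host turns out to be unreachable, the play ends for it before the always block runs, so add a final localhost play that removes the file unconditionally. As noted above, removal only unlinks the file; treat the control node's disk as having held the key.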
Thanks for the valuable inputs and directions.
I was looking for a new approach, which was failing, and you all confirmed that the best and most secure way is to have the key as a file with appropriate permissions. I will be proceeding with the same setup which I already have…