reading the key file contents

In a playbook, I gathered the user key into the variable "user_key" and used the add_host module to log in to the server and execute the required tasks.

    - name: Writing the key to a file
      ansible.builtin.copy:
        content: "{{ user_key }}"
        dest: /tmp/new_inst.pem
        mode: '0600'
        follow: yes
      register: keyfile

    - name: create a temp inventory
      ansible.builtin.add_host:
        hostname: '{{ servera }}'
        groups: mygroup
        ansible_ssh_private_key_file: "{{ keyfile.dest }}"
        ansible_ssh_user: "root"
        ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'

- name: validate the httpd in new hosts
  hosts: mygroup
  gather_facts: true
  become: yes
  environment:
    ANSIBLE_HOST_KEY_CHECKING: "False"
  tasks:
    - name: Start service httpd, if not started
      service:
        name: httpd
        state: started
All works fine using the above.
However, is there an option to read the content of the key directly, i.e. pass the contents of the key file to the add_host module with something like "ansible_ssh_private_key"??

I want to avoid writing the key to a file, running chmod 600 on it and then removing it after execution.

Also, is there a way to read the variable "user_key" when it is fed manually on the ansible-playbook command line, for use in the same code above?

    ansible-playbook playbook -e "user_key={{ssh_content}}"

where ssh_content is a Python variable which holds the exact key value from another program's output.

Hi,

Unfortunately, ansible_ssh_private_key_file requires a file and I don't see a proper way to assemble a file from a string in an inline manner. You could probably do some Jinja magic to that end, though it won't be very elegant.
I'll try to wrap my head around it a bit more and come back to you if I find something.

As for your second question, are you trying to read ssh_content from a file or from stdin? Here is an example for both scenarios using the lookup plugin:

    19:02|ptn@BENDER:~/conf (main // U:1 M(u):1) (default)$ cat ~/TEMP/truc
    truc
    19:02|ptn@BENDER:~/conf (main // U:1 M(u):1) (default)$ ansible -c local localhost -m debug -a 'var=foo' -e foo="{{ lookup('file', '~/TEMP/truc') }}"
    localhost | SUCCESS => {
        "foo": "truc"
    }
    19:03|ptn@BENDER:~/conf (main // U:1 M(u):1) (default)$ echo "truc" | ansible -c local localhost -m debug -a 'var=foo' -e foo="{{ lookup('file', '/dev/stdin') }}"
    localhost | SUCCESS => {
        "foo": "truc"
    }

Where does this "user_key" originate from?

> In a playbook, I gathered the user key into the variable "user_key" and used the add_host module to log in to the server and execute the required tasks.
>
>     - name: Writing the key to a file
>       ansible.builtin.copy:
>         content: "{{ user_key }}"
>         dest: /tmp/new_inst.pem
>         mode: '0600'
>         follow: yes
>       register: keyfile
>
>     - name: create a temp inventory
>       ansible.builtin.add_host:
>         hostname: '{{ servera }}'
>         groups: mygroup
>         ansible_ssh_private_key_file: "{{ keyfile.dest }}"
>         ansible_ssh_user: "root"

Are you sure this is necessary? What about an unprivileged user + sudo?

>         ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
>
> - name: validate the httpd in new hosts
>   hosts: mygroup
>   gather_facts: true
>   become: yes
>   environment:
>     ANSIBLE_HOST_KEY_CHECKING: "False"
>   tasks:
>     - name: Start service httpd, if not started
>       service:
>         name: httpd
>         state: started
>
> All works fine using the above.
> However, is there an option to read the content of the key directly, i.e. pass the contents of the key file to the add_host module with something like "ansible_ssh_private_key"??
> I want to avoid writing the key to a file, running chmod 600 on it and then removing it after execution.

Also, I think if you write the key to the filesystem and then later
remove it, it is not really gone, but merely unlinked.
So that is an extra reason to be careful about handling the user's
private key data that way.

> Also, is there a way to read the variable "user_key" when it is fed manually on the ansible-playbook command line, for use in the same code above?
>
>     # ansible-playbook playbook -e "user_key={{ssh_content}}"
>
> where ssh_content is a Python variable which holds the exact key value from another program's output.

Are you sure you want to use sensitive materials like that? I think
this will leak the content into the shell history, process output etc.

You cannot use a string for an ssh key; it is a file, as Ansible must
pass a file to the `ssh` command line client (which does not accept a
string).
If you only have a string, you have to write the string to a file
before the connection starts and remove it once it ends. Doing this
securely is not trivial, which is the reason the ssh connection plugin does
not attempt to do so.
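Since the replies above agree that the key has to exist as a file while ssh runs, the remaining question is how to keep that file's lifetime and exposure as small as possible. The playbook below is an added example, not code from this thread or from the Ansible project: it folds the two plays into one play on localhost, creates the key file with the tempfile module (which sets mode 0600 itself), writes the key with no_log so it never appears in task output, delegates the httpd task to the newly added host, and removes the file in an always clause so cleanup also happens when the remote task fails or the host is unreachable. It assumes the same user_key and servera variables as the thread, an unprivileged login user named deploy (a placeholder) combined with become, and that /dev/shm exists as a RAM-backed filesystem, which addresses the "unlinked but not gone" point made above because the key never lands on disk.

```yaml
# Added example; assumes user_key and servera are supplied as in the thread.
- name: Validate httpd on a host reached with a key supplied as a variable
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Use the key file only for the lifetime of this block
      block:
        - name: Create a private temp file (tempfile creates it with mode 0600)
          ansible.builtin.tempfile:
            state: file
            suffix: .pem
            path: /dev/shm          # assumption: RAM-backed, so unlink leaves nothing on disk
          register: keyfile

        - name: Write the key; no_log keeps it out of the playbook output
          ansible.builtin.copy:
            content: "{{ user_key }}"
            dest: "{{ keyfile.path }}"
            mode: "0600"
          no_log: true

        - name: Register the target host with the temporary key
          ansible.builtin.add_host:
            hostname: "{{ servera }}"
            groups: mygroup
            ansible_ssh_private_key_file: "{{ keyfile.path }}"
            ansible_user: deploy    # placeholder unprivileged user; root is not needed with become

        - name: Start httpd on the target if it is not already running
          ansible.builtin.service:
            name: httpd
            state: started
          delegate_to: "{{ servera }}"
          become: true
          ignore_unreachable: true  # keep the play alive so the always clause runs

      always:
        - name: Remove the temporary key file whether or not the block succeeded
          ansible.builtin.file:
            path: "{{ keyfile.path }}"
            state: absent
          when: keyfile is defined and keyfile.path is defined
```

For the second question, the same playbook is better fed with `ansible-playbook playbook.yml -e @secrets.yml`, where secrets.yml holds user_key and can be encrypted with ansible-vault, rather than with `-e "user_key=..."` on the command line: the file form keeps the key out of shell history and out of the process list visible to other users on the controller, which is the leak the previous reply warns about.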

Hi all,

Thanks for the valuable inputs and directions.
I was looking for a new approach, which was failing, and you all confirmed that the best and most secure way is to have the key as a file with appropriate permissions. I will be proceeding with the same setup which I already have…