Security question about a custom (in python) for accessing the gitlab API

I am pretty new to Ansible and this group, so just a quick “Hello” to everyone!
For my 1st questions I already got quick answers using IRC, but now I think a mail would be better.

The problem I have is the following: during the setup of virtual hosts I generate new users, with SSH key-pairs, and I checkout git repositories from our gitlab server.

For the git checkout we use deploy only keys. So I need to add the generated public SSH key from the special virtual host user to the project in gitlab.
I just wrote a little python script - as a proof of concept - to add a public SSH key to a project, so no bid deal at all.

But I have to specify either some credentials or a token for an administrative gitlab user, and I am stuck how to do this.

I came up with two strategies:

  1. Copy the python script, that installs the key in the project to the server, and pass the “secret” token using an environment variable to the script.
  2. Copy the public SSH key to the system, that excutes the playbook, and run the python script.

What I don’t like about the 1st approach is, that I have to install a python library (“pyapi-gitlab”), which isn’t really needed on the target server. Also I am not sure if my ideas are good practice.

So, do You have any suggestions (or pointers to best practices) what I should do?

Thanks in advance!

Regards,
Boris

you can use vars_prompt or a store the credentials in a vault and then
pass those as arguments to the script.

I will have a closer look at this “vault” stuff.
Thank You for the input!

Regards,
Boris