Hi everyone
I was having a problem earlier today in a playbook using vault-encrypted files.
I managed to refactor it to make it work, but anyway I wanted your feedback in case this is my misunderstanding of how these features work, or maybe there is some bug.
So, I was trying to create a playbook that connects to all EC2 instances and adds some public keys to the generic ubuntu user.
I started with a playbook looking like this:
  tasks:
    - name: Add authorized keys for super users
      authorized_key: user=ubuntu key="{{ item }}"
      with_file:
        - public_keys/user1
        - public_keys/user2
Then I ran ansible-vault encrypt public_keys/*, and when I re-ran ansible-playbook providing the vault password, the files were not being decrypted at runtime, so a key starting with $ANSIBLE_VAULT; was being added to the boxes and obviously the task was giving an error: "msg: invalid key specified:".
I started refactoring the task using something like this:
a file called defaults/public_keys.yml with this content:
user1: publickey_foruser1_inlongstring
user2: publickey_foruser2_inlongstring
and refactored my playbook with:
  tasks:
    - include_vars: defaults/public_keys.yml
    - name: Add authorized keys for super users
      authorized_key: user=ubuntu key="{{ item }}"
      with_items:
        - "{{ user1 }}"
        - "{{ user2 }}"
Then I ran ansible-vault encrypt on the new public_keys.yml file, and now it works flawlessly.
I assume this is related to the way vault decryption is executed at runtime, and I'm not sure if this is the expected behaviour or whether the authorized_key task needs some internal refactoring to accommodate the case where the supplied files may be encrypted.
I would really appreciate any comments on this, even though I managed to work around it.
Best
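A fuller version of the working approach described in the post, as an added example that is not the poster's own playbook: the public keys live in a vault-encrypted vars file that Ansible decrypts when the play loads, and a guard task checks that each value looks like an OpenSSH public key before authorized_key touches the account, so an undecrypted "$ANSIBLE_VAULT;" blob fails early instead of landing in authorized_keys. The file names, the ec2 host group and the key values are assumptions.

```yaml
# Added example, not from the original post. Assumed layout:
#
#   ansible-vault encrypt vars/super_user_keys.yml
#   ansible-playbook -i inventory site.yml --ask-vault-pass
#
# vars/super_user_keys.yml (plaintext before encryption; constructed placeholders):
#   super_user_keys:
#     user1: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... user1@example"
#     user2: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... user2@example"
---
- name: Install super-user public keys on the generic ubuntu account
  hosts: ec2            # assumed inventory group
  become: true
  vars_files:
    - vars/super_user_keys.yml   # vault-encrypted; decrypted when the play loads

  tasks:
    - name: Fail early if a key does not look like an OpenSSH public key
      # Catches the failure mode from the post: an undecrypted vault blob
      # would start with "$ANSIBLE_VAULT;" and fail this match.
      assert:
        that:
          - item.value is match('^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) ')
        fail_msg: "key for {{ item.key }} is not a recognised OpenSSH public key"
      loop: "{{ super_user_keys | dict2items }}"
      loop_control:
        label: "{{ item.key }}"   # log the user name, not the key material

    - name: Add authorized keys for super users
      authorized_key:
        user: ubuntu
        key: "{{ item.value }}"
        comment: "{{ item.key }}"   # records which user each key belongs to
      loop: "{{ super_user_keys | dict2items }}"
      loop_control:
        label: "{{ item.key }}"
```

Keeping the keys as variables rather than as separate files means the decryption happens in the variable-loading path, which is exactly the path the post found to work; the keys can still be rotated or removed per user by editing the single encrypted file with ansible-vault edit.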