Some doubts / problems about ansible-playbook with ansible-vault crypted files

Hi everyone

I was having a problem earlier today in a playbook using vault-encrypted files.
I managed to refactor it to make it work, but anyway I wanted your feedback, in case this is my misunderstanding of how these features work or maybe there is some bug.

So, I was trying to create a playbook that connects to all ec2 instances and adds some public keys to the ubuntu generic user.

I started with a playbook looking like this:

tasks:
  - name: Add authorized keys for super users
    authorized_key: user=ubuntu key="{{ item }}"
    with_file:
      - public_keys/user1
      - public_keys/user2

Then I ran ansible-vault encrypt public_keys/* and when I re-ran ansible-playbook providing the vault password the files were not being decrypted at runtime, so a key starting with $ANSIBLE_VAULT; was being added to the boxes and obviously the task was giving an error "msg: invalid key specified:"

I started refactoring the task using something like:

a file called defaults/public_keys.yml with this content:

user1: publickey_foruser1_inlongstring
user2: publickey_foruser2_inlongstring

and refactored my playbook with:

tasks:
  - include_vars: defaults/public_keys.yml

  - name: Add authorized keys for super users
    authorized_key: user=ubuntu key="{{ item }}"
    with_items:
      - "{{ user1 }}"
      - "{{ user2 }}"

Then I ran ansible-vault encrypt on the new public_keys.yml file and now it works flawlessly.

I assume this is related to the way vault decryption is executed at runtime, and I am not sure whether this is the expected behaviour or maybe the authorized_key task needs some internal refactoring to accommodate the case where the supplied files may be encrypted.

I would really appreciate any comments on this, even if I managed to work around it.

Best
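A pre-flight check that would have caught the first playbook before it touched any box, added here as an example and not code from this thread or from Ansible itself: it recognises a file that is still vault-encrypted (by the $ANSIBLE_VAULT; header the error message quoted) and rejects anything that does not parse as an OpenSSH public key, which is exactly what authorized_key refuses with "invalid key specified". The sample inputs are constructed for the example (the ed25519 key bytes are all zeros, not a real key), and the function names are my own.

```python
"""Classify values before they are handed to authorized_key.

Added example; not code from the original thread or from Ansible.
Two failure modes from the thread are detected:
  * the item is an undecrypted ansible-vault file (header "$ANSIBLE_VAULT;");
  * the item is not an OpenSSH public key at all.
"""
import base64
import binascii
import re
import struct

VAULT_HEADER = "$ANSIBLE_VAULT;"

# "<type> <base64 blob> [comment]" as found in authorized_keys / id_*.pub
SSH_KEY_RE = re.compile(
    r"^(?P<type>ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))"
    r"\s+(?P<blob>[A-Za-z0-9+/]+={0,3})(\s+(?P<comment>\S.*))?$"
)


def parse_vault_header(text):
    """Return (format_version, cipher) if text starts with a vault header, else None.

    Header layouts: "$ANSIBLE_VAULT;1.1;AES256" or "$ANSIBLE_VAULT;1.2;AES256;<vault-id>".
    """
    stripped = text.lstrip()
    if not stripped:
        return None
    first = stripped.splitlines()[0]
    if not first.startswith(VAULT_HEADER):
        return None
    parts = first.split(";")
    if len(parts) < 3:
        return None
    return parts[1], parts[2]


def key_type_in_blob(blob_b64):
    """Decode the base64 blob and return the leading length-prefixed string.

    The wire format puts the key type (e.g. "ssh-ed25519") first, so a
    genuine key repeats its declared type inside the blob.
    """
    raw = base64.b64decode(blob_b64, validate=True)
    if len(raw) < 4:
        raise ValueError("blob too short")
    (length,) = struct.unpack(">I", raw[:4])
    if length > len(raw) - 4:
        raise ValueError("truncated blob")
    return raw[4:4 + length].decode("ascii")


def classify_key_material(text):
    """Return 'vault', 'public_key' or 'invalid' for one candidate item."""
    if parse_vault_header(text):
        return "vault"
    match = SSH_KEY_RE.match(text.strip())
    if not match:
        return "invalid"
    try:
        inner_type = key_type_in_blob(match.group("blob"))
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return "invalid"
    return "public_key" if inner_type == match.group("type") else "invalid"


def check_items(items):
    """Map each item name to its classification; only 'public_key' is safe to push."""
    return {name: classify_key_material(content) for name, content in items.items()}


# --- constructed samples (not real keys or real vault data) ---
_ed25519_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
SAMPLE_ED25519 = "ssh-ed25519 " + base64.b64encode(_ed25519_blob).decode() + " user1@example"
SAMPLE_VAULT_FILE = "$ANSIBLE_VAULT;1.1;AES256\n3236613234\n6131343536\n"

if __name__ == "__main__":
    # Mirrors what with_file would have fed to authorized_key in the thread.
    result = check_items({"public_keys/user1": SAMPLE_VAULT_FILE,
                          "public_keys/user2": SAMPLE_ED25519})
    for name, verdict in result.items():
        print(f"{name}: {verdict}")
```

Run it before the play (or from a pre_tasks step) over the same files the with_file loop will read; any item classified as "vault" means the file was never decrypted on the way in, and any "invalid" item means authorized_key will fail regardless of vault.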

Why are we encrypting public keys?

ansible-vault only works for structured data files (yaml, json). Also, out of curiosity, why bother encrypting public keys?

-- James

Well, maybe I am doing something terribly stupid… these files will be stored in bitbucket / github as part of the ansible infrastructure repo so if someone got access to them they could use them to get access to our EC2 instances, right?

Definitely not as terrible as a database password but still concerning security-wise unless I am missing something

And anyway, it was just an experiment; if vault only works for structured data files, this is the explanation I was looking for. Cheers, James

Ricard,

You’re mixing up public keys and private keys.

-- James

You are totally right: even if they stole the public keys, without the private key nothing can be done, so I was effectively doing something quite stupid :slight_smile:

Best