I’m trying to store ssh private keys in variables in a vault-protected file, and I’m having problems. The issue is with the variables spanning many lines, when they are injected during the playbook run, on the destination server they end up in a mangled format or the playbook crashes out. So for example, in my vars file (this is a key I just generated and deleted to demo it here):
I’ve tried adding \n on the end of each line in my key, I’ve also tried all on one line with \n separators.
I’m getting this error:
fatal: [127.0.0.1] => A variable inserted a new parameter into the module args. Be sure to quote variables if they contain equal signs (for example: “{{var}}”).
Any pointers would be cheerfully accepted. I’m interested to hear how others have tackled this issue.
Yep, this is likely going merged and quite good stuff, but others should be aware lookup plugins evaluate every time the template strings are rendered.
You could, depending on usage, make the system do a LOT of math if you aren’t careful.
I think we do something similar with SSL certificates.
First, we use the multi-line YAML notation ni the vars file:
ssl_private_key: |
-----BEGIN RSA PRIVATE KEY-----
ETC…
Note the spacing in front of the lines, that’s required.
In case you don’t need the actual newlines on the other end, you can also use “>” instead of “|”
And then we have a template “templates/ssl_private_key.j2” with just the variable as content:
{{ ssl_private_key }}
Thanks, I guess this is what I am looking for and I’ll wait for this patch to be merged.
It resolves another thing I was surprised about, if I encrypt whole files with ansible-vault, during the playbook run with --ask-vault-pass the files are still not parsable because they are still encrypted. I suppose this is by design but doesn’t do what I wanted or expected.
Michael I will go with your suggestion for now and use something external to protect the private keys. I did find the authorized keys module but the docs only mention use cases for public keys so I didn’t explore it any further.
" during the playbook run with --ask-vault-pass the files are still not parsable because they are still encrypted"
Ansible-vault only applies to ansible variable files, task files, and handlers. Basically anything Ansible would understand to be natively-understood YAML files.
I do something similar to this to store sensitive files in vault. I base64 encode the data and set the variable with the resulting encoded string. Then in my template I use the b64decode filter when applying the variable.