
I have a problem with Ansible Vault.

Vault on file copy commands works perfectly, but I can't find any solution to get encrypted templates to work.

My goal is to deploy an SSH key to authorized_keys with some comments and {{ ansible_managed }} on top, but Ansible just creates the file encrypted on the target host.

My task:

- name: Copy public RSA key
  template: src=id_rsa.pub.j2 dest=/root/.ssh/authorized_keys owner=root mode=600

Result on target server:

$ANSIBLE_VAULT;1.1;AES256
66393735343333616637383238643132646134343235633662663262353530663133386439356334
6437633863333434393333336336396239636531306262640a623764303165333035633333643631
6631613234346133386261343162653931643865633139[...]

Has anyone tried the same and got it up and running?

• Vault is meant to encrypt _variables_; it doesn't support encrypting templates. I can't imagine any good reason to do so either. That's not where your secrets should be. – Michael Hampton Nov 01 '16 at 22:01
• Vault is also used to encrypt complete files. See: [link](http://docs.ansible.com/ansible/playbooks_vault.html#what-can-be-encrypted-with-vault) – DJSnoopy Nov 01 '16 at 22:19
• What exactly are you trying to achieve? A template is a template; a frame to be filled with data. You can store the secrets in encrypted variable files and use them to populate the templates. I can't see a use case for encrypted templates. – techraf Nov 01 '16 at 22:40
• I'm trying to deploy an authorized_keys file on my target hosts with comments above, so I try to write the authorized_keys file with template vars on top followed by the encrypted RSA key(s) – DJSnoopy Nov 02 '16 at 09:07
• Thx for downvoting a valid question – DJSnoopy Nov 30 '16 at 14:25

1 Answer


Authorized keys are SSH public keys, so you don't need to store them in the vault.

That being said, it sounds like your id_rsa.pub.j2 is incorrect. Here's an example task I have for copying an SSH private key onto a machine:

- name: install ssh key
  copy:
    content: "{{ssh_key}}"
    dest: ~/.ssh/example.pem
    owner: "{{ansible_user_id}}"
    mode: u=r,g=,o=

ssh_key is then defined in group_vars/all/vars.yaml:

ssh_key: "{{vault_ssh_key}}"

and group_vars/all/vault.yaml is the encrypted vault file that defines vault_ssh_key. This method allows someone looking at a task or template to grep for the variable name and find a definition that points towards the vault.

• Seems legit. Missed the public part *head table*. So template parsing seems only to work in template tasks or on variables, not in copy tasks (content bound by src=xxx) itself. Thank you all. – DJSnoopy Nov 04 '16 at 09:15
• authorized_keys are public; however, with access to your repo an unprivileged user could swap his public key for yours, or just add it to your user, and then impersonate you. – bbaassssiiee Feb 27 '17 at 20:04
• @bbaassssiiee That attacker would need write access to your repo, and you'd have to miss the commit that brings in the change (and then run the playbook). I'd argue that at this point you're already screwed. – Xiong Chiamiov Mar 10 '17 at 19:03
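The answer's indirection pattern (a plain variable pointing at a vault_-prefixed variable in an encrypted vars file) applied to the question's actual goal: an authorized_keys file with an {{ ansible_managed }} header, rendered by the template module from a plain, unencrypted template, with the key list itself living in the vault. This is an added example, not code from the question or the answer; the variable names authorized_keys_root / vault_authorized_keys_root, the file paths and the key strings are assumptions.

```yaml
---
# group_vars/all/vault.yml  (plaintext shown here for illustration; on disk it
# is encrypted with:  ansible-vault encrypt group_vars/all/vault.yml
# so only ciphertext is ever committed)
vault_authorized_keys_root:
  - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...EXAMPLE alice@workstation"   # constructed placeholder
  - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...EXAMPLE bob@laptop"          # constructed placeholder

---
# group_vars/all/vars.yml  (unencrypted; a grep-able pointer into the vault,
# so a reader of the template knows where the data comes from)
authorized_keys_root: "{{ vault_authorized_keys_root }}"

---
# templates/authorized_keys.j2  (ordinary Jinja2 template, NOT vault-encrypted;
# shown here as comments because it is not YAML):
#
#   # {{ ansible_managed }}
#   # root's authorized keys on {{ inventory_hostname }}; edit group_vars, not this file
#   {% for key in authorized_keys_root %}
#   {{ key }}
#   {% endfor %}

---
# tasks/ssh_keys.yml
- name: Ensure /root/.ssh exists with strict permissions
  file:
    path: /root/.ssh
    state: directory
    owner: root
    group: root
    mode: "0700"          # quoted so YAML does not turn 0700 into decimal 448

- name: Render root's authorized_keys from vaulted variables
  template:
    src: authorized_keys.j2
    dest: /root/.ssh/authorized_keys
    owner: root
    group: root
    mode: "0600"
```

Because vault.yml is committed only as ciphertext, a change to the key list shows up in code review as an opaque diff; `ansible-vault view group_vars/all/vault.yml` on both revisions is how a reviewer sees which keys actually changed.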