We have an Ansible server set up, with our Ansible code stored in git repos. The servers configured by Ansible use an SSH key from our control server for access. I'd like to include that key in the Ansible git repo instead (encrypted in the vault). I'd like this because:
1) If our Ansible server ever got compromised, had an unrecoverable hard drive failure, or suffered some other failure, we wouldn't have to generate a new SSH key and copy it to each Ansible-managed server before we could run Ansible tasks again.
2) It feels like it should be in the repo, since it's part of the setup/config for accessing the servers.
3) We have other data stored in the vault, and having to enter one password for the vault and then the SSH passphrase is a pain.
We looked at coding a custom task that creates a temporary file on disk, but this kind of feels like it should be built in, the way the built-in decryption holds the files in RAM. The other issue is that I couldn't find a method guaranteed to run in case of failure and clean up the temporary file that was created (kind of like an ensure block in programming).
Is there a safe way to use a vaulted SSH key? Or, failing that, a way to ask for the SSH passphrase up front?
Ideally, each user should have their own private key to use on the control server to access the deployment account. That way you can revoke someone's access more easily if they leave or no longer need to run against the servers. It also lets you control which servers they can run against.
To avoid being prompted for the SSH password every time, use ssh-agent, which caches the credentials in memory and avoids the prompt. I use a startup script for the setup and it works well.
It's not good security practice to commit credentials to a source code repository (although I've done it too). Backing up users' home directories on the Ansible server protects the private keys against hard drive failure.
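A startup script of the kind the answer describes, extended to cover the vaulted key the question asks about. This is an added example, not the answerer's script and not part of Ansible; it assumes the vaulted file contains only the private key, that `ansible-vault view` can get the vault password (from the terminal, or from a `vault_password_file` / `--vault-id` configured in `ansible.cfg`), and that the local `ssh-add` is OpenSSH's, which accepts `-` as a file name meaning standard input. The function and variable names (`VAULT_VIEW`, `ensure_agent`, `add_vaulted_key`, `agent_fingerprints`) are mine. The decrypted key is piped from `ansible-vault view` straight into `ssh-add -`, so the plaintext exists only in the pipe buffer and the agent's memory: there is no temporary file, and therefore nothing that needs an ensure-style cleanup when the vault password is wrong or the process is interrupted.

```shell
# vaulted-key.sh: shell functions to load an ansible-vault encrypted SSH
# private key kept in the git repo straight into ssh-agent, so the plaintext
# key never touches disk.  Meant to be sourced from ~/.profile (or similar),
# not executed, because the agent's environment variables must end up in
# the login shell.
#
# Assumptions (this example's, not the original poster's setup):
#   - the vaulted file holds only the private key, in OpenSSH or PEM format
#   - ansible-vault obtains the vault password itself (terminal prompt, or
#     vault_password_file / --vault-id from ansible.cfg)
#   - ssh-add is OpenSSH's and accepts "-" as a file name meaning stdin

# Command that prints the plaintext of a vaulted file on stdout.  Left
# unquoted on use so "ansible-vault view" word-splits into command + arg;
# overridable so the functions can be exercised with a stub such as "cat".
: "${VAULT_VIEW:=ansible-vault view}"

# Start an agent only when none is reachable.  "ssh-add -l" exits 0 with
# keys loaded, 1 with no keys, and 2 when it cannot talk to an agent at all,
# so anything but 2 means the existing agent is usable.
ensure_agent() {
    if [ -n "${SSH_AUTH_SOCK:-}" ]; then
        if ssh-add -l >/dev/null 2>&1 || [ $? -ne 2 ]; then
            return 0
        fi
    fi
    # ssh-agent -s prints the SSH_AUTH_SOCK / SSH_AGENT_PID assignments and
    # exports; eval'ing them here puts them in the caller's shell.
    eval "$(ssh-agent -s)" >/dev/null || return 1
    export SSH_AUTH_SOCK SSH_AGENT_PID
}

# Decrypt the vaulted key and hand it to the agent through a pipe.  The
# plaintext only ever exists in the pipe buffer and in ssh-agent's memory,
# so there is nothing on disk to clean up when something fails: a wrong
# vault password leaves ssh-add with an empty stream, which it rejects, and
# the function returns ssh-add's non-zero status.  If the key itself has a
# passphrase, ssh-add will still ask for it on the terminal.
#   $1  vaulted key file in the repo
#   $2  optional lifetime in seconds (ssh-add -t); default: until agent exits
add_vaulted_key() {
    if [ $# -lt 1 ] || [ ! -r "$1" ]; then
        echo "add_vaulted_key: need a readable vaulted key file" >&2
        return 2
    fi
    ensure_agent || return 1
    if [ -n "${2:-}" ]; then
        $VAULT_VIEW "$1" | ssh-add -t "$2" -
    else
        $VAULT_VIEW "$1" | ssh-add -
    fi
}

# Fingerprints of the keys the agent currently holds, one per line, so a
# wrapper can verify the expected deploy key is loaded before running
# ansible-playbook.  "ssh-add -l" prints "<bits> <fingerprint> <comment> (<type>)".
agent_fingerprints() {
    ssh-add -l 2>/dev/null | awk '{print $2}'
}

# Typical use, from ~/.profile:
#   . ~/bin/vaulted-key.sh
#   ensure_agent
# and then, once per login, before running playbooks:
#   add_vaulted_key ~/ansible/keys/deploy_key.vault 28800
```

If you would rather not rely on `ssh-add -`, process substitution (`ssh-add <(ansible-vault view keyfile)`) reaches the same goal in bash: the key is exposed as a `/dev/fd` path rather than a file on disk. With `ansible-vault view` doing the decryption, the only prompt you see is the vault password, which addresses the double-prompt complaint in point 3 as long as the key stored in the vault has no passphrase of its own.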