2
votes

I have an AWS EC2 inventory file that I want to use to deploy my code to the EC2 instances. I am using:

ansible-playbook -i ec2_inventory -u ec2-user --private-key=my_ec2_key.pem

and it works.

What I want is to use ansible-vault to encrypt the private key file: my_ec2_key.pem, and I will keep the vault password in a text file.

How can I issue the ansible-playbook command now to use the vault password to decrypt the private key file for ec2-user?

1
I want to find out if I can encrypt the private key file for user ec2-user first, then use it with ansible-playbook for ec2-user to access the EC2 instances. I have some ansible-vault encrypted yml files under group_vars and I have the vault password inside the file pass.txt. I can use --vault-password-file=pass.txt in the ansible-playbook command to decrypt those yml files. But it won't work for the private key file if I encrypt it and leave it under group_vars. - Philip Shangguan
To use a decrypted private key file with the ansible-playbook command instead of using the plain-text pem file. - Philip Shangguan

1 Answer

2
votes

Unfortunately, ansible-vault will not automatically decrypt the private key that it's using to connect to instances. You could potentially hack around this by using a local task to write it into a key file from a variable file (which would write it decrypted) and place the file somewhere that is then referenced in downstream tasks. The reason Ansible doesn't do this is that vault typically only decrypts the variables in memory, to avoid leaving decrypted artifacts behind if the playbook fails.

If you're using a CI box or something to run ansible, you could potentially place the private key on the CI box, and thus prevent the need to decrypt it at run-time. Then store the private key permanently encrypted in source.
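The workaround the answer describes, written out as an added example (this is not code from the original post or from the Ansible project). It assumes the PEM file has been stored as a multi-line string in a vault-encrypted vars file named group_vars/all/vault.yml under the variable vault_ec2_private_key, and that the EC2 hosts sit in an inventory group called ec2; the variable name, the file layout and the group name are all assumptions. The first play runs on the control node only, writes the decrypted key into a 0600 temp file, and records the path; the second play points ansible_ssh_private_key_file at that path and deletes the file in an always section so a failed deployment task does not leave the decrypted key behind:

```yaml
# deploy.yml (added example, not from the original post).
# Assumes group_vars/all/vault.yml was encrypted with:
#   ansible-vault encrypt --vault-password-file=pass.txt group_vars/all/vault.yml
# and, once decrypted, looks like:
#   vault_ec2_private_key: |
#     -----BEGIN RSA PRIVATE KEY-----
#     ...
#     -----END RSA PRIVATE KEY-----
# The variable name, the file path and the "ec2" group name are assumptions.
#
# Run with:
#   ansible-playbook -i ec2_inventory --vault-password-file=pass.txt deploy.yml
# (no -u / --private-key needed; the second play sets both as variables)

- name: Write the vaulted private key to a temp file on the control node
  hosts: localhost
  connection: local
  gather_facts: false
  vars_files:
    - group_vars/all/vault.yml    # decrypted in memory by ansible-vault
  tasks:
    - name: Create an empty temp file (mkstemp creates it with mode 0600)
      ansible.builtin.tempfile:
        state: file
        suffix: .pem
      register: key_tmp

    - name: Write the decrypted key into it (no_log keeps it out of -vvv output)
      ansible.builtin.copy:
        content: "{{ vault_ec2_private_key }}"
        dest: "{{ key_tmp.path }}"
        mode: "0600"
      no_log: true

    - name: Remember the path so later plays can reach it via hostvars
      ansible.builtin.set_fact:
        ec2_key_file: "{{ key_tmp.path }}"

- name: Deploy to the EC2 instances using the materialised key
  hosts: ec2                      # assumed inventory group name
  vars:
    ansible_user: ec2-user
    ansible_ssh_private_key_file: "{{ hostvars['localhost']['ec2_key_file'] }}"
  tasks:
    - block:
        - name: Prove the SSH connection works with the vaulted key
          ansible.builtin.ping:
        # the real deployment tasks go here, inside the block
      always:
        - name: Remove the decrypted key even if a deployment task failed
          ansible.builtin.file:
            path: "{{ hostvars['localhost']['ec2_key_file'] }}"
            state: absent
          delegate_to: localhost
          run_once: true
```

Two caveats a practitioner should keep in mind. First, the always section only runs if the play gets as far as its tasks; if every EC2 host is unreachable during fact gathering, the play aborts and the temp file stays on the control node, so on a shared machine wrap the invocation in a shell that removes leftover *.pem files from the temp directory, or run it from a CI job whose workspace is discarded, as the answer suggests. Second, the key is written to the control node's default temp directory; on Linux you can pass `path: /dev/shm` to the tempfile task so it only ever lives in RAM.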