git - Ansible SSH private key in source control? -
i have been developing ansible playbook couple of weeks, therefore, experience such technology relatively short. part of strategy includes using custom ansible_ssh_user
provisioning hosts throughout inventory, however, such user need own ssh key pair, involve sort of plan holding/storing correspondent private key. on production environment, playbook cloned/pulled , run inside playbook node role provision rest of infrastructure.
at first, thinking put private key inside playbook git repository, having second thoughts nonetheless, because of obvious security reasons , common sense around it, hence reason need consult matter.
with set on table, here follow-up questions:
- in ansible-based development environment, sane/reasonable hold private ssh key in source control?
- would practice advised only development environments whereas local git branch inside playbook node used hold actual production ssh private key?
- would better address case scenario via ansible vault instead?, have not ever used before, regardless of cannot yet tell whether proper case using it.
- in experience, approach around in production environment?, considered best practice in particular scenario?
it anti-pattern keep kind of plaintext secrets under revision control, ssh private keys included.
instead, surmised, use ansible-vault store private key. follows.
make variable key:
ssh_key: | -----begin rsa private key----- ... -----end rsa private key----- key_file: /home/user/.ssh/id_rsa
encrypt ansible-vault:
ansible-vault encrypt <your_var_file>
and install key:
- name: ensure .ssh directory exists. file: dest: "{{ key_file | dirname }}" mode: 0700 owner: user state: directory - name: install ssh key copy: content: "{{ ssh_key }}" dest: "{{ key_file }}" mode: 0600 owner: user
thanks allen luce , xiong chiamiov comments improved answer.
Comments
Post a Comment