git - Ansible SSH private key in source control?


I have been developing an Ansible playbook for a couple of weeks, so my experience with this technology is relatively short. Part of the strategy includes using a custom ansible_ssh_user for provisioning hosts throughout the inventory; however, such a user needs its own SSH key pair, which involves some sort of plan for holding/storing the corresponding private key. On the production environment, the playbook is cloned/pulled and run inside a playbook node whose role is to provision the rest of the infrastructure.

At first I was thinking of putting the private key inside the playbook's git repository, but I am having second thoughts nonetheless, because of the obvious security reasons and the common sense around it, hence the reason I need to consult on the matter.

With that set on the table, here are the follow-up questions:

  • In an Ansible-based development environment, is it sane/reasonable to hold the private SSH key in source control?
  • Would this practice be advised only for development environments, whereas a local git branch inside the playbook node is used to hold the actual production SSH private key?
  • Would it be better to address this case scenario via ansible-vault instead? I have not ever used it before, so regardless I cannot yet tell whether this is a proper case for using it.
  • In your experience, what is the approach around this in a production environment? What is considered best practice in this particular scenario?

It is an anti-pattern to keep any kind of plaintext secrets under revision control, SSH private keys included.

Instead, as you surmised, use ansible-vault to store the private key. It goes as follows.

Make a variable for the key:

    ssh_key: |
      -----BEGIN RSA PRIVATE KEY-----
      ...
      -----END RSA PRIVATE KEY-----
    key_file: /home/user/.ssh/id_rsa

Encrypt it with ansible-vault:

    ansible-vault encrypt <your_var_file>

And install the key:

    - name: ensure .ssh directory exists.
      file:
        dest: "{{ key_file | dirname }}"
        mode: 0700
        owner: user
        state: directory

    - name: install ssh key
      copy:
        content: "{{ ssh_key }}"
        dest: "{{ key_file }}"
        mode: 0600
        owner: user

Thanks to Allen Luce and Xiong Chiamiov, whose comments improved this answer.
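As an added example (not part of the question or the answer above), the following Python script implements the check a practitioner would want before pushing a playbook repository: it walks a checkout, flags any file containing plaintext private-key material (PEM or OpenSSH headers), and accepts files that carry the ansible-vault header, which is what the vaulted variable file from the answer looks like on disk. The sample repository it builds, its file names and the vault body are constructed placeholders, not real key or vault material.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Header lines of private keys in PEM (RSA/DSA/EC/PKCS#8) and OpenSSH formats.
# Passphrase-protected keys (ENCRYPTED PRIVATE KEY) are flagged too so a
# reviewer can decide; the page's point is that key files do not belong in git.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")

# Every file produced by `ansible-vault encrypt` starts with this header.
VAULT_HEADER = b"$ANSIBLE_VAULT;"


def classify(content: bytes) -> str:
    """Return 'vaulted', 'plaintext-key' or 'clean' for one file's bytes."""
    if content.startswith(VAULT_HEADER):
        return "vaulted"
    if PRIVATE_KEY_RE.search(content):
        return "plaintext-key"
    return "clean"


def scan_tree(root: Path) -> Dict[str, str]:
    """Classify every regular file under root, skipping the .git directory."""
    findings: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if ".git" in path.parts or not path.is_file():
            continue
        findings[path.relative_to(root).as_posix()] = classify(path.read_bytes())
    return findings


def offending(findings: Dict[str, str]) -> List[str]:
    """Paths that would commit a plaintext private key."""
    return sorted(p for p, verdict in findings.items() if verdict == "plaintext-key")


def build_sample_repo(root: Path) -> None:
    """Construct a small playbook checkout with one good and one bad secret."""
    # Constructed stand-in for the vaulted vars file: real vault bodies are hex.
    (root / "group_vars" / "all").mkdir(parents=True)
    (root / "group_vars" / "all" / "vault.yml").write_bytes(
        b"$ANSIBLE_VAULT;1.1;AES256\n"
        b"3030303030303030303030303030303030303030303030303030303030303030\n"
    )
    # Constructed plaintext key file, the anti-pattern the answer warns about.
    (root / "files").mkdir()
    (root / "files" / "id_rsa").write_bytes(
        b"-----BEGIN RSA PRIVATE KEY-----\n"
        b"PLACEHOLDER-NOT-A-REAL-KEY\n"
        b"-----END RSA PRIVATE KEY-----\n"
    )
    # The install task from the answer; it references the variable, not the key.
    (root / "playbook.yml").write_bytes(
        b"- hosts: all\n"
        b"  tasks:\n"
        b"    - name: install ssh key\n"
        b"      copy:\n"
        b'        content: "{{ ssh_key }}"\n'
        b'        dest: "{{ key_file }}"\n'
        b"        mode: 0600\n"
    )


if __name__ == "__main__":
    repo = Path(tempfile.mkdtemp())
    build_sample_repo(repo)
    results = scan_tree(repo)
    for name, verdict in results.items():
        print(f"{verdict:14} {name}")
    bad = offending(results)
    # Non-zero exit makes this usable as a pre-commit or CI gate.
    raise SystemExit(1 if bad else 0)
```

Run it as a pre-commit hook or CI step against the working tree; a non-zero exit blocks the push when a plaintext key is present, while the vaulted vars file from the answer passes because only its `$ANSIBLE_VAULT;` header and ciphertext are committed.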

