
Option to avoid writing ssh_key to the env folder

Open AlanCoding opened this issue 4 years ago • 1 comments

I want to use ansible-runner to run a playbook, which will involve using a valid private key to access the target inventory. Due to obvious security reasons, I want to avoid creating a copy of my private key. Consider:

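```python
import os

import ansible_runner


# Read the private key from its usual location
with open(os.path.expanduser('~/.ssh/id_rsa'), 'r') as f:
    key_data = f.read()

# Start from a state where no key copy exists in the private data dir
if os.path.exists('demo/env/ssh_key'):
    os.remove('demo/env/ssh_key')

# Passing ssh_key causes the key to be written to demo/env/ssh_key
ansible_runner.interface.run(private_data_dir='demo', playbook='test.yml', ssh_key=key_data)
```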

This will write my private key to demo/env/ssh_key. The other means of specifying the key is to write it to that file before running, which also misses the point. Writing it to disk is undesirable. I would like the private_data_dir to not contain sensitive data at the end of the run.

AWX manages to dodge this problem by importing the open_fifo_write util directly. It would be preferable to have a documented way to do this which would then be adopted by AWX.

AlanCoding, Nov 18 '21 01:11
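An added sketch, not part of the original post and not ansible-runner's or AWX's code, of the named-pipe (FIFO) technique that the `open_fifo_write` name refers to: the key is handed to one reader through a 0600 pipe, so no regular file ever holds it. `serve_secret_via_fifo` and `demo` are hypothetical names, the key is a constructed placeholder, and the plain `open()` reader stands in for whatever consumes the key (POSIX only).

```python
import os
import stat
import tempfile
import threading


def serve_secret_via_fifo(path, data):
    """Create an owner-only named pipe at `path` and feed `data` to its first reader."""
    os.mkfifo(path, stat.S_IRUSR | stat.S_IWUSR)

    def _writer():
        # open() for writing blocks until a reader opens the other end,
        # so the bytes only ever pass through the kernel pipe buffer.
        with open(path, "wb") as fifo:
            fifo.write(data)

    # Daemon thread: if nobody ever reads, it must not keep the process alive.
    writer = threading.Thread(target=_writer, daemon=True)
    writer.start()
    return writer


def demo():
    # Constructed placeholder, not a real key.
    key = b"-----BEGIN SAMPLE KEY-----\nconstructed-for-example\n-----END SAMPLE KEY-----\n"
    with tempfile.TemporaryDirectory() as private_dir:  # mkdtemp creates it 0700
        path = os.path.join(private_dir, "ssh_key")
        writer = serve_secret_via_fifo(path, key)

        st = os.stat(path)
        is_fifo = stat.S_ISFIFO(st.st_mode)
        group_other_bits = stat.S_IMODE(st.st_mode) & 0o077

        # Stand-in for the real consumer of the key.
        with open(path, "rb") as consumer:
            received = consumer.read()

        writer.join(timeout=5)
        os.unlink(path)  # remove the pipe node itself once it has been drained
        leftovers = os.listdir(private_dir)
    return is_fifo, group_other_bits, received == key, leftovers


if __name__ == "__main__":
    print(demo())
```

The pipe delivers the data once, to whichever process running as the same user opens it first, so the directory holding it should stay owner-only and the node should be unlinked after use.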

In addition, it seems to be blocked (indirectly) by CrowdStrike due to the recent deployment of the Log4Shell security update; see https://stackoverflow.com/questions/70320452/awx-all-jobs-stop-processing-and-hang-indefinitely-why

I think (I had never heard about that project before) it is quite the same situation (I give the link because the explanation is much clearer there) as https://www.ibm.com/support/pages/datastage-jobs-hang-after-site-deploys-crowdstrike-falcon-sensor-update-script-based-execution-monitoring

kakawait, Dec 20 '21 14:12