In the Web UI, please add a way to provision SSH private key and Vault password
Hello,
In bamboo, for SSH and SCP tasks, you can configure the authentication type, and upload a private SSH key with passphrase. This is very useful, I believe, to keep this sensitive piece of information away from the codebase.
I believe it would be useful to add the same mechanisms for Ansible tasks.
In the Ansible case, this sensitive information should be available in the configuration GUI:
- Authentication type + upload SSH private key (as in SSH tasks)
- Vault password.
Comments (17)
-
repo owner -
reporter Hi, thanks for the nice answer!
Yes, I would like these secrets to be masked, that's an important point.
I believe the task configuration in bamboo is the right place to put these secrets. I don't want this information to be present in the codebase because secrets are specific to a target environment and should not be shared elsewhere. Sadly, a deploy task can only clone a git shared to all bamboo jobs, and artifacts are shared to all bamboo jobs. I also prefer not to jump into more heavy tooling like Consul.
I thought about using the "other" field or a variable, even if these fields are not masked. But I believe this would not be sufficient, as ansible will search for the private key and the vault password in files, not in environment variables or command line options. There is the option to define the vault-password-file as an executable returning for example the value of a variable, but it would be nice to have this handled by the task config in bamboo.
-
repo owner Hi Fabrice,
I will tell you how this can be handled at least until the next plugin release; maybe it is useful:
- install bamboo agents in the same folder on each machine: /home/bamboo-agent01 (I use ansible to do it).
- add one file on all agents ~/ansible-vault-pass and put keys in all .ssh folders.
- use in the Other field: --vault-password-file ~/ansible-vault-pass
- in the Ansible inventory place:
10.X.X.X ansible_ssh_private_key_file=~/.ssh/testxxxxx.pem ansible_ssh_user=ec2-user
If you predeploy the keys you can also have a simpler bastion host configuration:
Host 10.X.X.*
    ProxyCommand ssh -q -A ec2-user@52.X.X.X -W %h:%p
    ServerAliveInterval 60
    TCPKeepAlive yes
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
    ConnectTimeout 10000
Host 52.X.X.X
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
    ConnectTimeout 10000
    User ec2-user
    IdentityFile ~/.ssh/xxxxxprod.pem
Julius
-
reporter My concern about this solution is that the secrets are not contained in the build/deploy project, but accessible to all bamboo projects. And it's exactly the situation I am trying to escape from.
-
repo owner True. We will sort it out no worries :)
I propose then to put 1 field, ansible vault password; for SSH let's try something like:
- I can dump it in a file if you like and you need to reference it from the inventory.
- I can add 2 fields: key & filename; I will dump them in the bamboo_working_directory but it will be your responsibility to load it from the inventory file.
Julius
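The two approaches discussed above, an executable vault-password-file that returns a variable's value (Fabrice's comment) and a key file dumped into the Bamboo working directory and removed after the task (Julius's workaround and proposal), can be combined in a Bamboo script task. The following is an added example, not code from the thread or from the plugin; the variable names SSH_PRIVATE_KEY and ANSIBLE_VAULT_PASS (assumed to be masked Bamboo variables), the file names under the working directory, and the playbook/inventory paths are assumptions. ansible-playbook is only invoked when ANSIBLE_TASK=1 is set, so the file can also be sourced just for its functions.

```shell
#!/bin/sh
# Added example, not code from the thread or the plugin: a Bamboo script task
# that hands Ansible a per-task SSH key and vault password taken from masked
# Bamboo variables, so nothing has to be pre-placed on every agent.
# Assumed names: SSH_PRIVATE_KEY and ANSIBLE_VAULT_PASS (masked variables),
# plus the paths passed to run_playbook. Requires ansible-playbook on the agent.
set -e

# Write $2 into file $1 as a file only the current user can read. The umask is
# set first so the file is never created readable by others, even briefly, and
# any pre-existing file (or symlink) at that path is removed rather than followed.
write_secret_file() {
    umask 077
    rm -f "$1"
    printf '%s\n' "$2" > "$1"
    chmod 600 "$1"
}

# Write a tiny executable that prints the vault password from the environment.
# ansible-playbook accepts an executable for --vault-password-file and runs it,
# so the password itself is never written to disk; only this script is.
write_vault_script() {
    umask 077
    rm -f "$1"
    cat > "$1" <<'EOF'
#!/bin/sh
printf '%s\n' "$ANSIBLE_VAULT_PASS"
EOF
    chmod 700 "$1"
}

# Run a playbook with the secrets materialised under the task's working
# directory and removed again when the task ends, however it ends.
# Usage: run_playbook WORKDIR PLAYBOOK INVENTORY
run_playbook() {
    key="$1/id_deploy"
    vault_exec="$1/vault-pass.sh"
    # Clean up on normal exit, failure (set -e) or interruption.
    trap 'rm -f "$key" "$vault_exec"' EXIT INT TERM
    write_secret_file "$key" "$SSH_PRIVATE_KEY"
    write_vault_script "$vault_exec"
    ansible-playbook -i "$3" --private-key "$key" \
        --vault-password-file "$vault_exec" "$2"
}

# Only run as a task when ANSIBLE_TASK=1, e.g. ANSIBLE_TASK=1 sh deploy.sh.
# bamboo_build_working_directory is the variable Bamboo exports for the
# build working directory; "." is used when it is not set.
if [ "${ANSIBLE_TASK:-0}" = 1 ]; then
    run_playbook "${bamboo_build_working_directory:-.}" site.yml inventory.ini
fi
```

The key is the only secret that touches disk, and only for the lifetime of the task; the vault password is read by the helper script at run time from the environment. The inventory does not need ansible_ssh_private_key_file entries because the key is passed with --private-key, and host-key checking is left at Ansible's default rather than disabled.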
-
repo owner Released, check it out.
-
repo owner - changed status to resolved
-
repo owner - changed status to closed
-
reporter Thank you! I will have a look today.
-
repo owner In order to keep your system secure I have removed the files after task execution.
-
reporter NB: It would be nice to have the content of the SSH key masked like the ansible vault password.
-
repo owner This is causing an issue with Atlassian AUI, password fields cannot be multiline. I can try to hide it differently or, when opening the task, never load the previous value from the DB and leave it empty.
-
reporter Maybe have the same presentation as in the SSH task? Instead of a text input there is a file to upload. It makes it quite logical that the file content is not displayed.
-
repo owner I can try to do it with file upload, I need to check the bamboo code to see how they did it. I don't have the same capabilities as the core components, some internals cannot be accessed from plugins.
Julius
-
reporter Fair enough! I am not a java coder, I don't know either how they achieved that.
-
Hi Iulius! Great thanks for creating this add-on! It is very helpful.
+1 for making the private key field a file upload button just like in SSH Task.
-
repo owner Thank you! With so many pluses, what can I do, I gotta implement something!
J
-
Hi Fabrice,
Add these params to the Other field, I placed it exactly for that. Or would you like those fields to be masked?
Julius