In the Web UI, please add a way to provision SSH private key and Vault password

Issue #2 closed
Fabrice Flore-Thébault created an issue

Hello,

In bamboo, for SSH and SCP tasks, you can configure the authentication type, and upload a private SSH key with passphrase. This is very useful, I believe, to keep this sensitive piece of information away from the codebase.

I believe it would be useful to add same mechanisms for Ansible tasks.

In the Ansible case, this sensitive information should be available in the configuration GUI:

  • Authentication type + upload SSH private key (as in SSH tasks)
  • Vault password.

Comments (17)

  1. Hutuleac Iulius repo owner

    Hi Fabrice,

    Add these params to the field Other; I placed it exactly for that. Or would you like those fields to be masked?

    Julius

  2. Fabrice Flore-Thébault reporter

    Hi, thanks for the nice answer!

    Yes, I would like these secrets to be masked, that's an important point.

    I believe the task configuration in bamboo is the right place where to put these secrets. I don't want this information to be present in the codebase because secrets are specific to a target environment and should not be shared elsewhere. Sadly, a deploy task can only clone a git repository shared to all bamboo jobs, and artifacts are shared to all bamboo jobs. I also prefer not to jump into more heavy tooling like Consul.

    I thought about using the "other" field or a variable, even if these fields are not masked. But I believe this would not be sufficient, as ansible will search for the private key and the vault password in files, not in environment variables or command line options. There is the option to define the vault-password-file as an executable returning for example the value of a variable, but it would be nice to have this handled by the task config in bamboo.

  3. Hutuleac Iulius repo owner

    Hi Fabrice,

    I will tell you how this can be handled at least until a next plugin release; maybe it is useful:

    • install bamboo agents in same folder on each machine: /home/bamboo-agent01 (I use ansible to do it).
    • add one file on all agents ~/ansible-vault-pass and in all .ssh folder put keys.
    • use in Other field: --vault-password-file ~/ansible-vault-pass
    • in inventory of Ansible place:

    10.X.X.X ansible_ssh_private_key_file=~/.ssh/testxxxxx.pem ansible_ssh_user=ec2-user

    If you predeploy the keys you can also have a more simple bastion host configuration:

    Host 10.X.X.*
        ProxyCommand ssh -q -A ec2-user@52.X.X.X -W %h:%p
        ServerAliveInterval 60
        TCPKeepAlive yes
        StrictHostKeyChecking no
        UserKnownHostsFile=/dev/null
        ConnectTimeout 10000

    Host 52.X.X.X
        StrictHostKeyChecking no
        UserKnownHostsFile=/dev/null
        ConnectTimeout 10000
        User ec2-user
        IdentityFile ~/.ssh/xxxxxprod.pem

    Julius

  4. Fabrice Flore-Thébault reporter

    My concern about this solution is that the secrets are not contained in the build/deploy project, but accessible to all bamboo projects. And that is exactly the situation I am trying to escape from.

  5. Hutuleac Iulius repo owner

    True. We will sort it out no worries :)

    I propose then to put 1 field for the ansible vault password; for SSH let's try something like:

    • I can dump it in a file if you like and you need to reference it from the inventory.
    • I can add 2 fields: key & filename. I will dump them in the bamboo_working_directory but it will be your responsibility to load it from the inventory file.

    Julius

  6. Hutuleac Iulius repo owner

    In order to keep your system secure I have removed the files after task execution.
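The two mechanisms the thread settles on, an executable vault-password-file that returns the value of a variable (comment 2) and a private key written to a file for the duration of the task and removed afterwards (comments 5 and 6), as an added example in POSIX shell. This is not code from the plugin or from anyone in the thread; the variable names ANSIBLE_VAULT_PASS and SSH_PRIVATE_KEY, and the file names vault-pass.sh and deploy.sh, are assumptions for the illustration.

```shell
#!/bin/sh
# Added example, not the plugin's code. One file installed under two names:
#   vault-pass.sh  -> used as  --vault-password-file ./vault-pass.sh
#   deploy.sh      -> the task script that runs ansible-playbook
# Assumed variables (hypothetical, set by the CI task, not stored in the repo):
#   ANSIBLE_VAULT_PASS  the vault password
#   SSH_PRIVATE_KEY     the PEM-encoded private key

# 1. Vault password from the environment. Ansible executes a vault-password-file
#    that has the executable bit set and reads the password from its stdout.
vault_pass() {
    if [ -z "${ANSIBLE_VAULT_PASS:-}" ]; then
        echo "vault_pass: ANSIBLE_VAULT_PASS is not set" >&2
        return 1            # fail closed instead of emitting an empty password
    fi
    printf '%s\n' "$ANSIBLE_VAULT_PASS"
}

# 2. Private key on disk only while the task runs. Prints the path; reference it
#    with --private-key <path> or ansible_ssh_private_key_file=<path>.
write_key_file() {
    if [ -z "${SSH_PRIVATE_KEY:-}" ]; then
        echo "write_key_file: SSH_PRIVATE_KEY is not set" >&2
        return 1
    fi
    # mktemp creates the file mode 0600, so only the agent user can read it.
    keyfile=$(mktemp "${TMPDIR:-/tmp}/deploy-key.XXXXXX") || return 1
    printf '%s\n' "$SSH_PRIVATE_KEY" > "$keyfile"
    printf '%s\n' "$keyfile"
}

# Delete the key file; hooked to an EXIT trap so it also runs when the play fails.
cleanup_key_file() {
    [ -n "${1:-}" ] && rm -f -- "$1"
}

# Dispatch on the name the script was invoked as (no-op when sourced elsewhere).
case "$0" in
    *vault-pass.sh)
        vault_pass
        ;;
    *deploy.sh)
        KEYFILE=$(write_key_file) || exit 1
        trap 'cleanup_key_file "$KEYFILE"' EXIT INT TERM
        ansible-playbook -i inventory --private-key "$KEYFILE" \
            --vault-password-file ./vault-pass.sh site.yml
        ;;
esac
```

Both functions refuse to run with an unset variable rather than silently producing an empty password or an empty key file, and the trap removes the key even when ansible-playbook exits non-zero, which is the behaviour comment 6 describes for the plugin itself.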

  7. Fabrice Flore-Thébault reporter

    NB: It would be nice to have the content of the SSH key masked like the ansible vault password.

  8. Hutuleac Iulius repo owner

    This is causing an issue with Atlassian AUI: password fields cannot be multiline. I can try to hide it differently, or when opening the task never load the previous value from the DB and leave it empty.

  9. Fabrice Flore-Thébault reporter

    Maybe have the same presentation as in the SSH task? Instead of a text input there is a file to upload. It makes it quite logical that the file content is not displayed.

  10. Hutuleac Iulius repo owner

    I can try to do it with file upload; I need to check the bamboo code to see how they did it. I don't have the same capabilities as the core components, some internals cannot be accessed from plugins.

    Julius

  11. Fabrice Flore-Thébault reporter

    Fair enough! I am not a java coder, I don't know how they achieved that either.

  12. Sergey Tsivin

    Hi Iulius! Great thanks for creating this add-on! It is very helpful.

    +1 for making the private key field a file upload button just like in SSH Task.
