Open barealek opened 1 week ago
Hi @barealek, yes, it is a good idea. Thank you.
@fiftin Cool! I was wondering, what does the timeline look like in relation to an implementation? If it's months from now, I would be more than happy to make a PR with an implementation
Related to
Web-Backend (APIs), Ansible (task execution)
Impact
security improvements
Missing Feature
The ability to use encrypted SSH keys for running Ansible playbooks, where the key is decrypted at runtime with a password provided by the user running the job.
It is a major security concern for me that my whole infrastructure is secured by one environment variable. I am aware that the keys obviously can't be used for scheduling playbooks, but for running them on demand, this feature is extremely useful.
It is worth noting that Ansible Tower already has a feature like this: https://docs.ansible.com/ansible-tower/2.4.0/html/userguide/credentials.html#machine
Implementation
When creating a key in the key store, it should be possible to mark the password as "Ask for password at runtime." When running a playbook with that SSH key, a prompt for the decryption key would appear. The key would be decrypted in-memory and used solely for authenticating with the other server.
Design
No response
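An added illustration, not part of the issue or of the project's code: before a job can prompt for a password, the backend has to know whether a stored key is passphrase-protected. The OpenSSH private key format records this in its ciphername and kdfname header fields, which can be read without decrypting anything. `NeedsPassphrase` and `sampleKey` are hypothetical names, and the sample blobs are constructed headers that contain no key material.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/pem"
	"errors"
	"fmt"
)

const magic = "openssh-key-v1\x00" // prefix of every OpenSSH-format private key
var errFormat = errors.New("not a well-formed OpenSSH private key")

// sshString reads one length-prefixed field (uint32 big-endian, then bytes).
// The returned remainder is nil when the input is truncated.
func sshString(b []byte) (string, []byte) {
	if len(b) < 4 || int(binary.BigEndian.Uint32(b)) > len(b)-4 {
		return "", nil
	}
	n := int(binary.BigEndian.Uint32(b))
	return string(b[4 : 4+n]), b[4+n:]
}

// NeedsPassphrase (hypothetical helper): must the job prompt before using this key?
func NeedsPassphrase(keyPEM []byte) (bool, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil || block.Type != "OPENSSH PRIVATE KEY" || !bytes.HasPrefix(block.Bytes, []byte(magic)) {
		return false, errFormat
	}
	cipher, rest := sshString(block.Bytes[len(magic):])
	kdf, rest := sshString(rest) // a failed first read passes nil on and fails again
	if rest == nil {
		return false, errFormat
	}
	return cipher != "none" || kdf != "none", nil // unencrypted keys say "none"/"none"
}

// sampleKey builds a constructed header-only blob; it holds no key material.
func sampleKey(cipher, kdf string) []byte {
	buf := []byte(magic)
	for _, s := range []string{cipher, kdf} { // constructed names are < 256 bytes
		buf = append(append(buf, 0, 0, 0, byte(len(s))), s...)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "OPENSSH PRIVATE KEY", Bytes: buf})
}

func main() {
	fmt.Println(NeedsPassphrase(sampleKey("none", "none")))
	fmt.Println(NeedsPassphrase(sampleKey("aes256-ctr", "bcrypt")))
}
```

Keys in the older PEM formats mark encryption differently and are rejected here rather than guessed at.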