semaphoreui / semaphore

Modern UI and powerful API for Ansible, Terraform, OpenTofu, PowerShell and other DevOps tools.
https://semaphoreui.com
MIT License
10.55k stars 1.06k forks source link

Feature: SSH key decryption at runtime #2493

Open barealek opened 1 week ago

barealek commented 1 week ago

Related to

Web-Backend (APIs), Ansible (task execution)

Impact

security improvements

Missing Feature

The ability to use encrypted SSH keys for running Ansible playbooks, where the key is decrypted at runtime with a password provided by the user running the job.

It is a major security concern for me that my whole infrastructure is secured by one environment variable. I am aware that the keys obviously can't be used for scheduling playbooks, but for running them on demand, this feature is extremely useful.

It is worth noting that Ansible Tower already has a feature like this: https://docs.ansible.com/ansible-tower/2.4.0/html/userguide/credentials.html#machine

Implementation

When creating a key in the key store, it should be possible to mark the password as "Ask for password at runtime." When running a playbook with that SSH key, a prompt for the decryption key would appear. The key would be decrypted in-memory and used solely for authenticating with the other server.

Design

No response

fiftin commented 1 week ago

Hi @barealek yes, it is good idea. Thank you

barealek commented 6 days ago

@fiftin Cool! I was wondering, what does the timeline look like in relation to an implementation? If it's months from now, I would be more than happy to make a PR with an implementation