We used Ansible Tower for a year. Now we use Rundeck to allow non-admin users to run playbooks. https://www.rundeck.com/ansible

On Thursday, May 3, 2018 at 2:07:41 PM UTC-4, Ayad wrote:
>
> Hi All
> I'm trying to give a few users access to an Ansible server to run
> playbooks to do Application recycle on a few servers. These users should
> not have access to the target servers for security reasons, so here is what
> I have and what has been done.
>
> ansible --version
> ansible 2.4.2.0
> config file = /etc/ansible/ansible.cfg
>
> #inventory = /etc/ansible/hosts
>
> and here is the host file
>
> [jbservers]
> server01
> server02
>
> [all:vars]
> ansible_ssh_user= someuser
> ansible_ssh_private_key_file = /rsa/id_rsa
>
> My Ansible server uses a service account and key-based login
> (private/public key).
> I added a few users with limited access to the Ansible server. They can
> access a directory to run playbooks from, with no sudo or root access, only
> permission to run a few playbooks.
>
> When the users run the playbooks targeting the servers in the Ansible host
> file, the playbooks fail with the error message below.
>
> \nLoad key "/rsa/id_rsa": Permission denied\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).\r\n", "unreachable": true}
>
> But if I give the users permission to access the SSH private key
> (/rsa/id_rsa), then they can run the playbooks with no issue.
>
> The question is:
> how can I make users run these playbooks without giving them permission
> to read the private key (/rsa/id_rsa)?
> I've been looking since last night and cannot find any way to do it; even
> ansible-vault doesn't seem to work.
>
> Thanks in advance for your help.
>
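The separation that Tower or Rundeck provides, where a broker running as the service account launches the playbook so users never read /rsa/id_rsa, can also be sketched with sudo and a fixed wrapper. This is an added example, not part of the original thread; the account `ansiblesvc`, group `appops`, directory `/opt/playbooks`, the wrapper path and the playbook names are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper, installed root-owned as /usr/local/bin/run-playbook.
# Assumed sudoers entry (account and group names are assumptions):
#   %appops ALL=(ansiblesvc) NOPASSWD: /usr/local/bin/run-playbook
# Users run:  sudo -u ansiblesvc /usr/local/bin/run-playbook recycle_app
# /rsa/id_rsa stays mode 0600 and owned by ansiblesvc, so users never read it.
LC_ALL=C; export LC_ALL                 # make the character ranges below byte-exact

PLAYBOOK_DIR=/opt/playbooks             # assumed; must not be writable by the users
ALLOWED="recycle_app restart_jboss"     # constructed allow-list of playbook names

# Print the playbook path for an allow-listed name; return 1 for anything else.
resolve_playbook() {
    [ "$#" -eq 1 ] || return 1          # exactly one argument, no extra options
    case "$1" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;   # rejects '/', '..', spaces, '='
    esac
    for name in $ALLOWED; do
        if [ "$name" = "$1" ]; then
            printf '%s/%s.yml\n' "$PLAYBOOK_DIR" "$name"
            return 0
        fi
    done
    return 1
}

run_playbook() {
    path=$(resolve_playbook "$@") || { echo "playbook not permitted" >&2; return 1; }
    # Pin the config and leave the caller's directory so an ansible.cfg placed
    # there by the user is never loaded while running as the service account.
    ANSIBLE_CONFIG=/etc/ansible/ansible.cfg; export ANSIBLE_CONFIG
    cd / || return 1
    # No user-supplied options (-e, -i, --private-key) reach ansible-playbook.
    ansible-playbook -i /etc/ansible/hosts "$path"
}

# Run only when invoked under the installed name, so the file can also be sourced.
if [ "${0##*/}" = "run-playbook" ]; then
    run_playbook "$@"
    exit $?
fi
```

The wrapper only protects the key if the playbooks, roles and inventory it runs are themselves read-only to the users, since a user who can edit an allowed playbook can make it copy the key.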
