
IAM role
Identity and Access Management. Configure user and groups.
Usage
Configure the role.
iam_root_password: "{{ vault_iam_root_password }}"
iam_groups:
- name: wheel
sudoers_commands: ALL
- name: guests
- name: operators
sudoers_commands: /usr/bin/docker ps, /usr/bin/docker start *, /usr/bin/docker stop *, /usr/bin/docker restart *
iam_users:
- username: admin
state: present
comment: "Administrator"
ssh_public_key: "ssh-rsa ANzaC1yc2EA...KHgKLVcBaeKQ== admin@example.com"
groups: wheel,docker
shell: /bin/zsh
zshrc: |
PROMPT="$fg[cyan]%}$USER@%{$fg[blue]%}%m ${PROMPT}"
hosts:
- server1
- server2
- username: operator
state: present
groups: operators
hosts: "{{ groups.all }}"
- username: bot
state: present
comment: "Bot Example"
ssh_public_key: "ssh-ed25519 ANzaC1yc2EA...KHgKLVcBaeKQ== bot@example.com"
ssh_private_key: "{{ vault_bot_ssh_private_key }}"
hosts:
- server1
host_iam_users:
- username: bobmeyer
state: present
comment: "Bob Meyer"
passwort: "{{ vault_iam_users_bobmeyer_password }}"
hosts:
- server1
And include it in your playbook.
- hosts: iam
roles:
- role: iam
Kubernetes
Configure the manifest.
k8s_iam_service_account: k8s-deployer
And include it in your localhost playbook.
- hosts: localhost
roles:
- role: iam
Docs
Set password manually
Run sudo passwd $USERNAME
to set the password.
Add user to group manually
Run sudo usermod -a -G sshusers janikvonrotz
to add a user to a group.
Generate ssh key pair
Generate a ssh key pair for specified username.
SSH_USERNAME=bot
ssh-keygen -t ed25519 -C "$SSH_USERNAME" -f ./id_ed25519
echo "ssh_public_key: $(cat ./id_ed25519.pub)"
echo "vault_${SSH_USERNAME}_ssh_private_key: $(echo $(cat ./id_ed25519 | base64))"
Get Kubernetes service account token
The service account token ist stored as secret.
kubectl get secrets k8s-deployer -o json | jq -r '.data.token' | base64 --decode
Generate vault entry for ssh private key
A private key must be base64 encoded.
VAULT_ID=mint_system
SSH_USERNAME=bot
SSH_PRIVATE_KEY=$(echo "-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACCuoR1PvK081rwrC5hlSXM7Q24cPQOpSlymLefnPiihxQAAAJjEbzDGxG8w
bhw9A6lKXKYt5+c+KKHFAAAAEmJvdEBtaW50LXN5c3RlbS5jaAECAw==
-----END OPENSSH PRIVATE KEY-----" | base64 -w 0)
task encrypt-string "$VAULT_ID" "vault_${SSH_USERNAME}_ssh_private_key: $SSH_PRIVATE_KEY"