ansible

change ansible_ssh_private_key_file within playbook


I'm building a playbook to convert a new vendor-provided AMI and apply our standards to it. I have most of the tasks sorted out; however, the challenge I am facing is this:

/home gets mounted as a dedicated partition during the process; as soon as it's mounted, /home/ec2-user is no longer available. What I'm trying to figure out is how to run a playbook as ec2-user long enough to create a service_account user in the same play. My thought is to configure my inventory and set ansible_user & ansible_ssh_private_key_file to the service_account user by default, but for the 3 tasks in the playbook where I need the ec2-user account, override those settings in vars: with the remote_user setting. What I am unable to confirm/deny is whether there is an accompanying ansible_ssh_private_key_file equivalent that can be configured with the path of the ec2-user private key.

Test playbook:

---
- hosts: all
  become: true
  gather_facts: yes
  vars:
  tasks:
    - name: Configure users
      block:
        - name: Configure Temporary Home
          ansible.builtin.file:
            vars:
              remote_user: ec2-user
              ansible_ssh_private_key_file: /home/me/.ssh/id_rsa_ec2-user
            path: /home1
            state: directory
            owner: root
            group: root
            serole: object_r
            setype: user_home_dir_t
            seuser: system_u

        - name: Configure service_account
          ansible.builtin.user:
            vars:
              remote_user: ec2-user
              ansible_ssh_private_key_file: /home/me/.ssh/id_rsa_ec2-user
            name: service_account
            password_lock: true
            comment: Service Account
            shell: /bin/bash
            home: /home1/service_account

        - name: Configure authorized keys
          ansible.posix.authorized_key:
            vars:
              remote_user: ec2-user
              ansible_ssh_private_key_file: /home/me/.ssh/id_rsa_ec2-user
            user: service_account
            state: present
            key: https://www.example.com:9090/ssh/pubkey

    - name: All other tasks here and below are executed as service_account
      ansible.builtin.debug:
        msg: "Oh hai!"
...

Solution

  • Using remote_user as a variable does not affect the ssh connection plugin

            - name: Configure service_account
              ansible.builtin.user:
              vars:
                remote_user: ec2-user
              ...
    

    Either use it as a keyword

            - name: Configure service_account
              remote_user: ec2-user
              ansible.builtin.user:
              vars:
              ...
    

    or rename it to ansible_user

            - name: Configure service_account
              ansible.builtin.user:
              vars:
                ansible_user: ec2-user
              ...
    

    The options are equivalent.


    In your case, the easiest remedy is putting the variables into the block scope and removing them from the tasks

        - name: Configure users
          vars:
            ansible_user: ec2-user
            ansible_ssh_private_key_file: /home/me/.ssh/id_rsa_ec2-user
          block:
            ...
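The answer's block-scope remedy carried through into the question's full play, as an added example that is neither the asker's test playbook nor the answerer's snippet. It assumes a constructed inventory in which the host defaults to the service account (host name, address and key path are placeholders), that the service account's public key is shipped with the playbook as files/service_account.pub instead of being fetched from a URL, and it gathers facts explicitly after the account exists rather than at play start:

```yaml
# Assumed inventory (constructed for this example), e.g. inventory/hosts.yml:
#   all:
#     hosts:
#       ami-build-host:
#         ansible_host: 203.0.113.10
#         ansible_user: service_account
#         ansible_ssh_private_key_file: /home/me/.ssh/id_rsa_service_account
---
- hosts: all
  become: true
  # The implicit fact gathering runs at play start with the inventory defaults,
  # i.e. as service_account, which does not exist yet. Skip it here and run
  # setup explicitly once the account has been created.
  gather_facts: false
  tasks:
    - name: Configure users
      # Connection variables are evaluated per task, so vars at block scope make
      # every task inside the block connect as ec2-user with the ec2-user key.
      vars:
        ansible_user: ec2-user
        ansible_ssh_private_key_file: /home/me/.ssh/id_rsa_ec2-user
      block:
        - name: Configure Temporary Home
          ansible.builtin.file:
            path: /home1
            state: directory
            owner: root
            group: root
            serole: object_r
            setype: user_home_dir_t
            seuser: system_u

        - name: Configure service_account
          ansible.builtin.user:
            name: service_account
            password_lock: true
            comment: Service Account
            shell: /bin/bash
            home: /home1/service_account

        - name: Configure authorized keys
          ansible.posix.authorized_key:
            user: service_account
            state: present
            # Assumed: the public key lives next to the playbook under files/
            key: "{{ lookup('file', 'files/service_account.pub') }}"

    # Outside the block the vars no longer apply, so the connection falls back
    # to the inventory defaults: service_account and its private key.
    - name: Gather facts as service_account
      ansible.builtin.setup:

    - name: All other tasks here and below are executed as service_account
      ansible.builtin.debug:
        msg: "Connected as {{ ansible_user }}"
```

Because `become: true` stays on the play, every task after the block escalates from service_account, so that account needs a matching sudo rule on the image (not shown here); with `password_lock: true` that rule has to be passwordless, or the escalation will hang waiting for a password.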