How to perform a cyberarkpassword lookup for all hosts in an inventory group and write the keys out to individual pem files?

Ansible version 2.7.9

I'm writing an ansible playbook to deploy a piece of software to a Linux environment. SSH access to these systems is protected by a CPM (Cyberark), used as an ssh key manager.

I've got most of the logic figured out, save for one piece. The playbook needs to loop through hosts in an inventory group, look up the ssh private key in Cyberark for each host and then use each key to ssh into each host in the inventory group to install the software. I'm struggling with how to make that work in ansible.

I've read through the add_host and CyberArk password documentation, as well as about 4 hours' worth of searching StackOverflow and blogs, and couldn't find a single example even close to what I'm trying to do.

As far as how I think it should work:

  • Using the cyberark password lookup module, loop through hosts in the inventory group specified by {{ env }}. Value for this will be passed in through --extra-args.
  • Retrieve the ssh private key for each host.
  • Register the output from the lookup, and copy to disk, again looping through each host, and naming the file with {{ inventory_hostname }}.pem
  • Finally, to consume it in the next play, set a variable ansible_ssh_common_args: "-o StrictHostKeyChecking=no -i {{ deploy_temp_dir }}/keys/{{ inventory_hostname }}.pem"

But I can't figure out how to put the loop-lookup-write to disk piece together.

Python 26-08-22, 10:57 a.m. raivivan
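One way to put the loop-lookup-write step together, as an added example that is not part of the original question and not a known answer from the poster. It uses the `cyberarkpassword` lookup plugin and `groups[env]` as documented for Ansible 2.7, and assumes three things that are not in the question: the AIM application ID and safe name (`app_ansible`, `Linux_SSH_Keys`), that each account object in the safe is named after the inventory hostname, and that the lookup's returned dict exposes the key body under `password` as the plugin's return-value docs describe. The CyberArk AIM CLI (`clipasswordsdk`) has to be installed on the controller, because the lookup runs there.

```yaml
# Added example, not code from the original post. Assumptions are marked.
# Run with: ansible-playbook deploy.yml -e env=staging -e deploy_temp_dir=/tmp/deploy
---
- name: Fetch per-host SSH keys from CyberArk and stage them on the controller
  hosts: localhost
  gather_facts: false
  vars:
    key_dir: "{{ deploy_temp_dir }}/keys"
    # ASSUMPTION: the AIM application ID and safe naming used in the query below
    cyberark_appid: "app_ansible"
    cyberark_safe: "Linux_SSH_Keys"
  tasks:
    - name: Create a private directory for the key files
      file:
        path: "{{ key_dir }}"
        state: directory
        mode: "0700"

    - name: Look up each host's private key and write it to <host>.pem
      copy:
        # ASSUMPTION: the lookup result exposes the PEM body under 'password',
        # and the account object in the safe is named after the inventory hostname.
        # A trailing newline is appended so the PEM footer line is terminated.
        content: "{{ lookup('cyberarkpassword', cyquery).password }}\n"
        dest: "{{ key_dir }}/{{ item }}.pem"
        mode: "0600"          # private key: owner read/write only
      vars:
        cyquery:
          appid: "{{ cyberark_appid }}"
          query: "safe={{ cyberark_safe }};folder=root;object={{ item }}"
          output: "Password"
      loop: "{{ groups[env] }}"
      no_log: true            # keep key material out of the playbook output and logs

- name: Install the software on every host in the group using its staged key
  hosts: "{{ env }}"
  vars:
    # Templated per host, so each host picks up its own .pem from the first play.
    ansible_ssh_private_key_file: "{{ deploy_temp_dir }}/keys/{{ inventory_hostname }}.pem"
  tasks:
    - name: Placeholder for the actual install steps
      debug:
        msg: "Connected to {{ inventory_hostname }} with its CyberArk-managed key"

- name: Remove the staged keys from the controller once the deployment is done
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Delete the key directory
      file:
        path: "{{ deploy_temp_dir }}/keys"
        state: absent
```

The first play runs on the controller and loops over the group named by `env`, so the lookup and the `copy` happen once per host without needing `add_host`. The second play sets `ansible_ssh_private_key_file` instead of passing `-i` through `ansible_ssh_common_args`; either works, but the dedicated variable keeps host key checking at its default, and `no_log` plus the `0600` mode keep the private keys out of logs and away from other users on the controller. The final play deletes the staged keys so they do not outlive the run.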
