Is there a way to install a private key for a user with cloud-init?
-
I have a user that needs to authenticate against a company source repository when using `git clone`. To set this up for the user I need to specify a user's private key (not the host private key in `/etc`). Is there a method to do this? The user is configured with https://cloudinit.readthedocs.io/en/latest/topics/examples.html?highlight=system_info#including-users-and-groups , which doesn't have a mechanism to install the user's private key.
Note: Let's say you're provisioning a new machine and adding a user bob on it. How do you install a private key for bob such that he can authenticate with something using ssh?
-
Update
Oops, don't do this. It was pointed out to me that this was wholly insecure, as `curl http://169.254.169.254/latest/user-data` will show any unprivileged user the private keys. The data gets saved as `/run/cloud-init/instance-data.json`.
Original post
There is no module to make this easier, and there is no argument under `system_info` (how you add and configure the user) to ease the ability to configure the user's SSH keys. The way I went about this was adding something like this in my `main.tf` to populate the variable `ssh_keys_user`:
```hcl
ssh_keys_user = {
  write_files = [
    {
      path        = "/home/ecarroll/.ssh/id_rsa"
      content     = file("./ssh/user/cp-terraform-user-id_rsa")
      owner       = "ecarroll:ecarroll"
      permissions = "0600"
      defer       = true
    },
    {
      path        = "/home/ecarroll/.ssh/id_rsa.pub"
      content     = file("./ssh/user/cp-terraform-user-id_rsa.pub")
      owner       = "ecarroll:ecarroll"
      permissions = "0644"
      defer       = true
    },
    {
      path        = "/home/ecarroll/.ssh/id_ecdsa"
      content     = file("./ssh/user/cp-terraform-user-id_ecdsa")
      owner       = "ecarroll:ecarroll"
      permissions = "0600"
      defer       = true
    },
    {
      path        = "/home/ecarroll/.ssh/id_ecdsa.pub"
      content     = file("./ssh/user/cp-terraform-user-id_ecdsa.pub")
      owner       = "ecarroll:ecarroll"
      permissions = "0644"
      defer       = true
    },
    {
      path        = "/home/ecarroll/.ssh/id_ed25519"
      content     = file("./ssh/user/cp-terraform-user-id_ed25519")
      owner       = "ecarroll:ecarroll"
      permissions = "0600"
      defer       = true
    },
    {
      path        = "/home/ecarroll/.ssh/id_ed25519.pub"
      content     = file("./ssh/user/cp-terraform-user-id_ed25519.pub")
      owner       = "ecarroll:ecarroll"
      permissions = "0644"
      defer       = true
    }
  ]
}
```
Then what I did was wire it into my cloud-init like this:

```yaml
write_files: ${ yamlencode( ssh_keys_user.write_files ) }
```
I generated these files with a Makefile like this:

```make
user/cp-terraform-user-id_ecdsa:
	-mkdir user 2> /dev/null;
	ssh-keygen -C "User key for SSH authentication to repos" -N "" -b 521 -t ecdsa -f "$@";
	touch "$@";

user/cp-terraform-user-id_ed25519:
	-mkdir user 2> /dev/null;
	ssh-keygen -C "User key for SSH authentication to repos" -N "" -t ed25519 -f "$@";
	touch "$@";

user/cp-terraform-user-id_rsa:
	-mkdir user 2> /dev/null;
	ssh-keygen -C "User key for SSH authentication to repos" -N "" -b 4096 -t rsa -f "$@";
	touch "$@";
```
This works fine. Then I just added the `.pub` files to BitBucket and GitLab.
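The update above is the important part: anything delivered through user-data ends up readable by every local account, so a key shipped that way has to be treated as exposed. As an added example (not code from the original answer), the script below audits for that condition: it walks a JSON document shaped like `instance-data.json` and reports every string that embeds a PEM private-key header, and it checks a `write_files` list of the kind the answer's Terraform produces. The sample document and its layout are constructed for the demonstration; the real file's structure depends on the datasource and cloud-init version, which is why the walker does not assume any particular key names.

```python
"""Audit cloud-init artifacts for private-key material (added example).

Walks a JSON tree such as /run/cloud-init/instance-data.json and flags any
string containing a PEM private-key header, and separately audits a
cloud-config write_files list for key material and loose permissions.
"""
import json
import re
from typing import Any, Dict, Iterator, List, Tuple

# Header of every common private-key container: OPENSSH, RSA, EC, DSA,
# and the unprefixed PKCS#8 "PRIVATE KEY" form.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")


def _walk(node: Any, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string leaf in a JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_private_keys(json_text: str) -> List[str]:
    """Return the JSON paths of every string that embeds a private key.

    Anyone who can read the file (or query the metadata endpoint) sees the
    same bytes, so a non-empty result means the key must be rotated.
    """
    data = json.loads(json_text)
    return [path for path, value in _walk(data) if PRIVATE_KEY_RE.search(value)]


def audit_write_files(entries: List[Dict[str, Any]]) -> List[str]:
    """Flag write_files entries that carry private keys or loose modes.

    Returns human-readable findings; an empty list means nothing flagged.
    """
    findings: List[str] = []
    for entry in entries:
        path = entry.get("path", "<no path>")
        content = entry.get("content", "")
        perms = str(entry.get("permissions", "0644"))
        if PRIVATE_KEY_RE.search(content):
            findings.append(f"{path}: private key delivered via user-data")
            if perms != "0600":
                findings.append(f"{path}: private key with permissions {perms}, expected 0600")
        elif int(perms, 8) & 0o002:
            findings.append(f"{path}: world-writable permissions {perms}")
    return findings


# Constructed sample input: a fake key body (not a real key) embedded the way
# the answer's write_files would embed it, inside a document whose layout is
# invented for the demo rather than copied from a real instance-data.json.
FAKE_KEY = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "AAAAconstructed-not-a-real-key\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)
SAMPLE_INSTANCE_DATA = json.dumps({
    "v1": {"instance_id": "i-constructed"},
    "ds": {
        "user_data": "#cloud-config\nwrite_files:\n"
                     "- path: /home/bob/.ssh/id_ed25519\n  content: |\n" + FAKE_KEY
    },
})
SAMPLE_WRITE_FILES = [
    {"path": "/home/bob/.ssh/id_ed25519", "content": FAKE_KEY, "permissions": "0600"},
    {"path": "/home/bob/.ssh/id_ed25519.pub", "content": "ssh-ed25519 AAAAconstructed bob",
     "permissions": "0644"},
]

if __name__ == "__main__":
    for finding in find_private_keys(SAMPLE_INSTANCE_DATA):
        print(f"private key found in instance data at {finding}")
    for finding in audit_write_files(SAMPLE_WRITE_FILES):
        print(finding)
```

Pointed at a real host, `find_private_keys` can take the contents of `/run/cloud-init/instance-data.json` or the body returned by the metadata endpoint the answer quotes; the public-key entry passes because the regex matches only the private-key container header, so the `.pub` files the answer uploads to BitBucket and GitLab are not flagged.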