
@grrywlsn
Created July 5, 2016 23:53
cloud-init script for AWS CentOS to use Ansible-Pull on startup
#!/bin/bash
# Set this script as the AWS user-data for a fresh CentOS 7 AMI.
# cloud-init runs it as root on first boot and logs to /var/log/cloud-init.log.
# Note: user-data is readable by any process on the instance (see the thread
# below), so the private key and AWS credentials embedded here are exposed.
set -eu
# epel-release comes from the CentOS extras repo and provides the ansible package
yum -y install epel-release
yum -y update
yum -y install ansible git
# Deploy key for the private git repo: create the directory and the key file
# with restrictive modes, owned by the centos user.
install -d -m 0700 -o centos -g centos /home/centos/.ssh
umask 077
cat <<EOF > /home/centos/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
EOF
chown centos:centos /home/centos/.ssh/id_rsa
# Static AWS credentials for boto (used by Ansible's AWS modules); the umask
# above keeps the file readable by root only.
cat <<EOF > /etc/boto.cfg
[Credentials]
aws_access_key_id = ABC123
aws_secret_access_key = ABC123ABC123
EOF
# Check out the playbook repo and run it locally on this instance
mkdir -p /usr/local/mbst
ansible-pull -C master -d /usr/local/mbst/ansible \
  -U git@gitlab.com:account/repo.git \
  --key-file /home/centos/.ssh/id_rsa --accept-host-key --full
@robertzakr

Hi grrywlsn,

I am looking to achieve the same as your script does but in a more secure way. Your script contains sensitive data (e.g. a private key or a password) which is not protected by cryptographic methods. This is what AWS says:

Important

Although you can only access instance metadata and user data from within the instance itself, the data is not protected by cryptographic methods. Anyone who can access the instance can view its metadata. Therefore, you should take suitable precautions to protect sensitive data (such as long-lived encryption keys). You should not store sensitive data, such as passwords, as user data.

Ref: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
R
