Ansible apt_key Module Tutorial + Examples


Percy Grunwald's Profile Picture

Written by Percy Grunwald

— Last Updated February 22, 2019

What does the Ansible apt_key module do?

Ansible’s apt_key module imports a GPG public key into the local APT GPG keyring with apt-key. After importing, the GPG key can used to verify deb packages from third party repositories. The Elasticsearch deb repository is a popular example of a third party repository that uses GPG signing to verify their packages.

Managing apt keys generally requires superuser/root permissions, so become: true is required in most cases.

The apt_key module is generally used in combination with the apt module and apt_repository module:

- name: import the elasticsearch apt key
  apt_key:
    url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
    state: present
  become: true

- name: install elasticsearch 6.x deb repository
  apt_repository:
    repo: deb https://artifacts.elastic.co/packages/6.x/apt stable main
    state: present
  become: true

- name: install elasticsearch 6.x
  apt:
    name: "{{ item }}"
    state: present
    update_cache: true
  loop:
    - openjdk-8-jre-headless
    - elasticsearch
  become: true

Examples

How to import a GPG key from a URL

Set the url parameter to the URL of the key and state: present to install a key from the internet. If the key is already installed, Ansible will do nothing. The example below shows how to import the Elasticsearch PGP key.

- name: import the elasticsearch apt key
  apt_key:
    url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
    state: present
  become: true

How to import a GPG key from a keyserver

You can import a GPG key directly from the keyserver (usually keyserver.ubuntu.com) by setting the id and keyserver parameters, if you have the ID of the GPG key.

- name: import the elasticsearch apt key from the keyserver
  apt_key:
    id: D88E42B4
    keyserver: keyserver.ubuntu.com
    state: present
  become: true

How to import a GPG key from a file

You can import a GPG key from a local file by passing the file path to the file parameter.

- name: download the elasticsearch apt key
  get_url:
    url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
    dest: /etc/elasticsearch.key
  become: true

- name: install elasticsearch apt key from a file
  apt_key:
    file: /etc/elasticsearch.key
    state: present
  become: true

How to remove a GPG key from the APT keyring

You will need the ID of the key to remove it from the apt keyring. The key’s ID is the last 8 characters of its fingerprint, which you can get from the apt-key list command:

ubuntu@ip-10-1-11-79:~$ apt-key list
...
/etc/apt/trusted.gpg
--------------------
pub   rsa2048 2013-09-16 [SC]
      4609 5ACC 8548 582C 1A26  99A9 D27D 666C D88E 42B4
uid           [ unknown] Elasticsearch (Elasticsearch Signing Key) <dev_ops@elasticsearch.org>
sub   rsa2048 2013-09-16 [E]
...

In the output above, the fingerprint of the Elasticsearch key is 4609 5ACC 8548 582C 1A26 99A9 D27D 666C D88E 42B4. The last 8 characters (excluding spaces) are D88E42B4, which is the ID of the key.

Set the id parameter and state: absent to remove the key.

- name: remove the elasticsearch apt key
  apt_key:
    id: D88E42B4
    state: absent
  become: true

How to capture apt_key module output

Use the register keyword to capture the output of the apt_key module.

- name: import the elasticsearch apt key
  apt_key:
    url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
    state: present
  become: true
  register: apt_key_output

The debug task above will output the following:

ok: [123.123.123.123] => {
    "apt_key_output": {
        "changed": true,
        "failed": false
    }
}

Further reading

Comments