Ansible apt_key Module Tutorial + Examples



Written by Percy Grunwald

— Last Updated February 22, 2019

What does the Ansible apt_key module do?

Ansible’s apt_key module imports a GPG public key into the local APT GPG keyring with apt-key. After importing, the GPG key can be used to verify deb packages from third-party repositories. The Elasticsearch deb repository is a popular example of a third-party repository whose packages are GPG-signed.

Managing apt keys generally requires superuser/root permissions, so become: true is required in most cases.

The apt_key module is generally used in combination with the apt module and apt_repository module:

- name: import the elasticsearch apt key
  apt_key:
    url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
    state: present
  become: true

- name: install elasticsearch 6.x deb repository
  apt_repository:
    repo: deb https://artifacts.elastic.co/packages/6.x/apt stable main
    state: present
  become: true

- name: install elasticsearch 6.x
  apt:
    name: "{{ item }}"
    state: present
    update_cache: true
  loop:
    - openjdk-8-jre-headless
    - elasticsearch
  become: true

Examples

How to import a GPG key from a URL

Set the url parameter to the URL of the key and state: present to install a key from the internet. If the key is already installed, Ansible will do nothing. The example below shows how to import the Elasticsearch PGP key.

- name: import the elasticsearch apt key
  apt_key:
    url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
    state: present
  become: true

How to import a GPG key from a keyserver

If you have the ID of the GPG key, you can import it directly from a keyserver (usually keyserver.ubuntu.com) by setting the id and keyserver parameters.

- name: import the elasticsearch apt key from the keyserver
  apt_key:
    id: D88E42B4
    keyserver: keyserver.ubuntu.com
    state: present
  become: true

How to import a GPG key from a file

You can import a GPG key from a local file by passing the file path to the file parameter.

- name: download the elasticsearch apt key
  get_url:
    url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
    dest: /etc/elasticsearch.key
  become: true

- name: install elasticsearch apt key from a file
  apt_key:
    file: /etc/elasticsearch.key
    state: present
  become: true

How to remove a GPG key from the APT keyring

You will need the ID of the key to remove it from the apt keyring. The key’s ID is the last 8 characters of its fingerprint, which you can get from the apt-key list command:

ubuntu@ip-10-1-11-79:~$ apt-key list
...
/etc/apt/trusted.gpg
--------------------
pub   rsa2048 2013-09-16 [SC]
      4609 5ACC 8548 582C 1A26  99A9 D27D 666C D88E 42B4
uid           [ unknown] Elasticsearch (Elasticsearch Signing Key) <dev_ops@elasticsearch.org>
sub   rsa2048 2013-09-16 [E]
...

In the output above, the fingerprint of the Elasticsearch key is 4609 5ACC 8548 582C 1A26 99A9 D27D 666C D88E 42B4. The last 8 characters (excluding spaces) are D88E42B4, which is the ID of the key.
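The derivation above (fingerprint to key ID) can be done programmatically. The following is an added Python example, not code from the tutorial or from Ansible: it parses the shape of `apt-key list` output shown above (the sample text is constructed from the page's terminal session), extracts each key's fingerprint, derives the 8-character short ID and the 16-character long ID, and checks whether a keyring contains a key with an expected fingerprint. Comparing against the full fingerprint rather than the short ID is the check to use before trusting a key: the short 8-hex-digit ID is only 32 bits and is not unique.

```python
import re

# Constructed sample of `apt-key list` output, shaped like the tutorial's
# terminal session (the Elasticsearch key shown on the page).
SAMPLE_APT_KEY_LIST = """\
/etc/apt/trusted.gpg
--------------------
pub   rsa2048 2013-09-16 [SC]
      4609 5ACC 8548 582C 1A26  99A9 D27D 666C D88E 42B4
uid           [ unknown] Elasticsearch (Elasticsearch Signing Key) <dev_ops@elasticsearch.org>
sub   rsa2048 2013-09-16 [E]
"""

# A fingerprint line: leading whitespace, ten groups of four hex digits.
FINGERPRINT_RE = re.compile(r"^\s+((?:[0-9A-F]{4}\s+){9}[0-9A-F]{4})\s*$")
# A uid line: "uid", the bracketed trust level, then the user id text.
UID_RE = re.compile(r"^uid\s+\[.*?\]\s+(.*)$")


def parse_apt_key_list(text):
    """Return a list of (fingerprint, uid) pairs found in apt-key list output.

    The fingerprint is returned as 40 hex characters with spaces removed.
    """
    keys = []
    fingerprint = None
    for line in text.splitlines():
        m = FINGERPRINT_RE.match(line)
        if m:
            fingerprint = m.group(1).replace(" ", "")
            continue
        m = UID_RE.match(line)
        if m and fingerprint:
            keys.append((fingerprint, m.group(1).strip()))
            fingerprint = None  # each fingerprint is paired with its first uid
    return keys


def key_ids(fingerprint):
    """Derive the short (8) and long (16) key IDs from a 40-hex-char fingerprint."""
    fp = fingerprint.replace(" ", "").upper()
    if len(fp) != 40 or any(c not in "0123456789ABCDEF" for c in fp):
        raise ValueError("expected a 40 hex character fingerprint")
    return {"short": fp[-8:], "long": fp[-16:], "fingerprint": fp}


def keyring_has_fingerprint(text, expected_fingerprint):
    """True if apt-key list output contains a key with exactly this fingerprint."""
    expected = expected_fingerprint.replace(" ", "").upper()
    return any(fp == expected for fp, _uid in parse_apt_key_list(text))


if __name__ == "__main__":
    for fp, uid in parse_apt_key_list(SAMPLE_APT_KEY_LIST):
        ids = key_ids(fp)
        print(f"{uid}\n  fingerprint: {ids['fingerprint']}\n  long id: {ids['long']}\n  short id: {ids['short']}")
```

Run it against real output with `apt-key list | python3 thisscript.py` after changing the `__main__` block to read `sys.stdin`; the `keyring_has_fingerprint` check is the one to put in a verification step, with the fingerprint taken from the vendor's published documentation rather than from the downloaded key itself.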

Set the id parameter and state: absent to remove the key.

- name: remove the elasticsearch apt key
  apt_key:
    id: D88E42B4
    state: absent
  become: true

How to capture apt_key module output

Use the register keyword to capture the output of the apt_key module, then print the registered variable with a debug task.

- name: import the elasticsearch apt key
  apt_key:
    url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
    state: present
  become: true
  register: apt_key_output

- name: print the apt_key module output
  debug:
    var: apt_key_output

The debug task above will output the following:

ok: [123.123.123.123] => {
    "apt_key_output": {
        "changed": true,
        "failed": false
    }
}
