I am trying to build a playbook which includes distributing authorized SSH keys.

Each user's key is put into its own file named after the username. Users who need to be distributed are set in the variable, and then it uses lookup to read files in a loop. Strangely enough, the debug module works, but the authorized_key module doesn't work with exactly the same lookup. This is the playbook:

    - hosts: hosts
      vars_files:
      - users-config.yaml
      tasks:
      - debug:
          msg: "{{ lookup('file', 'ssh_keys/' + item.username) }}"
        when: item.state == "present"
        loop: "{{ users }}"
      - name: distribute authorized_keys
        ansible.posix.authorized_key:
          user: "{{ item.key }}"
          key: "{{ lookup('file', 'ssh_keys/' + item.username) }}"
          manage_dir: true
        when: item.state == "present"
        loop: "{{ users }}"

users-config.yaml has the following structure:

    users:
    - username: apushkin
      gecos: Alexander Pushkin
      state: present
      groups: wheel
    - username: nkhrushchev
      gecos: Nikita Khrushchev
      state: present
      groups: wheel

ssh_keys/apushkin and nkhrushchev each contain one or several SSH keys and are readable. Running ansible-playbook --check playbook.yaml results in the following output:

TASK [debug] ********************************************************************************************************************************************************************************
ok: [host1] => (item={'username': 'apushkin', 'gecos': 'Alexander Pushkin', 'state': 'present', 'groups': 'wheel'}) => {
    "msg": "ssh-rsa AAAA..."
}
ok: [host1] => (item={'username': 'nkhrushchev', 'gecos': 'Nikita Khrushchev', 'state': 'present', 'groups': 'wheel'}) => {
    "msg": "ecdsa-sha2-nistp384 AAAA...\nssh-ed25519 AAAA..."
}
ok: [host2] => (item={'username': 'apushkin', 'gecos': 'Alexander Pushkin', 'state': 'present', 'groups': 'wheel'}) => {
    "msg": "ssh-rsa AAAA..."
}
ok: [host2] => (item={'username': 'nkhrushchev', 'gecos': 'Nikita Khrushchev', 'state': 'present', 'groups': 'wheel'}) => {
    "msg": "ecdsa-sha2-nistp384 AAAA...\nssh-ed25519 AAAA..."
}

TASK [distribute authorized_keys] ***********************************************************************************************************************************************************
fatal: [host1]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'key'\n\nThe error appears to be in '/home/username/Ansible/playbook.yaml': line 9, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n    loop: \"{{ users }}\"\n  - name: distribute authorized_keys\n    ^ here\n"}
fatal: [host2]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'key'\n\nThe error appears to be in '/home/username/Ansible/playbook.yaml': line 9, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n    loop: \"{{ users }}\"\n  - name: distribute authorized_keys\n    ^ here\n"}

Why? Is there an alternate way of doing this?

1 Answer

This is the key (no pun intended):

'dict object' has no attribute 'key'

Your users definition has no attribute key. You most probably want to use username instead.

    ansible.posix.authorized_key:
      user: "{{ item.username }}"
  • Nothing. Is. More. Humiliating. Erm, I mean, thank you. Jul 21, 2022 at 17:32
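
Why the debug task passed while the authorized_key task failed, as an added example that is not part of the original question or answer: Ansible renders a task's templates only when that task runs, so only the task that references `item.key` hits the missing attribute. The sketch below scans each task's strings for `item.<attr>` references and checks them against the loop items; the function names and the regex heuristic are assumptions of this example, and the data is constructed from the question.

```python
import re

# Constructed sample data mirroring the question's users-config.yaml.
USERS = [
    {"username": "apushkin", "gecos": "Alexander Pushkin", "state": "present", "groups": "wheel"},
    {"username": "nkhrushchev", "gecos": "Nikita Khrushchev", "state": "present", "groups": "wheel"},
]

# The two tasks from the question, as already-parsed YAML (loop omitted).
TASKS = [
    {"debug": {"msg": "{{ lookup('file', 'ssh_keys/' + item.username) }}"},
     "when": 'item.state == "present"'},
    {"name": "distribute authorized_keys",
     "ansible.posix.authorized_key": {
         "user": "{{ item.key }}",
         "key": "{{ lookup('file', 'ssh_keys/' + item.username) }}",
         "manage_dir": True},
     "when": 'item.state == "present"'},
]

# Heuristic, not a Jinja parser: catches item.attr, misses item['attr'].
ITEM_ATTR = re.compile(r"\bitem\.([A-Za-z_]\w*)")

def item_attrs(node):
    """Collect every item.<attr> reference in a task's strings, recursively."""
    if isinstance(node, str):
        return set(ITEM_ATTR.findall(node))
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        return set().union(*(item_attrs(v) for v in node))
    return set()  # booleans, numbers, None carry no templates

def missing_attrs(task, items):
    """Map each referenced attribute to the indexes of loop items lacking it."""
    report = {}
    for attr in sorted(item_attrs(task)):
        absent = [i for i, item in enumerate(items) if attr not in item]
        if absent:
            report[attr] = absent
    return report

if __name__ == "__main__":
    for task in TASKS:
        label = task.get("name", "debug")
        print(label, "->", missing_attrs(task, USERS) or "ok")
```

Run against the parsed playbook before deployment, a check like this reports `key` as missing from both user entries for the second task and nothing for the first.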
