Try to get all the fedimg keys in the right place.

playbooks/groups/fedimg.yml

@@ -57,7 +57,16 @@
 
   roles:
   - fedmsg/hub
-  - fedimg
+  - role: fedimg
+    aws_keyname: fedimg-dev
+    aws_keypath: /etc/pki/fedimg/fedimg-dev
+    aws_pubkeypath: /etc/pki/fedimg/fedimg-dev.pub
+    when: env == 'staging'
+  - role: fedimg
+    aws_keyname: releng-ap-northeast-1
+    aws_keypath: /etc/pki/fedimg/fedimg-prod
+    aws_pubkeypath: /etc/pki/fedimg/fedimg-prod.pub
+    when: env != 'staging'
   - role: collectd/fedmsg-service
     process: fedmsg-hub
 

roles/fedimg/tasks/main.yml

@@ -65,13 +65,8 @@
   copy: src={{private}}/files/fedimg/{{item}} dest=/etc/pki/fedimg/{{item}}
         owner=fedmsg group=fedmsg mode=0100
   with_items:
-  # TODO -- we should be using the 'prod' "official account" creds here, but we
+  - fedimg-prod
-  # don't have access to them yet.  In the mean time, just re-used the
+  - fedimg-prod.pub
-  # "community account" creds from staging.
-  #- fedimg-prod
-  #- fedimg-prod.pub
-  - fedimg-dev
-  - fedimg-dev.pub
   notify:
   - restart fedmsg-hub
   when: env != "staging"

roles/fedimg/templates/fedimg.cfg

@@ -18,9 +18,11 @@ access_id = {{fedimg_aws_prod_access_id}}
 secret_key = {{fedimg_aws_prod_secret_key}}
 {% endif %}
 iam_profile = {{aws_iam_profile}}
+
 keyname = {{aws_keyname}}
 keypath = {{aws_keypath}}
 pubkeypath = {{aws_pubkeypath}}
+
 test = {{aws_test}}
 amis = ap-northeast-1|RHEL|6.5|x86_64|ami-e7aee0e6|aki-176bf516
        ap-southeast-1|RHEL|6.5|x86_64|ami-c683df94|aki-503e7402

roles/fedimg/vars/main.yml

@@ -5,7 +5,4 @@ aws_util_username: ec2-user
 aws_test_username: fedora
 # access_id and secret_key are in private vars
 aws_iam_profile: "arn:aws:iam::013116697141:user/oddshocks"
-aws_keyname: fedimg-dev
-aws_keypath: /etc/pki/fedimg/fedimg-dev
-aws_pubkeypath: /etc/pki/fedimg/fedimg-dev.pub
 aws_test: "/bin/true"