How to use AWX vault password


Tony

Sep 22, 2021, 8:33:16 AM
to AWX Project
I have created a vault password in AWX and I would like to use it in a playbook.

something like

- name: Backup AWX
  debug:
    msg: "username=john password={{ ansible_vault_password }}"

how do I do this?

Thanks

John Westcott

Sep 22, 2021, 8:54:39 AM
to Tony, AWX Project
The vault password credential type allows you to decrypt vaults within your playbook.
Let's say John's password is asdf1234 and you want to use that in the task you presented.
First create a vault for John's password like:

echo -n 'asdf1234' | ansible-vault encrypt_string --ask-vault-pass
New Vault password: 
Confirm New Vault password: 
Reading plaintext input from stdin. (ctrl-d to end input, twice if your content does not already have a newline)

!vault |
          $ANSIBLE_VAULT;1.1;AES256
          30313764383134623834376663376435336330316134366562626464373738306239323633623963
          3763313333616166666134613138393739373933326338660a626562646136393864663064353134
          37623163336337333535353533303233366136326430373930623230356333343961336230633739
          3231376663343163330a363261376639313238656234393336386661363938643739663565346662
          3630
Encryption successful

Note, this command asked me for a vault password. Here I entered something different than 'asdf1234', let's say 'qwerty1234'.

Now this vaulted text can be put into your playbook:

- name: Run AWX backups
  hosts: my_backup_server
  vars:
    johns_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          30313764383134623834376663376435336330316134366562626464373738306239323633623963
          3763313333616166666134613138393739373933326338660a626562646136393864663064353134
          37623163336337333535353533303233366136326430373930623230356333343961336230633739
          3231376663343163330a363261376639313238656234393336386661363938643739663565346662
          3630
  tasks:

    - name: Backup AWX
      debug:
        msg: "username=john password={{ johns_password }}"

If you try to run this playbook without specifying the vault password you will get an error like:
fatal: [localhost]: FAILED! => {"msg": "Attempting to decrypt but no vault secrets found"}

Now you can create your vault password credential in Tower giving it the password to unlock the vault (qwerty1234 in our example) and apply this credential to the job template.
AWX will pass the vault password into Ansible, and Ansible will use the password to unlock the vault, and your playbook will now run:
ok: [localhost] => {
    "msg": "username=john password=asdf1234"
}

There are several ways to use vaults in your playbooks; I chose to embed them as vars in this example because it's compact. See the documentation for other methods.

In addition, there are other credential types including custom credentials in AWX.
If you don’t want to use the vaulted method and instead want to embed a password as a variable directly, as you did in your example, have a look at the custom credential types in AWX:


-John
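
Added example, not part of the original posts and not AWX or Ansible project code: a pre-flight check that the password you are about to store in the AWX vault credential is the one that unlocks an `encrypt_string` value, by parsing the `$ANSIBLE_VAULT;1.1;AES256` envelope and recomputing its HMAC. The function names are hypothetical, the key derivation (PBKDF2-HMAC-SHA256, 10000 rounds, 80 bytes) is assumed to be that of the 1.1 AES256 format, and the sample envelope is constructed with placeholder ciphertext.

```python
import binascii
import hashlib
import hmac
import os

HEADER = "$ANSIBLE_VAULT;1.1;AES256"

def parse_vault(text):
    """Split an encrypt_string blob into (salt, mac, ciphertext) raw bytes."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if lines and lines[0].startswith("!vault"):   # tolerate the YAML tag line
        lines = lines[1:]
    if not lines or lines[0] != HEADER:
        raise ValueError("not a 1.1 AES256 vault envelope")
    # Body is hex of b"<hex salt>\n<hex hmac>\n<hex ciphertext>"
    inner = binascii.unhexlify("".join(lines[1:]))
    parts = inner.split(b"\n")
    if len(parts) != 3:
        raise ValueError("expected salt, hmac and ciphertext fields")
    return tuple(binascii.unhexlify(p) for p in parts)

def _mac_key(password, salt):
    # Assumed KDF layout: 80 derived bytes = AES key | HMAC key | IV
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000, 80)
    return derived[32:64]

def password_unlocks(text, password):
    """True if `password` reproduces the HMAC stored in the envelope."""
    salt, mac, ciphertext = parse_vault(text)
    expected = hmac.new(_mac_key(password, salt), ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)

def make_sample(password, ciphertext=b"\x00" * 16):
    """Constructed test envelope: real KDF and HMAC, placeholder ciphertext."""
    salt = os.urandom(32)
    mac = hmac.new(_mac_key(password, salt), ciphertext, hashlib.sha256).digest()
    inner = b"\n".join(binascii.hexlify(x) for x in (salt, mac, ciphertext))
    body = binascii.hexlify(inner).decode()
    rows = [body[i:i + 80] for i in range(0, len(body), 80)]
    return "\n".join([HEADER] + rows)

if __name__ == "__main__":
    sample = make_sample("qwerty1234")             # constructed, not from the thread
    print(password_unlocks(sample, "qwerty1234"))  # credential matches the vault
    print(password_unlocks(sample, "asdf1234"))    # wrong value pasted into AWX
```

A mismatch here means the job would fail at decryption even with the credential attached, which is a different failure from the "no vault secrets found" error shown above.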




Tony

Sep 22, 2021, 9:34:56 AM
to John Westcott, AWX Project
works brilliantly, thank you