How to use vault with AWX?


Jean-Francois Anctil

Sep 14, 2017, 8:22:47 AM
to AWX Project
Hi,
I have a vault.yml file and when I run a playbook from AWX that refers to a variable from the vault file, I got an error telling me that the variable can't be found. How can I use a vault in AWX?

Matthew Jones

Sep 14, 2017, 8:31:35 AM
to Jean-Francois Anctil, AWX Project
You'll need to set up a vault credential and associate it with the job template that you are running.


--
You received this message because you are subscribed to the Google Groups "AWX Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to awx-project+unsubscribe@googlegroups.com.
To post to this group, send email to awx-p...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/0b482267-bc95-433b-8803-b29bd27198d8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Matt Jones
Principal Software Engineer
Ansible Tower

Jean-Francois Anctil

Sep 14, 2017, 8:35:58 AM
to AWX Project
I forgot to mention it, but I already have the vault credential set up and associated with my job template. Is there a precise folder where I should put the vault.yml file? For now, I have put it in the group_vars/all subdirectory of my inventory. Is it OK?



Matthew Jones

Sep 14, 2017, 9:11:36 AM
to Jean-Francois Anctil, AWX Project
All you should need to do is stick it in a location that ansible would normally load vars from. Or if that's not possible, include it directly.


Jean-Francois Anctil

Sep 14, 2017, 9:24:11 AM
to AWX Project
What do you mean "include it directly"?

Since I am able to run my playbooks manually on the server, it means that my vault.yml is loaded...
Here is the output from AWX:

TASK [deploy_scripts : Create the SSH private key file] ************************
09:18:56
77
fatal: [cls1-labo-04.capitale.qc.ca]: FAILED! => {"failed": true, "msg": "the field 'args' has an invalid value, which appears to include a variable that is undefined. The error was: 'vault_auto_it_bitbucket_private_key' is undefined\n\nThe error appears to have been in '/var/lib/awx/projects/_6__conformite/roles/deploy_scripts/tasks/deploy_scripts.yml': line 68, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Create the SSH private key file\n ^ here\n"}


And here is the validation that the variable exists in the vault.yml file:

ansible-vault view /data/jfanctil/projects/ansible-inventory/inventories/group_vars/all/vault.yml| grep vault_auto_it_bitbucket_private_key
Vault password:
vault_auto_it_bitbucket_private_key: |


What am I doing wrong?



Jean-Francois Anctil

Sep 14, 2017, 9:34:54 AM
to AWX Project
FYI: my setup is like this: I have 2 projects: one for my playbooks and one for my inventory. So, my template is bound to the playbooks' project and my vault.yml resides in the inventory's project. Could it be the problem?




Christopher Meyers

Sep 14, 2017, 9:50:25 AM
to AWX Project
Yep, the two project setup is a problem for your use case. The vault file needs to live in the same repo as your playbook. Once you do that, you can use a machine credential, associated with your job template, that contains your vault password.

Bill Nottingham

Sep 14, 2017, 10:21:34 AM
to Jean-Francois Anctil, AWX Project
Jean-Francois Anctil (ancti...@gmail.com) said:
> I forgot to mention it, but I already have the vault credential set up
> and associated with my job template. Is there a precise folder where I should
> put the vault.yml file? For now, I have put it in the group_vars/all
> subdirectory of my inventory. Is it OK?

Are you using inventory from a project? Inventory from a project does not
currently support vaulted variables.

Bill

Jean-Francois Anctil

Sep 14, 2017, 10:52:43 AM
to AWX Project
Yes, that's what I am using, because I didn't find a way to retrieve my inventory from an on-premise git repository. The only options available for sources are "solutions" ones. Our inventory is stored in a git repository and that's why I used a project to retrieve it... Do you have another idea on how we should do it?

raf.nijs...@gmail.com

Sep 24, 2017, 2:28:06 PM
to AWX Project
It works when running it manually:
awx-manage inventory_import --inventory-id={{id}} --source inventory/ --overwrite --overwrite-vars
If you have a local ansible.cfg with the setting for vaultpassword-file it will actually use that.

Unfortunately, this makes it no longer a dynamic inventory.

Alan Rominger

Sep 25, 2017, 8:00:33 AM
to raf.nijs...@gmail.com, AWX Project
It sounds like your question comes down to this enhancement issue that we have open.


The need for this is new with the introduction of SCM-based inventory, and ansible-inventory allows for it. I'm very excited about adding this, but we still need to pass through the data in a secure way from the code that runs the task to the inventory import management command. So there is work to be done.

Until that's done, you might also be able to accomplish your overall goal using the custom credential type injection methods - you save your secret data in a credential, and use it in the script.

Alan
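
The custom credential type approach mentioned in the reply above, sketched as an added example that is not part of the original thread or of AWX's own code. The field id and labels are hypothetical; the injected variable name is the one the failing task in this thread reports as undefined.

```yaml
# Added example: the two definitions entered when creating a custom
# credential type in AWX, shown here as two YAML documents.
# Field id and labels are hypothetical (assumptions for illustration).

# Input configuration: what the credential form asks for.
fields:
  - id: bitbucket_private_key        # hypothetical field id
    type: string
    label: Bitbucket SSH private key # hypothetical label
    secret: true                     # stored encrypted, masked in the UI
    multiline: true                  # a private key spans several lines
required:
  - bitbucket_private_key
---
# Injector configuration: how the stored value reaches the job.
# The key below is the variable name taken from the error output
# earlier in this thread, so the role needs no change.
extra_vars:
  vault_auto_it_bitbucket_private_key: '{{ bitbucket_private_key }}'
```

A credential of this type is then attached to the job template, so the variable is defined for the run without the playbook reading vault.yml from the inventory project. Setting `no_log: true` on the task that writes the key keeps its value out of the job output.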
