Lost in external secrets battle please help!


battlestargalactica

Mar 1, 2023, 3:15:22 PM
to AWX Project
Hello! I have been using AWX for over 4 years now and have seen much improvement along the way.

Something that is a bit unclear is how to utilize AWS Secrets Manager for a machine credential. That way, it pulls the password prior to runtime every time when executing a playbook. Then we are able to safely say that the password is never stored but rather is looked up every time.

To make it easier for my users I would love to create a custom credential type they can leverage for AWS Secrets similar to Vault or Hashicorp. Is this possible? I am a bit lost on how to build it from scratch.

Thank you again for your help!

AWX Project

Mar 3, 2023, 1:11:53 PM
to AWX Project
Hi, it is not currently possible to do the lookups for AWS Secrets Manager. A new credential plugin would need to be written to handle this, similar to the way we do lookups for hashivault credentials.


Feel free to open an RFE on AWX GitHub, and as always, a PR with this implementation would be welcomed and reviewed by the AWX Team.

AWX Team
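
A sketch of the kind of credential plugin the reply above describes, added here as an example; it is not code from the AWX project or from anyone in this thread. The `CredentialPlugin` tuple is redefined locally so the block runs without an AWX checkout, and the field ids, `make_backend` and `client_factory` are hypothetical names; only string secrets are handled, and how the plugin is registered with AWX is not shown.

```python
import collections
import json

# Three-field shape (name, inputs, backend) used for AWX credential plugins;
# redefined here as an assumption so the example is self-contained.
CredentialPlugin = collections.namedtuple('CredentialPlugin', ['name', 'inputs', 'backend'])

INPUTS = {
    'fields': [  # stored on the lookup credential itself (field ids are hypothetical)
        {'id': 'aws_access_key', 'label': 'AWS Access Key', 'type': 'string'},
        {'id': 'aws_secret_key', 'label': 'AWS Secret Key', 'type': 'string', 'secret': True},
    ],
    'metadata': [  # supplied per linked credential field
        {'id': 'region_name', 'label': 'AWS Region', 'type': 'string'},
        {'id': 'secret_name', 'label': 'Secret Name', 'type': 'string'},
        {'id': 'secret_key', 'label': 'JSON key inside the secret (optional)', 'type': 'string'},
    ],
    'required': ['region_name', 'secret_name'],
}


def _boto3_client(region_name, access_key=None, secret_key=None):
    import boto3  # imported lazily so the module loads without boto3 installed
    # With no static keys, boto3 falls back to its default chain (e.g. an IAM role).
    return boto3.client('secretsmanager', region_name=region_name,
                        aws_access_key_id=access_key or None,
                        aws_secret_access_key=secret_key or None)


def make_backend(client_factory=_boto3_client):
    def backend(**kwargs):
        # Called at job launch, so the password is fetched each run, not stored.
        client = client_factory(kwargs['region_name'],
                                kwargs.get('aws_access_key'), kwargs.get('aws_secret_key'))
        value = client.get_secret_value(SecretId=kwargs['secret_name'])['SecretString']
        key = kwargs.get('secret_key')
        if not key:
            return value
        try:
            return json.loads(value)[key]
        except (ValueError, KeyError, TypeError):
            # Keep the secret body out of the error message and traceback chain.
            raise ValueError(f"key {key!r} not found in secret {kwargs['secret_name']!r}") from None
    return backend


aws_secretsmanager_plugin = CredentialPlugin('AWS Secrets Manager (example)', INPUTS, make_backend())
```
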

battlestargalactica

Mar 20, 2023, 2:55:39 PM
to AWX Project
We have some code to test but are not sure how to really apply it in our EKS cluster. Do you have a way for us to test the code, or could we share it with someone from the AWX team?

AWX Project

Mar 22, 2023, 2:43:12 PM
to AWX Project
The easiest way to test your code change is to use the Docker-based development environment. From within the awx repo you can run "make docker-compose" and it will start an AWX instance locally with your code changes.

Alternatively, you can build a k8s-compatible AWX image using the "make awx-kube-build" command. Push the resulting image to a public repository like quay.io and then tell the awx-operator to use that AWX image.

AWX Team