How to use Credentials in AWX playbook
9,508 views
Skip to first unread message
dov...@yahoo.com
Jun 26, 2018, 8:51:42 PM6/26/18
to AWX Project
Hi All,
I am just new on the AWX and ansible. How do i tell the playbook to use the credentials on a playbook that is going to be run via AWX?. I create the credentials via AWX GUI for Network in my case. What variable or values i need to pass it on the playbook so that AWX will grab it properly to use it?.
currently my playbook is like this on ansible.
---
- name: Show Config
hosts: FW
connection: local
vars_files:
- /etc/ansible/vars/creds.yml
tasks:
# - name: Get credentials
# include_vars: secrets.yml
- name: show config
asa_command:
commands:
- show run
provider:
username: "{{ansible_user}}"
password: "{{ansible_ssh_pass}}"
authorize: yes
auth_pass: "{{ansible_auth_pass}}"
Regards,
S.Suresh
samineni
Jun 26, 2018, 11:19:55 PM6/26/18
to dov...@yahoo.com, AWX Project
Suresh,
Add survey option is there to provide the run time variables.
instead of calling from another yml.
--
You received this message because you are subscribed to the Google Groups "AWX Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to awx-project...@googlegroups.com.
To post to this group, send email to awx-p...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/7fbbe42c-bce2-4e68-818f-9049d13a8bc6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
dov...@yahoo.com
Jun 27, 2018, 10:51:11 AM6/27/18
to AWX Project
Maybe i should re-word my question,
How i can modify the above playbook so that vault/credentials can be accessed/invoked/used in the playbook via template?.
S.Suresh
Daniel Macuare
Aug 1, 2018, 4:06:14 AM8/1/18
to AWX Project
This is a great question... I'm having exactly the same issue and I'm struggling to get information about this.
How can I reference a Credential I've set up in AWX.
If my playbook looks like this (See below), how can I tell Ansible to look for the Private key and the username created in the AWX-Credentials area?
How can I reference a Credential I've set up in AWX.
If my playbook looks like this (See below), how can I tell Ansible to look for the Private key and the username created in the AWX-Credentials area?
---
- name: NET - PULLING CONFIG
hosts: OFFICES
connection: local
gather_facts: no
roles:
- Juniper.junos
tasks:
- name: Retrieving full config from devices
juniper_junos_config:
host: '{{ inventory_hostname }}'
user: 'netscript'
ssh_private_key_file: '~/.ssh/test_key'
port: 830
timeout: 300
format: text
return_output: false
retrieve: committed
dest_dir: "output/"
tags:
- get_conf
Christopher Meyers
Aug 1, 2018, 10:40:25 AM8/1/18
to AWX Project
Hi all,
Credentials are injected in the running Ansible environment in 3 ways:
1. env variables
2. ansible extra variables
3. files (usually with an env variable pointing at the file path)
Suresh,
Your using network credentials. These are injected via ENV variables. Specifically:
for network_cred in job.network_credentials:
env['ANSIBLE_NET_USERNAME'] = network_cred.username
env['ANSIBLE_NET_PASSWORD'] = decrypt_field(network_cred, 'password')
ssh_keyfile = cred_files.get(network_cred, '')
if ssh_keyfile:
env['ANSIBLE_NET_SSH_KEYFILE'] = ssh_keyfile
authorize = network_cred.authorize
env['ANSIBLE_NET_AUTHORIZE'] = six.text_type(int(authorize))
if authorize:
env['ANSIBLE_NET_AUTH_PASS'] = decrypt_field(network_cred, 'authorize_password')In Ansible, you use a lookup to get environment variables. ie. lookup('env','ANSIBLE_NET_USERNAME')
Daniel,
Looks like you want:
---
- name: NET - PULLING CONFIG
hosts: OFFICES
connection: local
gather_facts: no
roles:
- Juniper.junos
tasks:
- name: Retrieving full config from devices
juniper_junos_config:
host: '{{ inventory_hostname }}'
user: '{{ lookup(env, "ANSIBLE_NET_USERNAME" }}'
ssh_private_key_file: '{{ lookup(env, "ANSIBLE_NET_SSH_KEYFILE") }}'
port: 830
timeout: 300
format: text
return_output: false
retrieve: committed
dest_dir: "output/"
tags:
- get_conf
Daniel Macuare
Aug 6, 2018, 7:49:32 AM8/6/18
to AWX Project
Hi Chris,
Thanks for your clear answer. Based on it, I could see I wasn't using a Network-type credential but machine-type credentials instead. I've now changed my credential to this and I can see some content in the `ANSIBLE_NET_SSH_KEYFILE`
However, I'm still unable to access my devices. As the content of the ssh file is encrypted, is it expected to see the following:?
SSH Key file content
I'm struggling as I cannot see what I'm passing to my network devices as a credential.
Task 1- To debug the content of the ANSIBLE_NET_SSH_KEYFILE that I'm using to pass to my devices on the 2 task
Thanks for your clear answer. Based on it, I could see I wasn't using a Network-type credential but machine-type credentials instead. I've now changed my credential to this and I can see some content in the `ANSIBLE_NET_SSH_KEYFILE`
However, I'm still unable to access my devices. As the content of the ssh file is encrypted, is it expected to see the following:?
SSH Key file content
TASK [Show the content of the SSH Key] *****************************************
ok: [man3-rc-core4500-01] => {
"msg": "/tmp/awx_77_dZzrdo/tmpli6mRb"
In an ideal scenario, shouldn't I see something like this: instead ?
msg: -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED .....
I'm struggling as I cannot see what I'm passing to my network devices as a credential.
Error
Next, you can see the playbook I'm using. I've got 2 tasks:TASK [Retrieving full config from devices] *************************************
e30=DeyJ1dWlkIjogIjJiZDMzZmE0LTMxZjItNDMwZi1iMDExLTE5NWU0MGNkM2Q5OCJ9Dfatal: [man3-rc-voip4200-04]: FAILED! => {"changed": false, "msg": "Unable to make a PyEZ connection: ConnectAuthError(man3-rc-core4500-01)"}
Task 1- To debug the content of the ANSIBLE_NET_SSH_KEYFILE that I'm using to pass to my devices on the 2 task
Task 2 - Pass the credentials to my network devices.
Pbook
Pbook
---
- name: NET - PULLING CONFIG
hosts: OFFICES
connection: local
gather_facts: no
roles:
- Juniper.junos
tasks:
- name: Show the content of the SSH Key
debug:
msg: '{{ lookup("env", "ANSIBLE_NET_SSH_KEYFILE") }}'
- name: Retrieving full config from devices
juniper_junos_config:
host: '{{ inventory_hostname }}'
user: 'netscript'
ssh_private_key_file: '{{ lookup("env", "ANSIBLE_NET_SSH_KEYFILE") }}'
port: 830
timeout: 300
format: text
return_output: false
retrieve: committed
dest_dir: 'output/'
tags:
- get_confIs there something else I can do to troubleshoot this issue?
Thanks for your comments in advance.
Christopher Meyers
Aug 6, 2018, 8:25:41 AM8/6/18
to AWX Project
- name: Show the content of the SSH Key
debug:
msg: '{{ lookup("env", "ANSIBLE_NET_SSH_KEYFILE") }}'
^^ will not show the contents of the file, it will just print the file location.
{{ lookup("file", "ANSIBLE_NET_SSH_KEYFILE" }} <-- will print the contents of the file.
I'm not super familiar with network modules. Might you need to tell the networking modules to accept ssh host keys?
Daniel Macuare
Aug 6, 2018, 9:02:46 AM8/6/18
to AWX Project
Thanks Chris,
As per the Juniper network module documentation I'm using, the default behavior for this module is to look for the path this way:
The first defined value from the following list
1) The
2) The value specified using the
3) none (the file specified in the user's SSH configuration, or the operating-system-specific default)
If that's the case then AWX is passing the following path to the module:
/tmp/awx_77_dZzrdo/tmpli6mRb
Which as I understand would be the location of the network-type credential (encrypted). Should then the module be able to decrypt the file by itself?.
Based on your suggestion I've modified my playbook to output the content of the file
As per the Juniper network module documentation I'm using, the default behavior for this module is to look for the path this way:
The first defined value from the following list
1) The
ANSIBLE_NET_SSH_KEYFILE environment variable. (used by Ansible Tower) 2) The value specified using the
--private-key or --key-file command line arguments to the ansibleor ansible-playbook command. 3) none (the file specified in the user's SSH configuration, or the operating-system-specific default)
If that's the case then AWX is passing the following path to the module:
/tmp/awx_77_dZzrdo/tmpli6mRb
Which as I understand would be the location of the network-type credential (encrypted). Should then the module be able to decrypt the file by itself?.
Based on your suggestion I've modified my playbook to output the content of the file
- name: Show the content of the SSH Key
debug:
msg: '{{ lookup("file", "ANSIBLE_NET_SSH_KEYFILE") }}'TASK [Show the content of the SSH Key] *****************************************
[WARNING]: Unable to find 'ANSIBLE_NET_SSH_KEYFILE' in expected paths (use
-vvvvv to see paths)
fatal: [man3-rc-core4500-01]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: ANSIBLE_NET_SSH_KEYFILE"}
[WARNING]: Unable to find 'ANSIBLE_NET_SSH_KEYFILE' in expected paths (use
-vvvvv to see paths)What I'm trying to understand here is if this is expected from the AWX perspective or if this is something the 3rd party (Juniper) is failing to handle from its module?
Thanks once again for your help and for taking the time to answer this query.
Regards
Christopher Meyers
Aug 6, 2018, 10:19:45 AM8/6/18
to daniel...@gmail.com, AWX Project
My mistake, you need a lookup nested in your lookup. One lookup to get the filename, another lookup to read the file. i.e.
{{ lookup("file", lookup("env", "ANSIBLE_NET_SSH_KEYFILE")) }}
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/604f7d25-85c7-4619-b83a-2de2694b56f8%40googlegroups.com.
Daniel Macuare
Aug 6, 2018, 12:16:53 PM8/6/18
to AWX Project
Ohh no probs Chris,
The minute I posted my reply I realised that what you're saying about reading the path first and then the content. I have restructured my playbook now to achieve it, read the path and then the content.
What I can see in stdout is the content of the private key (as expected) but I'm a bit unsure of whether I should see the new lines \n. Is this expected? When I copy my private key to AWX, obviously there are some newlines \n (invisible) in it. Please have a look at the output of task 2.
Task 1 Output (The path that AWX is using to store my encrypted private key)
Task2 Output (The content of my private key unencrypted - You can see the \n)
See the end of lines... \n --> I'm not too sure if this is actually what gets passed to the network module. I guess it is but if that's the case, would that be a problem?
Task 3 - Network Module Error
The minute I posted my reply I realised that what you're saying about reading the path first and then the content. I have restructured my playbook now to achieve it, read the path and then the content.
What I can see in stdout is the content of the private key (as expected) but I'm a bit unsure of whether I should see the new lines \n. Is this expected? When I copy my private key to AWX, obviously there are some newlines \n (invisible) in it. Please have a look at the output of task 2.
Task 1 Output (The path that AWX is using to store my encrypted private key)
ok: [man2-rc-access4200-09a] => {
"msg": "/tmp/awx_92_i0z9B7/tmpZvwup0"Task2 Output (The content of my private key unencrypted - You can see the \n)
ok: [man2-rc-access4200-09a] => {
"msg": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,14\n\nPRIVATE_RANDOM_KEY_n/xZiB\n-----END RSA PRIVATE KEY-----",
See the end of lines... \n --> I'm not too sure if this is actually what gets passed to the network module. I guess it is but if that's the case, would that be a problem?
Task 3 - Network Module Error
TASK [Retrieving full config from devices] *************************************
e30=DeyJ1dWlkIjogImFkNmU2YTM0LWVjNmMtNDY0My04OTYwLTQ1MDlhZTg5YjE5NSJ9Dfatal: [man3-rc-voip4200-02]: FAILED! => {"changed": false, "msg": "Unable to make a PyEZ connection: ConnectAuthError(man3-rc-voip4200-02)"}
Pbook
---
- name: NET - PULLING CONFIG
hosts: OFFICES
connection: local
gather_facts: no
roles:
- Juniper.junos
tasks:
- name: Show the path of the SSH Key passed from AWX
debug:
msg: '{{ SSH_LOCATION }}'
- name: Show the content of the SSH Key passed from AWX
debug:
msg: '{{ lookup("file", "{{ SSH_LOCATION }}") }}'
- name: Retrieving full config from devices
juniper_junos_config:
host: '{{ inventory_hostname }}'
user: 'netscript'
ssh_private_key_file: '{{ SSH_LOCATION }}'
port: 830
timeout: 300
format: text
return_output: false
retrieve: committed
dest_dir: 'output/'
tags:
- get_conf
Group_vars - In the inventory file for testing
[OFFICES:vars]
SSH_LOCATION='{{ lookup("env", "ANSIBLE_NET_SSH_KEYFILE") }}'
The next test I'm going to do is to get inside the AWX_task_1 container and test locally to see if the network module works fine. To do this I will:
- Create my ssh key in ~/.ssh/test_key
- export ANSIBLE_NET_SSH_KEYFILE=''~/.ssh/test_key"
- echo $ANSIBLE_NET_SSH_KEYFILE
- Run the same playbook locally inside the docker container to see how the file is read, what is passed to the module and more importantly... Test if the module works this way.
Thanks for all your help so far. I really appreciate and I hope this issue can help someone else as well.
I will come back tomorrow with my findings.
Daniel Macuare
Aug 6, 2018, 12:35:01 PM8/6/18
to AWX Project
I couldn't resist on trying now and it worked locally from the container. Not from AWX though but I'm getting really close :)
From inside the AWX_TASK_1 container, I can see that key totally matches to what AWX is passing to the network module.
Now, the only difference that I can think of is that locally from the container I'm using the ansible-playbook -k option to pass my ssh_key passphrase to the network module. Is there any way to replicate this in AWX?
I've added my passphrase to the network-type credentials so it should be encrypted. However, I don't know to what environment variable this gets mapped to.
Is there any way I can pass passphrase from AWX to the network module?. What would it be the environment variable I should user for this?
Just to be clear on what I'm thinking. Something like this
From inside the AWX_TASK_1 container, I can see that key totally matches to what AWX is passing to the network module.
Now, the only difference that I can think of is that locally from the container I'm using the ansible-playbook -k option to pass my ssh_key passphrase to the network module. Is there any way to replicate this in AWX?
I've added my passphrase to the network-type credentials so it should be encrypted. However, I don't know to what environment variable this gets mapped to.
Is there any way I can pass passphrase from AWX to the network module?. What would it be the environment variable I should user for this?
Just to be clear on what I'm thinking. Something like this
- name: Retrieving full config from devices
juniper_junos_config:
host: '{{ inventory_hostname }}'
user: 'netscript'
ssh_private_key_file: '{{ SSH_LOCATION }}'
password: '{{ ANSIBLE_NET_SSH_KEY_PASSPHRASE }}'
port: 830
timeout: 300
format: text
return_output: false
retrieve: committed
dest_dir: 'output/'
tags:
- get_conf
Thanks again.
Daniel Macuare
Aug 7, 2018, 7:17:34 AM8/7/18
to AWX Project
Hi Chris,
I'd like to thank you for all your support. Really appreciated!!
I've managed to make it work now with the following pbook and credentials
I'd like to thank you for all your support. Really appreciated!!
I've managed to make it work now with the following pbook and credentials
- name: NET - PULLING CONFIG
hosts: OFFICES
connection: local
gather_facts: no
roles:
- Juniper.junos
tasks:
# COMMENTED WAS USED FOR DEBUGGING PURPOSES
# - name: Show the path of the SSH Key passed from AWX
# debug:
# msg: '{{ SSH_LOCATION }}'
# - name: Show the content of the SSH Key passed from AWX
# debug:
# msg: '{{ lookup("file", "{{ SSH_LOCATION }}") }}'
# - name: Show the content of the SSH Passphrase from AWX
# debug:
# msg: '{{ lookup("env", "ANSIBLE_NET_PASSWORD") }}'
- name: Retrieving full config from devices
juniper_junos_config:
host: '{{ inventory_hostname }}'
user: 'netscript'
ssh_private_key_file: '{{ SSH_LOCATION }}'
passwd: '{{ lookup("env", "ANSIBLE_NET_PASSWORD") }}'
port: 830
timeout: 300
format: text
return_output: false
retrieve: committed
dest_dir: 'output/'
tags:
- get_conf
As a side note. The ANSIBLE_NET_PASSWORD gets passed from the AWX "password" field on the Network-type credential (See picture attached). I would like to understand to where, the "private key passphrase" field gets mapped to.
How can I get information about the environment variables that AWX uses to map it's credential fields?. Is there any documentation page that shows me what you've been telling me?
I'm leaving the information here hoping that some else comes across the same issue and can benefit of this loop.
Thanks and regards.
Christopher Meyers
Aug 7, 2018, 12:20:38 PM8/7/18
to Daniel Macuare, AWX Project
Daniel,
You found a bug. https://github.com/ansible/awx/issues/2150
Note that AWX fills in passwords for prompted ssh passwords for you it does NOT inject them for your use as an environment variable.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/50b947ed-a05b-4b36-9207-10983167c793%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Christopher Meyers
Aug 9, 2018, 6:07:55 PM8/9/18
to AWX Project
This should fix your problem. Can you verify it when it lands? https://github.com/ansible/awx/pull/2158
To unsubscribe from this group and stop receiving emails from it, send an email to awx-project+unsubscribe@googlegroups.com.
To post to this group, send email to awx-p...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/50b947ed-a05b-4b36-9207-10983167c793%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Daniel M
Aug 10, 2018, 4:38:51 AM8/10/18
to cme...@redhat.com, awx-p...@googlegroups.com
Hi Chris,
I'm out of the office today but I'll give that a try on Monday to see if this works properly now.
I'll update this post with my findings.
Thanks
I'm out of the office today but I'll give that a try on Monday to see if this works properly now.
I'll update this post with my findings.
Thanks
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/50b947ed-a05b-4b36-9207-10983167c793%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
--
You received this message because you are subscribed to a topic in the Google Groups "AWX Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/awx-project/ce95ooS2sp0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to awx-project...@googlegroups.com.
To post to this group, send email to awx-p...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/dd9ae5bf-6aa7-4a5c-81b9-c8ad5166baa5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Christopher Meyers
Aug 14, 2018, 10:13:19 AM8/14/18
to Daniel Macuare, AWX Project
Daniel,
Did you get a chance to test this? We've since released a new version of AWX that this fix is in.
Thanks,
-Chris
Christopher Meyers
Aug 20, 2018, 10:42:03 AM8/20/18
to AWX Project
ping
To unsubscribe from this group and stop receiving emails from it, send an email to awx-project+unsubscribe@googlegroups.com.
To post to this group, send email to awx-p...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/50b947ed-a05b-4b36-9207-10983167c793%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
--
You received this message because you are subscribed to a topic in the Google Groups "AWX Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/awx-project/ce95ooS2sp0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to awx-project+unsubscribe@googlegroups.com.
To post to this group, send email to awx-p...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/dd9ae5bf-6aa7-4a5c-81b9-c8ad5166baa5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Daniel Macuare
Aug 21, 2018, 6:43:34 AM8/21/18
to AWX Project
Hi Chris,
Sorry, but I haven't' had much time lately to do any work for my AWX project. I'm now using the devel branch for the test and I can see your commit on the logs so I can see the fix is there.
Can you please guide me on the expected result or how can I test this fix?. I've been reading your fix and the build_password() function and as I understand, based on your comment the fix should prefer the ssh passphrase over the password?
Anyway, this is my current pbook
Sorry, but I haven't' had much time lately to do any work for my AWX project. I'm now using the devel branch for the test and I can see your commit on the logs so I can see the fix is there.
Can you please guide me on the expected result or how can I test this fix?. I've been reading your fix and the build_password() function and as I understand, based on your comment the fix should prefer the ssh passphrase over the password?
Anyway, this is my current pbook
---
- name: NET - PULLING CONFIG
hosts: OFFICES
connection: local
gather_facts: no
roles:
- Juniper.junos
tasks:
- name: Show the path of the SSH Key passed from AWX
debug:
msg: '{{ SSH_LOCATION }}'
- name: Show the content of the SSH Key passed from AWX
debug:
msg: '{{ lookup("file", "{{ SSH_LOCATION }}") }}'
- name: Show the content of the ssh password field from AWX
debug:
msg: '{{ lookup("env", "ANSIBLE_NET_PASSWORD") }}'
- name: Retrieving full config from devices
juniper_junos_config:
host: '{{ inventory_hostname }}'
user: 'netscript'
ssh_private_key_file: '{{ SSH_LOCATION }}'
passwd: '{{ lookup("env", "ANSIBLE_NET_PASSWORD") }}'
port: 830
timeout: 300
format: text
return_output: false
retrieve: committed
dest_dir: 'output/'
tags:
- get_conf
The SSH_LOCATION variable is been passed from AWX to Ansible using the Extra variables:
See Image
Now, I've assigned the following string as text to
PASSWORD: "ssh-password"
PRIVATE KEY PASSPHRASE: "ssh-passphrase"
When I run my playbook I get back
Thanks for your comments.
Best regards.
When I run my playbook I get back
TASK [Show the content of the SSH Passphrase from AWX] *************************
ok: [man3-rc-voip4200-01] => {
"msg": "ssh-password"
}
ok: [man3-rc-voip4200-02] => {
"msg": "ssh-password"
}
ok: [man3-rc-voip4200-04] => {
"msg": "ssh-password"Thanks for your comments.
Best regards.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/50b947ed-a05b-4b36-9207-10983167c793%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
--
You received this message because you are subscribed to a topic in the Google Groups "AWX Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/awx-project/ce95ooS2sp0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to awx-project...@googlegroups.com.
To post to this group, send email to awx-p...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/dd9ae5bf-6aa7-4a5c-81b9-c8ad5166baa5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
--
Christopher Meyers
Aug 21, 2018, 1:54:34 PM8/21/18
to AWX Project
* for testing, remove the following line:
passwd: '{{ lookup("env", "ANSIBLE_NET_PASSWORD") }}'
* Do not set the password field in your Netscript credential
* We now disallow jinja2 in extra_vars by default so don't have the level of indirection i.e. remove SSH_LOCATION: '{{ lookup(...) }}' and replace usages of SSH_LOCATION with ANSIBLE_NET_SSH_KEYFILE
Daniel Macuare
Aug 24, 2018, 5:28:02 AM8/24/18
to AWX Project
Hi Chris,
The following are the results of my test:
I've modified my Pbook to the following:
The following are the results of my test:
I've modified my Pbook to the following:
---
- name: NET - PULLING CONFIG
hosts: OFFICES
connection: local
gather_facts: false
roles:
- Juniper.junos
tasks:
- name: Show the content of the SSH Passphrase from AWX
debug:
msg: '{{ lookup("env", "ANSIBLE_NET_PASSWORD") }}'
- name: Show the content of the ANSIBLE_NET_SSH_KEYFILE
debug:
msg: '{{ lookup("env", "ANSIBLE_NET_SSH_KEYFILE") }}'
- name: Retrieving full config from devices
juniper_junos_config:
host: '{{ inventory_hostname }}'
user: 'test_user'
# ssh_private_key_file: '{{ SSH_LOCATION }}'
ssh_private_key_file: '{{ lookup("env", "ANSIBLE_NET_SSH_KEYFILE") }}'
# passwd: '{{ lookup("env", "ANSIBLE_NET_PASSWORD") }}'
port: 830
timeout: 300
format: text
return_output: false
retrieve: committed
dest_dir: 'output/'
tags: Error:
PLAY [NET - PULLING CONFIG] ****************************************************
TASK [Show the content of the SSH Passphrase from AWX] *************************
}
ok: [test_switch] => {
120
"msg": ""
}
...
TASK [Show the content of the ANSIBLE_NET_SSH_KEYFILE] *************************
09:46:17
124
ok: [test_switch] => {
}
ok: [test_switch] => {
"msg": "/tmp/awx_147_2t4q9O/tmpJvuS1U"
}
TASK [Retrieving full config from devices] *************************************
e30=DeyJ1dWlkIjogIjBlZGI0YTc5LTQ4NGMtNGZkZi1iOGVlLTA0ZTQ2ZmRmYmYwYyJ9Dfatal: [test_switch]: FAILED! => {"changed": false, "msg": "Unable to make a PyEZ connection: ConnectAuthError(test_switch)"}
No password is being passed to the juniper_junos_config module. As requested, I've removed my password from the Network Credential which now looks like this:
Additionally, I'm not passing the credentials anymore from the EXTRA vars
Should I expect AWX to decrypt my passphrase and pass it to the module just like I would do by using the -k option with the ansible-playbook command?. I f that's the case I would see something in the first print:
PLAY [NET - PULLING CONFIG] ****************************************************
TASK [Show the content of the SSH Passphrase from AWX] *************************
}
ok: [man4-rc-access3400-05] => {
120
"msg": ""
}
...
Christopher Meyers
Aug 27, 2018, 8:11:52 AM8/27/18
to AWX Project
That looks good. Try running the job with the highest level verbosity.
Note that tower does not expose your ssh decrypt password. The ssh process that ansible spawns may prompt for a password. AWX will look for that prompt string and fill it in with the ssh password.
Pierrick Prost
Apr 2, 2020, 11:44:02 AM4/2/20
to AWX Project
Hi everyone,
someone know how to call SCM credential with the same typo thant "ANSIBLE_XXX" ?
Reply all
Reply to author
Forward
0 new messages