Get Tower login user from/to Job Template playbook
4,635 views
Skip to first unread message
QZ
Aug 1, 2018, 10:37:34 AM8/1/18
to AWX Project
Hello all,
I need to send email notification from the underneath Job Template playbook to Ansible Tower login user who launches the Job (That is the "LAUNCHED BY" in Tower Job). I am not sure 1) how to retrieve the Anisble Tower login user from playbook, or 2) how to pass the login user info to the playbook from the Job Template. I tried to use {{ lookup('env', "USER") }} in playbook, that returns "awx", and I am not sure Ansible Tower Me REST API endpoint will help here either.
Thanks for help in advance!
Cheers, QZ
Christopher Meyers
Aug 1, 2018, 11:53:15 AM8/1/18
to AWX Project
QZ,
env USER is the UNIX user, not the API user. The AWX REST API endpoints will help here. The job endpoint records the user that created (i.e. launched) the job. Outline of what you'll need to get the created_by user:
1. What is the AWX job id of this running ansible playbook?
2. Callback to the AWX API to get the user that triggered the job
3. Auth while calling back to the API
1. What is the AWX job id of this running ansible playbook?
https://127.0.0.1:3251/api/v2/jobs/2/ <-- But how do you get the job ID ? You already know how!
{{ lookup('env', "JOB_ID" }}2. Callback to the AWX API
Many options:
(1) tower-cli
(2) ansible tower modules
(3) raw URI / curl calls
For ansible-tower modules you'll want tower_job_list https://docs.ansible.com/ansible/2.5/modules/tower_job_list_module.html
Whichever you choose, you will request the job from step (1). The response will contain the username. i.e.:
"summary_fields": { "created_by": { "id": 1, "username": "admin", "first_name": "", "last_name": "" },
3. Auth while calling back to the API
You can use the Ansible Tower credential and supply a username/password. When used on a job template, the environment variables TOWER_USERNAME, TOWER_PASSWORD, and TOWER_HOST are injected. But that shouldn't matter because those env variables are what ansible tower modules and tower-cli expect so the auth should just work.
QZ
Aug 1, 2018, 3:37:47 PM8/1/18
to AWX Project
Wow, that is cool, thank you very much Christopher!
I didn't know 1), but I checked, it works. I will probably use URI module for 2) since I already use URI to schedule tower job from Ansible playbook. I am trying to understand why you called out Auth for 3), and the environment variables. Are you saying I don't need to provide a tower user name and password if I use tower modules or tower-cli? I thought I just need to have a tower account for the REST API.
Thanks again for the advice!
qz
Christopher Meyers
Aug 1, 2018, 5:34:58 PM8/1/18
to AWX Project
The Tower credentials are a convenience. Without them, you could use ansible vault or hard-code them as extra variables. By using Tower Credentials, AWX will encrypt the password and ensure it isn't exposed at API endpoints.
On Wednesday, August 1, 2018 at 10:37:34 AM UTC-4, QZ wrote:
QZ
Aug 1, 2018, 5:53:51 PM8/1/18
to AWX Project
Thanks Christopher! That makes sense. I will try to explore how to use Tower Credentials from playbook, I haven't seen it before. For REST API calls, I get token first by using a user name and password.
BTS Automation
Aug 8, 2018, 1:33:28 AM8/8/18
to QZ, AWX Project
If you are trying to access the tower username in your playbook can't you just use {{ tower_user_name }}?
Along with any extra variables set in the job template and survey, Tower automatically adds the following variables to the job environment:
tower_job_id: The Job ID for this job runtower_job_launch_type: One of manual, callback, or scheduled to indicate how the job was startedtower_job_template_id: The Job Template ID that this job run usestower_job_template_name: The Job Template name that this job usestower_user_id: The user ID of the Tower user that started this job. This is not available for callback or scheduled jobs.tower_user_name: The user name of the Tower user that started this job. This is not available for callback or scheduled jobs.
--
You received this message because you are subscribed to the Google Groups "AWX Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to awx-project+unsubscribe@googlegroups.com.
To post to this group, send email to awx-p...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/dcdb3c28-dfae-4dd2-9e39-1f5579472370%40googlegroups.com.
aki
Jan 30, 2020, 3:08:29 PM1/30/20
to AWX Project
Hi,
Can you please give an example how can I use tower credentials into my playbook, I have a requirement to do this, and this discussion is the most I could relate too
Thanks
On Wednesday, August 1, 2018 at 5:34:58 PM UTC-4, Christopher Meyers wrote:
Konstantin
Jan 30, 2020, 4:07:51 PM1/30/20
to aki, AWX Project
Hi,
AWX exposes several extra variables for that:
tower_user_email: The user email of the Tower user that started this job. This is not available for callback or scheduled jobs.tower_user_first_name: The user’s first name of the Tower user that started this job. This is not available for callback or scheduled jobs.
tower_user_id: The user ID of the Tower user that started this job. This is not available for callback or scheduled jobs.
tower_user_last_name: The user’s last name of the Tower user that started this job. This is not available for callback or scheduled jobs.
tower_user_name: The user name of the Tower user that started this job. This is not available for callback or scheduled jobs.
--
You received this message because you are subscribed to the Google Groups "AWX Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to awx-project...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/5d57ebba-1b6d-4edf-bd56-e54fe5a45cd4%40googlegroups.com.
Message has been deleted
Message has been deleted
aki
Jan 30, 2020, 5:21:47 PM1/30/20
to AWX Project
Hi,
Is it possible to user tower login password into the playbook as well?
Konstantin
Jan 31, 2020, 8:07:54 AM1/31/20
to aki, AWX Project
It's not possible. You should use vaults/credentials to store sensitive data.
31 янв. 2020 г., в 01:18, aki <rocknr...@gmail.com> написал(а):
Hi,thanks for reply, anyhow can use the tower login password into playbook?
To unsubscribe from this group and stop receiving emails from it, send an email to awx-p...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/5d57ebba-1b6d-4edf-bd56-e54fe5a45cd4%40googlegroups.com.
--
You received this message because you are subscribed to the Google Groups "AWX Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to awx-project...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/11569db5-ff7d-4084-be28-0d64bae4eb49%40googlegroups.com.
Bianca Henderson
Jan 31, 2020, 9:30:39 AM1/31/20
to AWX Project
Hi aki,
It IS possible to have your username/password in a playbook, but it is NOT recommended.
- Bianca
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/11569db5-ff7d-4084-be28-0d64bae4eb49%40googlegroups.com.
Bianca Henderson
Jan 31, 2020, 2:09:33 PM1/31/20
to AWX Project
Hey again aki, I wanted to expand on my earlier response a bit more.
The hierarchy which Ansible/Tower modules uses to search for login information is as follows [in order of lowest ---> highest on the hierarchy]:
After you do this, the playbook can pull in the env vars via something like the below:
---
The hierarchy which Ansible/Tower modules uses to search for login information is as follows [in order of lowest ---> highest on the hierarchy]:
/etc/tower/tower_cli.cfg
<user_dir>/.tower_cli.cfg
Any tower_cli.cfg file from / to cwd
Any values specified in the config file pointed to in the modules' tower_config parameter
Any values specified in the modules' tower_* parameters (username/password/host/etc)
<user_dir>/.tower_cli.cfg
Any tower_cli.cfg file from / to cwd
Any values specified in the config file pointed to in the modules' tower_config parameter
Any values specified in the modules' tower_* parameters (username/password/host/etc)
You can set env vars for the playbook to use via the UI (see link below for where you can do that):
https://docs.ansible.com/ansible-tower/latest/html/userguide/credentials.html#ansible-tower
https://docs.ansible.com/ansible-tower/latest/html/userguide/credentials.html#ansible-tower
... or via API, by POSTing something like this (with appropriate info inserted, and either 'user', 'team', or 'organization' where "user" is listed in the example below) at the api/v2/credentials/ endpoint:
(Note that "credential_type": 16 makes this a Tower credential)
{
"name": "XYZ",
"description": "for testing",
"organization": null,
"credential_type": 16,
"inputs": {
"host": "[desired host address]",
"password": "[password]",
"username": "[username",
"verify_ssl": false
}
}
(Note that "credential_type": 16 makes this a Tower credential)
After you do this, the playbook can pull in the env vars via something like the below:
---
- name: Test Playbook
hosts: localhost
gather_facts: false
vars:
credential: "XYZ"
Give that a shot and see if you have any luck!
hosts: localhost
gather_facts: false
vars:
credential: "XYZ"
Give that a shot and see if you have any luck!
Reply all
Reply to author
Forward
0 new messages