Set VAULT_TOKEN environment variable in AWX

Jan Stenvall

Feb 17, 2020, 12:31:05 PM2/17/20
to AWX Project
Hello,

In my playbook I'm using the hashi_vault lookup. According to the specification of the plugin, one way to authenticate against vault is to use the VAULT_TOKEN environment variable (see https://docs.ansible.com/ansible/latest/plugins/lookup/hashi_vault.html)

As there is no way to modify the environment variables during an Ansible play, I wonder how I can set this variable in AWX for a job. You can use a functionality called Survey, but it prompts for this before each run.

Ideally, the VAULT_TOKEN is stored in a file with privileged access only, or stored as a credential in AWX.

How can this be achieved?

Thanks for any input on this subject.

//Jan

Karolis Pocius

Feb 17, 2020, 3:02:58 PM2/17/20
to Jan Stenvall, AWX Project
I haven't tried this myself, but I'd imagine using HashiCorp Vault Secret Lookup credential type and attaching it to the template would expose the token to the job.


--
You received this message because you are subscribed to the Google Groups "AWX Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to awx-project...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/9b59ec31-6636-48a6-b057-f8541f76e8b6%40googlegroups.com.

Ryan Cummins

Feb 17, 2020, 4:55:16 PM2/17/20
to AWX Project
This will likely require a custom credential type to inject the VAULT_ADDR and VAULT_TOKEN values as environment vars during a job template run. The approach is described in this blog post: https://www.ansible.com/blog/ansible-tower-feature-spotlight-custom-credentials

The newer, built-in HashiCorp Vault Secret Lookup credential type works by being "linked" to another credential type as an input source for specific fields, as described here: https://docs.ansible.com/ansible-tower/3.6.2/html/userguide/credential_plugins.html#configure-and-link-secret-lookups

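Ryan's two pointers, worked through as an added example that is not from the original thread or from the AWX project: a custom credential type whose env injector sets VAULT_ADDR and VAULT_TOKEN, a small model of how AWX expands that injector at launch and what a job would see once secret fields are masked, and the REST calls that create a credential of that type and attach it to a job template. The type name, field ids, credential name and sample values are assumptions; the endpoints are the AWX v2 API, so check them against your own version.

```python
"""Custom AWX credential type that injects VAULT_ADDR / VAULT_TOKEN into a job's
environment (constructed example; not AWX project code)."""
import json
import os
import re
import urllib.request
from typing import Any, Dict, Set

# Payload for POST /api/v2/credential_types/. Name and field ids are assumed.
VAULT_CREDENTIAL_TYPE: Dict[str, Any] = {
    "name": "HashiCorp Vault token (env injector)",
    "kind": "cloud",
    "inputs": {
        "fields": [
            {"id": "vault_addr", "type": "string", "label": "Vault address"},
            # secret: true is what makes AWX encrypt the value at rest and hide it
            # in the UI/API; without it the token is stored and shown in clear.
            {"id": "vault_token", "type": "string", "label": "Vault token", "secret": True},
        ],
        "required": ["vault_addr", "vault_token"],
    },
    # The env injector is what the hashi_vault lookup actually reads: it runs on
    # the control node, so the job's own environment is the one that matters.
    "injectors": {
        "env": {
            "VAULT_ADDR": "{{ vault_addr }}",
            "VAULT_TOKEN": "{{ vault_token }}",
        }
    },
}

_TEMPLATE_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_env(credential_type: Dict[str, Any], inputs: Dict[str, str]) -> Dict[str, str]:
    """Expand the env injector templates with a credential's input values.
    Simplified model of what AWX does at launch (plain substitution, not full Jinja2)."""
    env: Dict[str, str] = {}
    for var, template in credential_type["injectors"].get("env", {}).items():
        env[var] = _TEMPLATE_VAR.sub(lambda m: inputs[m.group(1)], template)
    return env


def secret_field_ids(credential_type: Dict[str, Any]) -> Set[str]:
    """Ids of the inputs marked secret: true in the type definition."""
    return {f["id"] for f in credential_type["inputs"]["fields"] if f.get("secret")}


def mask_secrets(credential_type: Dict[str, Any], inputs: Dict[str, str],
                 env: Dict[str, str]) -> Dict[str, str]:
    """Replace env values that equal a secret input with '********'. Use it to check
    which values would be exposed if a task ever printed the job environment."""
    secrets = {inputs[i] for i in secret_field_ids(credential_type) if inputs.get(i)}
    return {k: ("********" if v in secrets else v) for k, v in env.items()}


def _post(base_url: str, awx_token: str, path: str, payload: Dict[str, Any]) -> Dict[str, Any]:
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {awx_token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def create_and_attach(base_url: str, awx_token: str, org_id: int, job_template_id: int,
                      vault_addr: str, vault_token: str) -> int:
    """Create the type, a credential of that type, and associate the credential with
    the job template. Returns the credential id. Endpoints: AWX v2 REST API."""
    ctype = _post(base_url, awx_token, "/api/v2/credential_types/", VAULT_CREDENTIAL_TYPE)
    cred = _post(base_url, awx_token, "/api/v2/credentials/", {
        "name": "vault-token-prod",  # assumed name
        "credential_type": ctype["id"],
        "organization": org_id,
        "inputs": {"vault_addr": vault_addr, "vault_token": vault_token},
    })
    # Attaching to the template is the step that actually gets the env into the job.
    _post(base_url, awx_token, f"/api/v2/job_templates/{job_template_id}/credentials/",
          {"id": cred["id"]})
    return cred["id"]


if __name__ == "__main__":
    # Constructed sample values; the token is not a real Vault token.
    sample = {"vault_addr": "https://vault.example.internal:8200",
              "vault_token": "s.constructedexampletoken"}
    env = render_env(VAULT_CREDENTIAL_TYPE, sample)
    print("job environment as AWX would display it:",
          mask_secrets(VAULT_CREDENTIAL_TYPE, sample, env))
    if os.environ.get("AWX_HOST"):  # only talk to a real AWX when configured
        cid = create_and_attach(os.environ["AWX_HOST"], os.environ["AWX_TOKEN"],
                                int(os.environ["AWX_ORG_ID"]),
                                int(os.environ["AWX_JOB_TEMPLATE_ID"]),
                                sample["vault_addr"], os.environ["VAULT_TOKEN"])
        print("attached credential", cid)
```

Run it as-is to see the rendered and masked environment; set AWX_HOST, AWX_TOKEN, AWX_ORG_ID, AWX_JOB_TEMPLATE_ID and VAULT_TOKEN to have it create and attach the credential against a real AWX. Keep the token in a secret field rather than in extra_vars or a survey answer: extra_vars end up in the job record in clear, while a secret credential field is encrypted and never echoed back.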

Jan Stenvall

Feb 19, 2020, 3:11:54 AM2/19/20
to AWX Project
@Ryan

Perfect, the blog post explains how to perform just that. It works like charm. Thanks a lot !

//Jan

João Santos

Feb 20, 2020, 6:11:08 AM2/20/20
to Jan Stenvall, AWX Project
Hi, did you add the credential to the job itself?
Edit the job and on the credentials field add the same.



On Thu, 20 Feb 2020 at 10:48, Jan Stenvall <jan.st...@gmail.com> wrote:
I jumped the gun. I'm still getting the error:

fatal: [185.19.28.121]: FAILED! => {
"msg": "An unhandled exception occurred while templating '{{lookup('hashi_vault', 'secret=kv/***redacted***/***redacted***:id_rsa_debiangit url=' + vault_addr)}}'. Error was a <class 'ansible.errors.AnsibleError'>, original message: An unhandled exception occurred while running the lookup plugin 'hashi_vault'. Error was a <class 'ansible.errors.AnsibleError'>, original message: No Vault Token specified"
}

I'm running the standalone containerized version of AWX. All the containers run without any issues, the playbook works up until I want to use the hvac lookup.

I have followed the blog article you mentioned:

* created a custom credential type
* created a credential and added it to the organization
* added the variable performing the hashi_vault lookup in the inventory, the inventory belongs to the above organization

I've set the log level to debug and there are no mention of the VAULT_TOKEN or any extra_vars.

How can I troubleshoot this issue?

Grateful for any help.

//Jan

Jan Stenvall

Feb 20, 2020, 7:22:26 AM2/20/20
to AWX Project
Thanks, I missed that obvious part of the equation. It works as intended.

//Jan