Ansible vault best practice with AWX
3,009 views
Skip to first unread message
Ted Underhill
Feb 19, 2021, 11:40:25 AM2/19/21
to AWX Project
Hi
I currently have existing playbooks which use vault files in group_vars (ie. group_vars/dev/vault-all.yml). I've been having problems integrating my existing playbooks into AWX. When adding a source to my inventory via Sourced from a Project/Inventory file, I get an error "The vault password file was not found".
After much googling, I'm not really clear what is the best practice for using vaults within AWX. It seems that my current method isn't supported by AWS 17.0.1. Some suggestions were to encrypt each value separately which would be painful. Found this post in Stackoverflow but its 3 years old.
So my questions:
- Are my current playbooks outside of AWX using best practice for vaults? Should the secrets all be in one encrypted file? Or should they be individually vaulted?
- How do I get past the missing vault password file error in AWX?
One other kind of off topic question: Is there a best practice in separating inventories from playbooks? Each of my playbook repos have their own inventory files with some duplication. In AWX, I was hoping to see a git repo as a source for inventory.
Thanks!
Wei-Yen Tan
Feb 19, 2021, 11:43:24 AM2/19/21
to Ted Underhill, AWX Project
When yoy run a play book in awx you tie that to a job template. In that job template you can attach a 'credential object' which is a vault credential. That vault credential is your vault password. Hth.
Look under the credential resource on the left in awx. You can create a vault credential there
Get Outlook for iOS
From: awx-p...@googlegroups.com <awx-p...@googlegroups.com> on behalf of Ted Underhill <under...@gmail.com>
Sent: Saturday, February 20, 2021 5:40:25 AM
To: AWX Project <awx-p...@googlegroups.com>
Subject: [awx-project] Ansible vault best practice with AWX
Sent: Saturday, February 20, 2021 5:40:25 AM
To: AWX Project <awx-p...@googlegroups.com>
Subject: [awx-project] Ansible vault best practice with AWX
--
You received this message because you are subscribed to the Google Groups "AWX Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to awx-project...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/1a0e4fde-bc87-4783-b491-a92d8d156801n%40googlegroups.com.
You received this message because you are subscribed to the Google Groups "AWX Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to awx-project...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/1a0e4fde-bc87-4783-b491-a92d8d156801n%40googlegroups.com.
Ted Underhill
Feb 19, 2021, 11:53:55 AM2/19/21
to AWX Project
Thanks for the quick reply.
I tried adding a vault cred to my template and still got the same error. From the way the UI is designed, it looks like Inventories is independent from Templates. When adding an inventory file, there is no reference to the template so the inventories function doesn't know to use it.
Wei-Yen Tan
Feb 19, 2021, 11:56:06 AM2/19/21
to Ted Underhill, AWX Project
Where is the vault file? How are you tieing it in together? You are right It is very different from the command line version of ansible
Get Outlook for iOS
From: awx-p...@googlegroups.com <awx-p...@googlegroups.com> on behalf of Ted Underhill <under...@gmail.com>
Sent: Saturday, February 20, 2021 5:53:55 AM
To: AWX Project <awx-p...@googlegroups.com>
Subject: Re: [awx-project] Ansible vault best practice with AWX
To: AWX Project <awx-p...@googlegroups.com>
Subject: Re: [awx-project] Ansible vault best practice with AWX
To view this discussion on the web visit
https://groups.google.com/d/msgid/awx-project/f41100b5-996f-457a-8b7b-90f56b79d355n%40googlegroups.com.
Ted Underhill
Feb 19, 2021, 12:07:32 PM2/19/21
to AWX Project
My playbooks are organized something like this (based on this):
group_vars/
dev/
prod/
inventories/ prod/
hosts
group_vars/
dev/
hosts
playbook.yml
roles\
roleA\
roleB\
Wei-Yen Tan
Feb 19, 2021, 12:14:36 PM2/19/21
to Ted Underhill, AWX Project
Under inventory There is a button called sources. You can pull in your inventory through a project.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/588bb79e-5a9a-476c-b4a4-b42896a9b729n%40googlegroups.com.
Wei-Yen Tan
Feb 19, 2021, 12:22:40 PM2/19/21
to Ted Underhill, AWX Project
I reread what you are doing. I did mine a bit differently. I used redcop-ansible tower configuration files to define my vars and such.
I then used include_vars in my play book to pull them in.
By doing it this way I can then use the job template to include my vault credentials.
Doing it your way means that there is not really a way to include vaulted credentials UNLESS its included in the include vars in the playbook and has some kind of way to pull in from the credential part in the job template...if that makes sense, happy to explain further....
Ted Underhill
Feb 19, 2021, 1:44:33 PM2/19/21
to AWX Project
I am pulling in the inventory file through a project. The missing vault file error happens when that inventory file is synced.
Think I understand how you are doing it. That method is described in the Stackoverflow question
Ted Underhill
Feb 19, 2021, 4:30:58 PM2/19/21
to AWX Project
For anyone who may run into this in the future, I followed this suggestion and it works.
Reply all
Reply to author
Forward
0 new messages