Using Ansible Vault to access host variables with Rundeck

Julian Brown Jr.

Jun 21, 2024, 1:35:24 PM
to rundeck-discuss
Hi there,

I was storing my host variables inside my inventory file but now I am storing the sensitive values inside ansible-vault and using templates to access them. I have successfully run playbooks from the Ansible command line before with my sensitive data encrypted within the vault. Now when I try to connect to the hosts using Rundeck it doesn't work because the values for the username and password are not what it was expecting (see code error below).

Error Message

FAILED! => {"msg": "The field 'remote_user' has an invalid value, which includes an undefined variable. The error was: 'vault_ansible_user' is undefined. 'vault_ansible_user' is undefined. 'vault_ansible_user' is undefined. 'vault_ansible_user' is undefined"}

Host variable present in inventory

[itg_hosts:vars]
ansible_user= "{{ vault_ansible_user }}"
ansible_password= "{{ vault_ansible_password }}"
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
ansible_winrm_transport=ntlm
ansible_winrm_scheme=https
ansible_winrm_port=5986
ansible_winrm_message_encryption=always

Playbook
- name: Ping Windows Hosts
  hosts: myhosts
  vars_files:
    - /home/user/.ansible/group_vars/vault.yml
    - /home/user/.ansible/group_vars/vars
  tasks:
    - name: Test if hosts are reachable
      win_ping:

How can I get Rundeck to access my encrypted vault file so it can use the host variables to establish a connection?

I am using ansible-core version 2.16.7 and rundeck version 5.1.0-20240214

Thanks,
Julian

rac...@rundeck.com

Jun 21, 2024, 3:03:39 PM
to rundeck-discuss
Hi,

Could you try the latest Rundeck version (5.4 at this moment)? The Ansible plugin includes related fixes. Take a look.

Regards.

Julian Brown Jr.

Jun 21, 2024, 3:59:08 PM
to rundeck-discuss
Ok, I will try upgrading to the latest version.

Julian Brown Jr.

Jun 24, 2024, 9:47:35 AM
to rundeck-discuss
I have updated to the latest version of Rundeck but I am still getting the same error as before: 


Error Message

FAILED! => {"msg": "The field 'remote_user' has an invalid value, which includes an undefined variable. The error was: 'vault_ansible_user' is undefined. 'vault_ansible_user' is undefined. 'vault_ansible_user' is undefined. 'vault_ansible_user' is undefined"}

The issue in my sample inventory below is with the two variables I have listed. These are supposed to be placeholders for the actual username and password, which are stored in my vault, but when Rundeck sees these templates the connection to the node just fails. If I replace them with the actual values, the connection is successful, as expected. So can I use templates to access these host variables from my vault, or do I have to leave them in plain text so Rundeck can connect to the nodes?


[itg_hosts:vars]
ansible_user= "{{ vault_ansible_user }}"
ansible_password= "{{ vault_ansible_password }}"
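
An added example, not part of the original posts and not Rundeck or Ansible code: a small Python lint for an INI inventory like the one above. It reports credential variables left as literals in a `[group:vars]` section, the disabled WinRM certificate validation, and the template variables that have to come from a vault file; the sample inventory and the function names are constructed for illustration.

```python
import re

# Constructed sample mirroring the inventory quoted in the thread.
SAMPLE_INVENTORY = """\
[itg_hosts]
guestpc2

[itg_hosts:vars]
ansible_user= "{{ vault_ansible_user }}"
ansible_password= "{{ vault_ansible_password }}"
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
ansible_winrm_transport=ntlm
"""

SECRET_KEYS = re.compile(r"(pass(word|phrase)?|secret|token)$", re.I)
TEMPLATE = re.compile(r"\{\{\s*([A-Za-z_]\w*)")
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;\d+\.\d+;AES256")


def is_vault_encrypted(text):
    """True if the file content starts with an ansible-vault envelope header."""
    return bool(VAULT_HEADER.match(text))


def audit_inventory(text):
    """Return (findings, referenced_vars) for the [group:vars] sections."""
    findings, referenced, in_vars = [], set(), False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            # Only [group:vars] sections hold key=value variable assignments.
            in_vars = line.rstrip("]").endswith(":vars")
            continue
        if not in_vars or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip("\"'")
        names = TEMPLATE.findall(value)
        referenced.update(names)
        if SECRET_KEYS.search(key) and not names:
            findings.append((lineno, key, "literal secret in inventory"))
        if key == "ansible_winrm_server_cert_validation" and value == "ignore":
            findings.append((lineno, key, "TLS certificate validation disabled"))
    return findings, referenced
```

Every name in `referenced_vars` should be defined in a file for which `is_vault_encrypted` returns true.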

rac...@rundeck.com

Jun 24, 2024, 3:47:19 PM
to rundeck-discuss

Hi!

I get it. Interesting.

Let me share my config/steps to discard any environment issue (with some questions).

1- In my Ansible project space I created a directory called vars and a YAML vault file called main.yml with the following content.

USER_NAME: 'vagrant'

2- I encrypted the file with:

ansible-vault encrypt main.yml

3- Now, to test this conf, I ran a basic playbook called ping_vault.yml (did you test your Ansible config directly?):

- hosts: all
  vars_files:
    - /home/user/Deployments/Ansible/config/vars/main.yml
  tasks:
    - name: Ping
      ping:

ansible-playbook ping_vault.yml --ask-vault-pass

All good so far:

PLAY [all] **********************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************
ok: [192.168.56.21]
ok: [192.168.56.22]
ok: [192.168.56.20]

TASK [Ping] *********************************************************************************************************
ok: [192.168.56.20]
ok: [192.168.56.21]
ok: [192.168.56.22]

PLAY RECAP **********************************************************************************************************
192.168.56.20 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
192.168.56.21 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
192.168.56.22 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Now this is my ansible.cfg file content:

[defaults]
; this is a .ini standard static inventory
inventory=/home/user/Deployments/Ansible/config/hosts
; no cows, please
nocows=1

My inventory file: (the host file):

[the_farm]
192.168.56.20
192.168.56.21
192.168.56.22

[the_farm:vars]
use_extra_vars=true
ansible_user= {{ USER_NAME }}

4- Now, in Rundeck I created a new Ansible project following this.

This is my model source config (I added the vault file path/password).

5- I created a Job as follows (contains the same playbook as an inline playbook step). Is your job created with the Ansible vault file path/password?

- defaultTab: nodes
  description: ''
  executionEnabled: true
  id: c2c64069-2ac8-4857-b872-87e3191539ce
  loglevel: INFO
  name: VaultTest
  nodeFilterEditable: false
  nodefilters:
    dispatch:
      excludePrecedence: true
      keepgoing: false
      rankOrder: ascending
      successOnEmptyNodeFilter: false
      threadcount: '1'
    filter: 192.*
  nodesSelectedByDefault: true
  plugins:
    ExecutionLifecycle: {}
  scheduleEnabled: true
  sequence:
    commands:
    - configuration:
        ansible-base-dir-path: /home/user/Deployments/Ansible/config/
        ansible-become: 'false'
        ansible-binaries-dir-path: /home/user/.local/bin/
        ansible-encrypt-extra-vars: 'false'
        ansible-playbook-inline: |-
          - hosts: all
            vars_files:
              - /home/user/Deployments/Ansible/config/vars/main.yml
            tasks:
              - name: Ping
                ping:
        ansible-ssh-passphrase-option: option.password
        ansible-ssh-use-agent: 'false'
        ansible-vault-storage-path: keys/vaultpasswd
      nodeStep: true
      type: com.batix.rundeck.plugins.AnsiblePlaybookInlineWorkflowNodeStep
    keepgoing: false
    strategy: node-first
  uuid: c2c64069-2ac8-4857-b872-87e3191539ce

That job works well.

Rundeck 5.4.0 / Ansible [ core 2.13.5] (Could you test with this specific version?).

Regards!

Julian Brown Jr.

Jun 24, 2024, 5:05:43 PM
to rundeck-discuss
There are a couple of things I forgot to mention, sorry about that. I am using Rundeck 5.4.0 war and my Ansible nodes are Windows hosts. Regardless, I followed your steps and everything worked fine up until the point where I changed the vars in my inventory file to use the template; then Rundeck lost connection to the node. As you know, if the node is not appearing on the node page then you can't run a playbook on it.

This is from the Ansible command line to show it is working here:

$ ansible-playbook win_ping.yml --ask-vault-pass
Vault password:

PLAY [Ping Windows Hosts] *****************************************************************************************************

TASK [Gathering Facts] ********************************************************************************************************
ok: [guestpc2]

TASK [Test if hosts are reachable] ********************************************************************************************
ok: [guestpc2]

PLAY RECAP ********************************************************************************************************************
guestpc2  : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

rac...@rundeck.com

Jun 25, 2024, 10:46:55 AM
to rundeck-discuss
Hi,

Is your Ansible model source configured with the "Gather Facts" option? If so, try to disable it and check the nodes page again.

Regards.

Julian Brown Jr.

Jun 25, 2024, 11:15:36 AM
to rundeck-discuss
Ok wow. I changed the "Gather Facts" and it seems to work now, thank you for that! One other thing I wanted to ask about that came up yesterday involves the command tab. Whenever I try to run commands through that tab I get this error:

Failed: AnsibleError: ERROR: Ansible IO failure: Cannot run program "/home/user/rundeck/ /home/user/.local/bin/ansible" (in directory "/tmp/ansible-rundeck14342872452659697724"): error=2, No such file or directory
Execution failed: 65 in project rundeck_WAR_test: [Workflow result: , step failures: {1=Dispatch failed on 1 nodes: [guestpc2: AnsibleError: ERROR: Ansible IO failure: Cannot run program "/home/user/rundeck/ /home/user/.local/bin/ansible" (in directory "/tmp/ansible-rundeck14342872452659697724"): error=2, No such file or directory + {dataContext=MultiDataContextImpl(map={}, base=null)} ]}, Node failures: {guestpc2=[AnsibleError: ERROR: Ansible IO failure: Cannot run program "/home/user/rundeck/ /home/user/.local/bin/ansible" (in directory "/tmp/ansible-rundeck14342872452659697724"): error=2, No such file or directory + {dataContext=MultiDataContextImpl(map={}, base=null)} ]}, status: failed]

I am quite positive the error lies with the path that you can see in the first line. It essentially has two paths in one and I'm not sure where to look to find this in the config files to change it. Here is my Node Config on Rundeck for reference:

Ansible binaries directory path: /home/user/.local/bin
ansible inventory File path: /home/user/.ansible/playbooks/inventory.ini
Ansible config file path: /home/user/.ansible/ansible.cfg
Gather Facts: No
Ignore Host Discovery Errors: Yes
Import host vars: Yes
Everything else unchanged

Reminder: I am using Rundeck 5.4.0 war and Ansible version 2.16.7.

rac...@rundeck.com

Jun 25, 2024, 12:12:12 PM
to rundeck-discuss
Hi,

Great! Regarding this:

Failed: AnsibleError: ERROR: Ansible IO failure: Cannot run program "/home/user/rundeck/ /home/user/.local/bin/ansible" (in directory "/tmp/ansible-rundeck14342872452659697724"): error=2, No such file or directory
Execution failed: 65 in project rundeck_WAR_test: [Workflow result: , step failures: {1=Dispatch failed on 1 nodes: [guestpc2: AnsibleError: ERROR: Ansible IO failure: Cannot run program "/home/user/rundeck/ /home/user/.local/bin/ansible" (in directory "/tmp/ansible-rundeck14342872452659697724"): error=2, No such file or directory + {dataContext=MultiDataContextImpl(map={}, base=null)} ]}, Node failures: {guestpc2=[AnsibleError: ERROR: Ansible IO failure: Cannot run program "/home/user/rundeck/ /home/user/.local/bin/ansible" (in directory "/tmp/ansible-rundeck14342872452659697724"): error=2, No such file or directory + {dataContext=MultiDataContextImpl(map={}, base=null)} ]}, status: failed]

Check your Ansible paths defined at node executor/file copier (go to project settings  > edit configuration > Default Node Executor / Default File Copier). Take a look at this.

Make sure to define the right path of your ansible binaries/config file.

Regards!

Julian Brown Jr.

Jun 26, 2024, 4:46:47 PM
to rundeck-discuss
Went through the link you sent and double-checked my config and binaries paths; they look correct. Just to be sure, I removed everything under the "Default Node Executor" and "Default File Copier" tabs and re-entered them. The error that occurred before is now gone, and look at what error I am getting now:

guestpc2 | FAILED | rc=-1 >>

The field 'remote_user' has an invalid value, which includes an undefined variable. The error was: 'vault_ansible_user' is undefined. 'vault_ansible_user' is undefined. 'vault_ansible_user' is undefined. 'vault_ansible_user' is undefined
Failed: AnsibleError: ERROR: Ansible execution returned with non zero code.
Execution failed: 85 in project rundeck_WAR_test: [Workflow result: , step failures: {1=Dispatch failed on 1 nodes: [guestpc2: AnsibleError: ERROR: Ansible execution returned with non zero code. + {dataContext=MultiDataContextImpl(map={}, base=null)} ]}, Node failures: {guestpc2=[AnsibleError: ERROR: Ansible execution returned with non zero code. + {dataContext=MultiDataContextImpl(map={}, base=null)} ]}, status: failed]

It is the same error that was occurring before but now for the commands, which is odd because it works directly from the command line on the Ansible server when I tested it. Is it possible that what you mentioned earlier about this potentially being an environment issue is true?

rac...@rundeck.com

Jun 27, 2024, 10:58:53 AM
to rundeck-discuss
This is my config, please take a look.

Greetings!