How to refer to AWX credentials in my ansible playbook

Time:03-23

I'm new to Ansible. I'm trying to use an existing playbook but deploy it to a different Azure account with separate credentials, but I'm running into some issues. I created a new credential via the AWX portal with my client_id, tenant_id, subscription_id and secret, but I can't figure out how to get my playbook to pull this credential instead of the one it's currently using.

My playbook authentication role authenticates like so

- name: 'Authenticating against Azure'
  command: >
    az login --service-principal
    -u '{{ vault_azure_client_id }}'
    -p '{{ vault_azure_client_secret }}'
    -t '{{ vault_azure_tenant_id }}' 

There is then a secrets folder with a vault file containing what looks like an encrypted string and starting with the below

$ANSIBLE_VAULT;1.1

My main file declares the variable like below

  # Environment Variables
  environment:
    AZURE_CLIENT_ID: '{{ vault_azure_client_id }}'
    AZURE_SECRET: '{{ vault_azure_client_secret }}'
    AZURE_TENANT: '{{ vault_azure_tenant_id }}'

How do I edit the main file and role to point at my creds created through the console instead of the ones stored in Ansible Vault?

CodePudding user response:

This is because by default your playbook file is taking the credential from the vault file. Point to your main file to take the credential rather than the default file (vault file).

Variables can come from different sources, such as the playbook file itself or external variable files that are imported in the playbook. Special precedence rules will apply when working with multiple variable sources that define a variable with the same name.

Suggestion 1: If you are using variables in the playbook file itself, you can use the variables like this.

# Placeholder values; replace each with your own.
vars:
  AZURE_CLIENT_ID: Client ID
  AZURE_SECRET: Client Secret Value
  AZURE_TENANT: Tenant ID
tasks:
  - name: 'Authenticating against Azure'
    command: >
      az login --service-principal
      -u '{{ AZURE_CLIENT_ID }}'
      -p '{{ AZURE_SECRET }}'
      -t '{{ AZURE_TENANT }}'

Reference : https://www.digitalocean.com/community/tutorials/how-to-use-variables-in-ansible-playbooks

Suggestion 2: You can also pass extra variables to an Ansible playbook using the --extra-vars or -e option while running the Ansible playbook, as seen below.

ansible-playbook myplaybook.yaml --extra-vars "nodes=webgroup"

You can refer to this document to pass the variable from outside.

CodePudding user response:

Assuming your unencrypted "vault file" in your "secrets folder" looks like this:

vault_azure_client_id: foo
vault_azure_client_secret: bar
vault_azure_tenant_id: baz

You have two options:

  • Stop using this file and configure these variables in AWX. You don't define these variables as credentials in AWX, you need to define them in the job template that calls the playbook.
  • Rewrite your "vault file" putting your secret variables inline. E.g:
vault_azure_client_id: !vault |
          $ANSIBLE_VAULT;1.2;AES256;dev
          30613...
vault_azure_client_secret: !vault |
          $ANSIBLE_VAULT;1.2;AES256;dev
          30613...
vault_azure_tenant_id: !vault |
          $ANSIBLE_VAULT;1.2;AES256;dev
          30613...

AWX has the limitation of not being able to decrypt variables in an encrypted file, but it could decrypt variables encrypted inline.
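
The difference between a whole-file vault and inline-encrypted variables can be checked before a project is synced into AWX. The following Python sketch is an added example, not code from the original post or from the Ansible or AWX projects; the function names and sample file contents are constructed for illustration. It parses the `$ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]` header and reports, per variable, whether a vars file is encrypted as a whole, encrypted inline, or stored in plaintext.

```python
import re

# Header format: $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id label>]
HEADER = re.compile(r"^\$ANSIBLE_VAULT;(\d\.\d);(\w+)(?:;(\S+))?$")
INLINE = re.compile(r"^([A-Za-z_]\w*)\s*:\s*!vault\s*\|")
PLAIN = re.compile(r"^([A-Za-z_]\w*)\s*:\s*(\S.*)$")


def parse_header(line):
    """Return (version, cipher, vault_id) or None if not a vault header."""
    m = HEADER.match(line.strip())
    return m.groups() if m else None


def classify_vars_file(text):
    """Return 'file-encrypted' for a whole-file vault; otherwise a dict that
    maps each top-level variable to 'inline-vault', 'malformed' or 'plaintext'."""
    lines = text.splitlines()
    first = next((l for l in lines if l.strip()), "")
    if parse_header(first):
        return "file-encrypted"
    result = {}
    for i, line in enumerate(lines):
        m = INLINE.match(line)
        if m:
            # The next non-empty line must carry a valid vault header.
            nxt = next((l for l in lines[i + 1:] if l.strip()), "")
            result[m.group(1)] = "inline-vault" if parse_header(nxt) else "malformed"
            continue
        m = PLAIN.match(line)
        if m:
            result[m.group(1)] = "plaintext"
    return result


# Constructed samples; the ciphertext bodies are placeholders, not real data.
WHOLE_FILE = "$ANSIBLE_VAULT;1.1;AES256\n0000placeholder\n"
INLINE_FILE = (
    "vault_azure_client_id: !vault |\n"
    "          $ANSIBLE_VAULT;1.2;AES256;dev\n"
    "          0000placeholder\n"
    "vault_azure_tenant_id : baz\n"
)

if __name__ == "__main__":
    print(classify_vars_file(WHOLE_FILE))
    print(classify_vars_file(INLINE_FILE))
```

A variable reported as `plaintext` in a file that is meant to hold secrets is the case to catch before the file is committed.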
