Hi All,
Thank you for taking a look at my post.
I’m trying to figure out if there is a better way to have Ansible authenticate with Azure when running playbooks. Right now, I’ve got a service principal set in my .azure/credentials section which works fine, but introduces security concerns. The alternative is using Azure AD, but that seems to need your password in clear text.
The only solution I can think of is to write a bash script which will create a short-lived RBAC Service Principal and export the values to my environment variables, run the playbook, then get rid of it all.
Please somebody tell me there is a magical way which will work with my az login?
Thanks,
Steve
Hi All,
As an update, I’ve figured out that Ansible does indeed work with just az login, the thing that doesn’t is the azure_rm.py script we use for dynamic inventory.
Does anybody have a solution for this?
Steve
Another update from me. I’ve managed to find out that there is a plugin called Azure Resource Manager inventory plugin.
I’ve created the simple yaml file and now just seeing if I can get it to work. If anybody knows how I can use it to grab VMs from Azure based on tags, I’d love to hear it.
Steve
Hi Steve,
Not sure if this is what you are asking, but if you just need to find
VMs in Azure by tag, you can do so using az cli like:
$ az resource list --tag KEY=VALUE --query .name
I find the API returns resources much faster when using tags.
Thanks for the reply Michael.
Basically what I am after is to stop using service principals for Ansible. I’ve recently learnt that you can use the Azure CLI to authenticate, but our dynamic inventory python script uses service principals (the azurerm.py script).
I’ve also seen that Ansible have released an Azure Resource Manager inventory plugin. Does that replace the azurerm.py dynamic inventory script? If so, how do I configure it to apply playbooks to VMs based on tags?
Thanks!
Steve,
Gotcha. Ok, here’s the deal. I gave up long ago trying to use Ansible with Azure even though I love Ansible and try to automate as much as I can with it. We use terraform now for creating Azure infrastructure, then Ansible for IaaS-based operations and configuration management. It seems like you try to run Ansible for Azure infrastructure and you get an error telling you what module(s) you need to install, then I install them and it either still doesn’t work, or still tells me I don’t have modules which I know I just installed. So basically I just use my az login, then I have a python script that uses az cli to grab the host names from Azure and puts them into a simple ini-type ansible hosts file in groups like you would expect to see a normal ansible hosts file, eg:
[db]
dbhost1
dbhost2
[app]
apphost1
apphost2
etc.
I’ve even tried using the Azure Cloud Shell which supposedly has ansible and all the requisite modules installed (since you can’t install any yourself anyway) and it still doesn’t seem to work. And besides, then you are running all of your Ansible automation in the stupid azure console which is not good for a pipeline or logging or team use or any kind of good devops workflow.
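The kind of helper Michael describes, written here as an added example (it is not his script): it reads VM names and tags from the already logged-in az CLI session, so no service principal credentials sit in a file, and renders the ini-style groups Steve asked for, keyed on a tag. The tag key "role" and the sample VM records are assumptions for illustration.

```python
import json
import re
import subprocess
from collections import defaultdict

# Hypothetical tag whose value becomes the Ansible group; adjust to your tagging scheme.
GROUP_TAG = "role"


def az_vm_list():
    """Fetch name+tags for every VM via the cached `az login` token (no stored secrets)."""
    result = subprocess.run(
        ["az", "vm", "list", "--query", "[].{name:name, tags:tags}", "-o", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(result.stdout)


def safe_group(value):
    """Ansible group names must be [A-Za-z0-9_]; replace anything else so a tag value cannot break the ini file."""
    return re.sub(r"[^A-Za-z0-9_]", "_", value)


def build_inventory(vms, group_tag=GROUP_TAG):
    """Group VM names by the value of group_tag; VMs lacking the tag land in [ungrouped]."""
    groups = defaultdict(list)
    for vm in vms:
        tags = vm.get("tags") or {}
        groups[safe_group(tags.get(group_tag, "ungrouped"))].append(vm["name"])
    return {g: sorted(hosts) for g, hosts in sorted(groups.items())}


def render_ini(groups):
    """Emit the classic ini-type hosts file: one [group] header followed by its hosts."""
    lines = []
    for group, hosts in groups.items():
        lines.append(f"[{group}]")
        lines.extend(hosts)
        lines.append("")
    return "\n".join(lines)


# Constructed sample in the shape returned by the az query above (not real hosts).
SAMPLE_VMS = [
    {"name": "dbhost2", "tags": {"role": "db"}},
    {"name": "dbhost1", "tags": {"role": "db"}},
    {"name": "apphost1", "tags": {"role": "app"}},
    {"name": "apphost2", "tags": {"role": "app"}},
    {"name": "jumphost1", "tags": None},
]

if __name__ == "__main__":
    vms = az_vm_list()  # swap in SAMPLE_VMS to try it without an Azure login
    print(render_ini(build_inventory(vms)))
```

Run it after `az login` and redirect the output to your hosts file; group names come straight from the tag value, so a VM tagged role=db ends up under [db].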