Hi
I currently have existing playbooks which use vault files in group_vars (i.e. group_vars/dev/vault-all.yml). I've been having problems integrating my existing playbooks into AWX. When adding a source to my inventory via Sourced from a Project/Inventory file, I get an error "The vault password file was not found".
After much googling, I'm not really clear what the best practice is for using vaults within AWX. It seems that my current method isn't supported by AWX 17.0.1. Some suggestions were to encrypt each value separately, which would be painful. I found this post on Stackoverflow, but it's 3 years old.
So my questions:
- Are my current playbooks outside of AWX using best practice for vaults? Should the secrets all be in one encrypted file? Or should they be individually vaulted?
- How do I get past the missing vault password file error in AWX?
One other kind of off-topic question: Is there a best practice for separating inventories from playbooks? Each of my playbook repos has its own inventory files with some duplication. In AWX, I was hoping to see a git repo as a source for inventory.
Thanks!
When you run a playbook in AWX you tie that to a job template. In that job template you can attach a 'credential object' which is a vault credential. That vault credential is your vault password. HTH.
Look under the Credentials resource on the left in AWX. You can create a vault credential there.
Thanks for the quick reply.
I tried adding a vault cred to my template and still got the same error. From the way the UI is designed, it looks like Inventories are independent from Templates. When adding an inventory file, there is no reference to the template, so the inventories function doesn't know to use it.
Where is the vault file? How are you tying it all together? You are right, it is very different from the command line version of Ansible.
My playbooks are organized something like this (based on this):
group_vars/
    dev/
    prod/
inventories/
    prod/
        hosts
        group_vars/
    dev/
        hosts
playbook.yml
roles/
    roleA
    roleB
Under Inventory there is a button called Sources. You can pull in your inventory through a project.
I reread what you are doing. I did mine a bit differently. I used redcop-ansible tower configuration files to define my vars and such.
I then used include_vars in my playbook to pull them in.
By doing it this way I can then use the job template to include my vault credentials.
Doing it your way means that there is not really a way to include vaulted credentials UNLESS it's included in the include_vars in the playbook and has some kind of way to pull in from the credential part in the job template... if that makes sense, happy to explain further...
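An added example, not written by any poster in this thread, of the approach described above: the playbook loads a vaulted vars file with include_vars at run time, so the Vault credential attached to the AWX job template supplies the password. The inventory source itself then carries no vaulted files, which is what the "vault password file was not found" error during inventory sync is about, since the sync has no job template and therefore no Vault credential. File paths, the env variable and the secret name are assumptions for illustration.

```yaml
# playbook.yml (added example; paths and variable names are assumed)
#
# vars/dev/vault.yml was encrypted beforehand with:
#   ansible-vault encrypt vars/dev/vault.yml
# Its plaintext form looks like:
#   db_password: "example-only"
---
- name: Deploy using secrets loaded from a vaulted vars file
  hosts: all
  gather_facts: false
  vars:
    # Select the environment per job template, e.g. extra var env=prod
    env: dev
  tasks:
    - name: Load the vaulted secrets for this environment
      # In AWX the Vault credential on the job template decrypts this file.
      # On the command line the equivalent is:
      #   ansible-playbook playbook.yml --ask-vault-pass
      ansible.builtin.include_vars:
        file: "vars/{{ env }}/vault.yml"
        name: vault_secrets

    - name: Confirm the secret was loaded without logging its value
      ansible.builtin.debug:
        msg: "db_password loaded ({{ vault_secrets.db_password | length }} characters)"
      no_log: true
```

Keeping the secrets under a directory the playbook reads (here vars/) rather than under the inventory's group_vars means the project sync and inventory sync never need a vault password, while every job template that uses the playbook still needs the matching Vault credential attached.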
I am pulling in the inventory file through a project. The missing vault file error happens when that inventory file is synced.
I think I understand how you are doing it. That method is described in the Stackoverflow question.
For anyone who may run into this in the future, I followed this suggestion and it works.