AWX - Can not sync Inventory from Project Source

Hi.
In AWX, I would like to create an inventory from the project source. When I try to sync, I get an error:

ERROR! Attempting to decrypt but no vault secrets found

The inventory file is not encrypted with Ansible Vault. I have also created credentials for Git and Vault, but I am unable to select them.

AWX operator version: 2.19.0
AWX version: 24.6.0


Do you have an ansible.cfg that might specify a vault file? Usually inventory from a project doesn't require a credential besides selecting the project.

@iyami5 Inventory files can be entirely ansible-vault encrypted or have encrypted vars in otherwise plaintext files. Of course, you need to pass the vault decryption information to ansible someway somehow for it to be consumed. However, you don’t want to have that vault password stored in the project itself that the inventory is sourced from.

@dkoci Unfortunately, and this has been part of recent discussions in the AWX community meetings, there are limitations on what and where credential types can be used. The ansible-vault credential type (as well as custom credential types), for example, cannot be used with inventory sources. The only way to work around this that I am aware of is to add the vault password information to a custom EE, and specify that EE for the inventory source. Then that EE can automatically decrypt the inventory. You don't necessarily want to bake this into your global EE, as that may conflict with using ansible-vault credential types in the places they can actually be used.

Hopefully in the near future, AWX will support using more/all credential types in more/all contexts.

I am a bit confused. Why should I use a vault password in the case of an inventory source? My inventory file and ansible.cfg file are not encrypted with ansible-vault. The only thing which is encrypted is some variable which doesn't have anything to do with the inventory source.

Probably why it's asking you for credentials. It's loading the var or something similar.


Hi, I tried to do this in my custom EE like this, but it did not work out:

Added this in my ansible.cfg:
vault_password_file=/etc/ansible/vid

In the vid file there is the password of the vault. If I run the playbook with the custom EE it works and decrypts the vault, but if I run the inventory sync from AWX I am still receiving this error:

[root@b92812c9655d runner]# cat test.yml
- hosts: localhost
  vars_files: vars.yml
  tasks:
    - name: debug pippo
      debug:
        msg: "{{ pippo }}"
[root@b92812c9655d runner]# cat vars.yml
$ANSIBLE_VAULT;1.1;AES256
66633962613736636538393330666436356362653966626537343066323663663262346161633965
3762373631353631396261353330316433646530656430300a363362616263333835626335616162
65613038333331396239313465386362366333636636663463613235626233373666316631323566
3436373838646262620a326463643738646435396662646466333430616236663031366563633163
38343633336632326532643530393364336439346237343861623835306235353239
[root@b92812c9655d runner]# ansible-playbook test.yml
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [localhost] ***********************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] *****************************************************************************************************************************************************************************************************************
ok: [localhost]

TASK [debug pippo] *********************************************************************************************************************************************************************************************************************
ok: [localhost] => {
    "msg": "dio"
}

PLAY RECAP *****************************************************************************************************************************************************************************************************************************
localhost : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Oh, I see now that it is using /runner/project/ansible.cfg as the config file and not /etc/ansible/ansible.cfg, so it will not work.

But in my custom EE I don't have any project folder under /runner:

[root@eb72a1da5eda runner]# ls -lhrt /runner/
total 8.0K
-rw-------. 1 root root 419 Aug 29 15:23 vars.yml
-rw-r--r--. 1 root root 120 Aug 29 15:24 test.yml

Hello! I have learned a thing or two since my earlier post, and believe I am mistaken about something I said previously. I cannot edit the post now though.

First, you can use custom cloud credentials with inventory sources. This is important.

Now, as for using ansible vault encryption with inventories, you should not use vault credentials when synchronizing inventories because that fully decrypts them and imports plaintext secrets into AWX/AAP’s inventory. Therefore, vault credentials cannot be used with inventory sources by design for security purposes. The reusability of credential types is still a topic of discussion and likely being addressed in the AWX architecture overhaul, but the vault credential type will still be restricted in any case.

This has the consequence that you cannot synchronize any inventories with vault encrypted files. However, you can still sync vault encrypted variables/strings in otherwise plaintext files.

Lastly, if you’re using a custom dynamic inventory plugin in your project sourced inventory, you can use a custom credential type in AWX/AAP to supply the plugin’s authentication secrets without having to save them inside the project, vault encrypted or otherwise. (The only other thing to worry about is making sure your control EE has the required collection plugins and dependencies to work with your custom dynamic inventory type).


TL;DR

  • Don’t pass vault credentials to inventory sources in any way
  • Don’t encrypt files in inventory sources (encrypted variables/strings are ok)
  • Use custom credential types for authenticating custom dynamic inventory plugins
  • Encrypted vars will be decrypted at execution time with vault credential types added to the job templates

@Angelo_Gagliardi The /runner/project/ansible.cfg is an ephemeral file of sorts. When AWX/AAP runs a job, it spins up a new pod/container using ansible-runner to integrate the platform with ansible-core on the EE. The respective AWX/AAP project containing the code for the executing Job Template will be copied to the runner as /runner/project/ and then run ansible-playbook my_job_template_playbook.yml from that directory. If your project contains an ansible.cfg file, then that will take precedence over /etc/ansible/ansible.cfg as you would normally expect.

Hi @Denney-tech,

Thank you for your feedback!

Finally I solved the issue!

I just added that line in my ansible.cfg in my source Git repository, and it automatically copies the file to /runner/project/ansible.cfg, so now it is working!

I know that we should not have the inventory encrypted as in this case; I will suggest to the customer to make changes and migrate this group_vars management to the playbook or role side, so we can manage the vault stuff in the job template.

I wish you a wonderful day!

Angelo.

They just need to convert the vars.yml file from an encrypted file to plaintext, and convert the secrets into encrypted strings.

E.g.

---
my_secret: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          35663766343830663733653337326235386334306334336466383931323631353636323432396332
          3835653933643962396635356636353061313464393461620a633335346664366362653237653063
          62346638623766306238643838383731616133383733616166336133386461666663356532373862
          6165386465663561320a613264336237646230633138636163353066646132333361303639353531
          3938

The vars don’t need to be moved from the inventory into a playbook or role. The inventory just can’t have fully encrypted files.
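A pre-flight check for the rule stated in this post and in the TL;DR above (whole-file vault encryption breaks an inventory sync, inline `!vault` strings do not), written as an added example; it is not code from this thread or from AWX. It only looks at file shape: the `$ANSIBLE_VAULT;` header on the first line versus the `!vault |` tag that `ansible-vault encrypt_string` emits. The sample project files are constructed, with the hex bodies shortened.

```python
import re
from pathlib import Path

VAULT_HEADER = "$ANSIBLE_VAULT;"           # first line of a fully encrypted file
INLINE_VAULT = re.compile(r"!vault\s*\|")  # YAML tag written by encrypt_string


def classify(text: str) -> str:
    """Return 'whole-file' (blocks inventory sync), 'inline' (ok) or 'plaintext'."""
    first_line = text.lstrip().split("\n", 1)[0]
    if first_line.startswith(VAULT_HEADER):
        return "whole-file"
    if INLINE_VAULT.search(text):
        return "inline"
    return "plaintext"


def check_files(files: dict) -> dict:
    """Classify a {relative_path: contents} mapping; returns {path: verdict}."""
    return {path: classify(text) for path, text in files.items()}


def blocking_files(files: dict) -> list:
    """Paths that would make the project-sourced inventory fail to sync."""
    return sorted(p for p, v in check_files(files).items() if v == "whole-file")


def scan_project(root: Path) -> dict:
    """Same check over the YAML files of a checked-out project directory."""
    paths = list(root.rglob("*.yml")) + list(root.rglob("*.yaml"))
    return check_files({str(p.relative_to(root)): p.read_text(errors="replace")
                        for p in paths})


# Constructed sample project shaped like the files in the thread (hex truncated).
SAMPLE_PROJECT = {
    "inventory/hosts.yml": "all:\n  hosts:\n    web1:\n",
    "inventory/group_vars/all/vars.yml":
        "$ANSIBLE_VAULT;1.1;AES256\n66633962613736636538393330666436\n",
    "inventory/group_vars/all/secrets.yml":
        "---\nmy_secret: !vault |\n  $ANSIBLE_VAULT;1.1;AES256\n  35663766343830663733653337326235\n",
}

if __name__ == "__main__":
    for path, verdict in check_files(SAMPLE_PROJECT).items():
        print(f"{verdict:10} {path}")
    for path in blocking_files(SAMPLE_PROJECT):
        # Remedy from the post above: decrypt the file, then re-encrypt each value
        # with `ansible-vault encrypt_string --name <var>` and paste the !vault block.
        print(f"BLOCKING: {path} is a whole-file vault; convert to inline !vault strings")
```

Run it against a real checkout with `scan_project(Path("path/to/project"))` before pushing an inventory change; a non-empty `blocking_files` result is the same condition that surfaces as the sync error at the top of this thread.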