Hi.
In AWX, I would like to create an inventory from the project source. When I try to sync, I get an error:
ERROR! Attempting to decrypt but no vault secrets found
The inventory file is not encrypted with Ansible Vault. I have also created credentials for Git and Vault, but I am unable to select them.
AWX operator version: 2.19.0
AWX version: 24.6.0
do you an ansible.cfg that might specify a vault file? usually inventory from a project doesnât require a credential besides selecting the project.
@iyami5 Inventory files can be entirely ansible-vault encrypted or have encrypted vars in otherwise plaintext files. Of course, you need to pass the vault decryption information to ansible someway somehow for it to be consumed. However, you donât want to have that vault password stored in the project itself that the inventory is sourced from.
@dkoci Unfortunately, and this has been part of recent discussions in the AWX community meetings, there are limitations on what and where credentials types can be used. The ansible-vault credential type (as well as custom credential types), for e.g., cannot be used with inventory sources. The only way to work around this is that I am aware of is to add the vault password information to a custom EE, and specify that EE for the inventory source. Then that EE can automatically decrypt the inventory. You donât necessarily want to bake this into your global EE, as that may conflict with using ansible-vault credential types in the places they can actually be used.
Hopefully in the near future, AWX will support using more/all credential types in more/all contexts.
I am a bit confused. Why should I use vault password in case of inventory source? My inventory file and ansible.cfg file are not encrypted with ansible-vault. The only thing which is encrypted is some variable which doesnt have anything to do with ineventory source.
probably why its asking you for credentials. Its loading the var or something similar.
Hi, i tried to do this in my custom ee like this, but did not work out:
Added this in my ansible.cfg:
vault_password_file=/etc/ansible/vid
in the vid file there is the password of the vault, if i run playbook con the custom EE is working decrypting the vault, but if run rhe inventory sync from AWX i am still receiveing this error:
[root@b92812c9655d runner]# cat test.yml
- hosts: localhost
vars_files: vars.yml
tasks:
- name: debug pippo
debug:
msg: â{{ pippo }}â
[root@b92812c9655d runner]# cat vars.yml
$ANSIBLE_VAULT;1.1;AES256
66633962613736636538393330666436356362653966626537343066323663663262346161633965
3762373631353631396261353330316433646530656430300a363362616263333835626335616162
65613038333331396239313465386362366333636636663463613235626233373666316631323566
3436373838646262620a326463643738646435396662646466333430616236663031366563633163
38343633336632326532643530393364336439346237343861623835306235353239
[root@b92812c9655d runner]# ansible-playbook test.yml
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match âallâPLAY [localhost] ***********************************************************************************************************************************************************************************************************************
TASK [Gathering Facts] *****************************************************************************************************************************************************************************************************************
ok: [localhost]TASK [debug pippo] *********************************************************************************************************************************************************************************************************************
ok: [localhost] => {
âmsgâ: âdioâ
}PLAY RECAP *****************************************************************************************************************************************************************************************************************************
localhost : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Oh i see now that hit using Using /runner/project/ansible.cfg as config file and not /etc/ansible/ansible.cfg so will not work.
But in my custom EE i donât have any project folder under /runner:
[root@eb72a1da5eda runner]# ls -lhrt /runner/
total 8.0K
-rw-------. 1 root root 419 Aug 29 15:23 vars.yml
-rw-rârâ. 1 root root 120 Aug 29 15:24 test.yml
Hello! I have learned a thing or two since my earlier post, and believe I am mistaken about something I said previously. I cannot edit the post now though.
First, you can use custom cloud credentials with inventory sources. This is important.
Now, as for using ansible vault encryption with inventories, you should not use vault credentials when synchronizing inventories because that fully decrypts them and imports plaintext secrets into AWX/AAPâs inventory. Therefore, vault credentials cannot be used with inventory sources by design for security purposes. The reusability of credential types is still a topic of discussion and likely being addressed in the AWX architecture overhaul, but the vault credential type will still be restricted in any case.
This has the consequence that you cannot synchronize any inventories with vault encrypted files. However, you can still sync vault encrypted variables/strings in otherwise plaintext files.
Lastly, if youâre using a custom dynamic inventory plugin in your project sourced inventory, you can use a custom credential type in AWX/AAP to supply the pluginâs authentication secrets without having to save them inside the project, vault encrypted or otherwise. (The only other thing to worry about is making sure your control EE has the required collection plugins and dependencies to work with your custom dynamic inventory type).
TL;DR
@Angelo_Gagliardi The /runner/project/ansible.cfg is an ephemeral file of sorts. When AWX/AAP runs a job, it spins up a new pod/container using ansible-runner to integrate the platform with ansible-core on the EE. The respective AWX/AAP project containing the code for the executing Job Template will be copied to the runner as /runner/project/ and then run ansible-playbook my_job_template_playbook.yml from that directory. If your project contains an ansible.cfg file, then that will take precedence over /etc/ansible/ansible.cfg as you would normally expect.
Hi @Denney-tech,
Thank you for your feedback !
Finally i solved the issue !
I just added that line in my ansible.cfg on my source GIT repository and automatically it copies the file on /runner/project/ansible.cfg so now is working !
I know that we should not have inventory crypted as this case, i will suggest to the customer to make changes and migrate this group_vars management on the playbook or role side, so we can manage the vault stuff in the job template.
I wish you a wonderful day !
Angelo.
They just need to convert the vars.yml file from an encrypted file to plaintext, and convert the secrets into encrypted strings.
E.g.
---
my_secret: !vault |
$ANSIBLE_VAULT;1.1;AES256
35663766343830663733653337326235386334306334336466383931323631353636323432396332
3835653933643962396635356636353061313464393461620a633335346664366362653237653063
62346638623766306238643838383731616133383733616166336133386461666663356532373862
6165386465663561320a613264336237646230633138636163353066646132333361303639353531
3938
The vars donât need to be moved from the inventory into a playbook or role. The inventory just canât have fully encrypted files.