@iyami5 Inventory files can be entirely ansible-vault encrypted or have encrypted vars in otherwise plaintext files. Of course, you need to pass the vault decryption information to ansible someway somehow for it to be consumed. However, you don't want to have that vault password stored in the project itself that the inventory is sourced from.
@dkoci Unfortunately, and this has been part of recent discussions in the AWX community meetings, there are limitations on what and where credential types can be used. The ansible-vault credential type (as well as custom credential types), e.g., cannot be used with inventory sources. The only way to work around this that I am aware of is to add the vault password information to a custom EE, and specify that EE for the inventory source. Then that EE can automatically decrypt the inventory. You don't necessarily want to bake this into your global EE, as that may conflict with using ansible-vault credential types in the places they can actually be used.
Hopefully in the near future, AWX will support using more/all credential types in more/all contexts.
I am a bit confused. Why should I use a vault password in the case of an inventory source? My inventory file and ansible.cfg file are not encrypted with ansible-vault. The only thing which is encrypted is some variable which doesn't have anything to do with the inventory source.
Hi, I tried to do this in my custom EE like this, but it did not work out:
Added this in my ansible.cfg:
vault_password_file=/etc/ansible/vid
In the vid file there is the password of the vault. If I run the playbook with the custom EE it works, decrypting the vault, but if I run the inventory sync from AWX I am still receiving this error:
- name: debug pippo
  debug:
    msg: "{{ pippo }}"
[root@b92812c9655d runner]# cat vars.yml
$ANSIBLE_VAULT;1.1;AES256
66633962613736636538393330666436356362653966626537343066323663663262346161633965
3762373631353631396261353330316433646530656430300a363362616263333835626335616162
65613038333331396239313465386362366333636636663463613235626233373666316631323566
3436373838646262620a326463643738646435396662646466333430616236663031366563633163
38343633336632326532643530393364336439346237343861623835306235353239
[root@b92812c9655d runner]# ansible-playbook test.yml
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
PLAY [localhost] ***********************************************************************************************************************************************************************************************************************
Hello! I have learned a thing or two since my earlier post, and believe I am mistaken about something I said previously. I cannot edit the post now though.
First, you can use custom cloud credentials with inventory sources. This is important.
Now, as for using ansible vault encryption with inventories, you should not use vault credentials when synchronizing inventories because that fully decrypts them and imports plaintext secrets into AWX/AAP's inventory. Therefore, vault credentials cannot be used with inventory sources by design for security purposes. The reusability of credential types is still a topic of discussion and likely being addressed in the AWX architecture overhaul, but the vault credential type will still be restricted in any case.
This has the consequence that you cannot synchronize any inventories with vault encrypted files. However, you can still sync vault encrypted variables/strings in otherwise plaintext files.
Lastly, if you're using a custom dynamic inventory plugin in your project sourced inventory, you can use a custom credential type in AWX/AAP to supply the plugin's authentication secrets without having to save them inside the project, vault encrypted or otherwise. (The only other thing to worry about is making sure your control EE has the required collection plugins and dependencies to work with your custom dynamic inventory type).
TL;DR
Don't pass vault credentials to inventory sources in any way
Don't encrypt files in inventory sources (encrypted variables/strings are ok)
Use custom credential types for authenticating custom dynamic inventory plugins
Encrypted vars will be decrypted at execution time with vault credential types added to the job templates
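The TL;DR above can be turned into a pre-sync check. The following is an added example written for this thread, not code from AWX/AAP or from any poster: a small lint that walks a project-sourced inventory directory and reports three things. A file whose first line is an ansible-vault header is flagged as a violation (an inventory source cannot sync it); an inline `!vault` tagged variable in an otherwise plaintext YAML file is reported but allowed (it stays ciphertext until a job template with a vault credential decrypts it); and an `ansible.cfg` that sets `vault_password_file` or `vault_identity_list` inside the project is flagged, since that ships vault decryption material with the inventory source. The file layout, the sample contents and the "fake" ciphertext are all constructed for the demonstration; the rule set itself is my reading of the thread, not an AWX feature.

```python
"""Pre-sync lint for an AWX/AAP project-sourced inventory directory (added example).

Rules (assumed from the thread's TL;DR, not an AWX feature):
  * whole-file ansible-vault encryption      -> violation (sync cannot read it)
  * inline `!vault` tagged variable           -> reported, allowed
  * vault_password_file / vault_identity_list
    set in an ansible.cfg inside the project  -> violation (vault material in source)
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;(\d+\.\d+);([A-Z0-9]+)(?:;(\S+))?\s*$")
INLINE_VAULT = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*!vault\s*\|?\s*$", re.M)
CFG_VAULT_KEYS = re.compile(r"^\s*(vault_password_file|vault_identity_list)\s*=", re.M)


@dataclass
class Finding:
    path: str
    kind: str      # whole_file_encrypted | inline_vault_var | vault_secret_in_cfg
    detail: str


@dataclass
class LintResult:
    findings: list = field(default_factory=list)

    @property
    def violations(self):
        return [f for f in self.findings if f.kind != "inline_vault_var"]

    @property
    def ok(self):
        return not self.violations


def lint_text(path: str, text: str) -> list:
    """Classify one file's content; `path` is only used for naming and the cfg check."""
    findings = []
    first = text.splitlines()[0] if text.strip() else ""
    m = VAULT_HEADER.match(first)
    if m:
        findings.append(Finding(path, "whole_file_encrypted",
                                f"vault format {m.group(1)}, cipher {m.group(2)}"))
        return findings  # nothing else is readable without the password
    if os.path.basename(path) == "ansible.cfg":
        for key in CFG_VAULT_KEYS.findall(text):
            findings.append(Finding(path, "vault_secret_in_cfg", key))
    for var in INLINE_VAULT.findall(text):
        findings.append(Finding(path, "inline_vault_var", var))
    return findings


def lint_inventory_dir(root: str) -> LintResult:
    result = LintResult()
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            p = os.path.join(dirpath, name)
            with open(p, encoding="utf-8", errors="replace") as fh:
                result.findings.extend(lint_text(p, fh.read()))
    return result


# Constructed sample files; the hex below is filler, not a real vault blob.
SAMPLE_GROUP_VARS = """---
ntp_server: ntp.example.internal
db_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  3031323334353637383930313233343536373839303132333435363738393031
"""
SAMPLE_WHOLE_FILE = """$ANSIBLE_VAULT;1.1;AES256
3031323334353637383930313233343536373839303132333435363738393031
"""
SAMPLE_CFG = """[defaults]
inventory = inventory/hosts.yml
vault_password_file=/etc/ansible/vid
"""


def build_sample_tree(root: str) -> None:
    """Write the constructed samples as a mini project layout under root."""
    gv = os.path.join(root, "inventory", "group_vars")
    os.makedirs(gv, exist_ok=True)
    for rel, body in (("ansible.cfg", SAMPLE_CFG),
                      (os.path.join(gv, "all.yml"), SAMPLE_GROUP_VARS),
                      (os.path.join(gv, "secrets.yml"), SAMPLE_WHOLE_FILE)):
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)


def demo() -> LintResult:
    """Run the lint over the constructed tree and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return lint_inventory_dir(tmp)


if __name__ == "__main__":
    res = demo()
    for f in res.findings:
        print(f"{f.kind:22} {f.path}: {f.detail}")
    print("OK" if res.ok else "inventory sync would fail or vault material is in the source")
```

Run it against the root of a checked-out project before the inventory source is synced; a non-empty `violations` list means either the sync will not be able to parse a file or the project is carrying vault decryption material that the TL;DR says not to pass to inventory sources. Inline `!vault` variables are listed only so you can see which values will stay encrypted in AWX until a job template with a vault credential runs.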
@Angelo_Gagliardi The /runner/project/ansible.cfg is an ephemeral file of sorts. When AWX/AAP runs a job, it spins up a new pod/container using ansible-runner to integrate the platform with ansible-core on the EE. The respective AWX/AAP project containing the code for the executing Job Template will be copied to the runner as /runner/project/ and then run ansible-playbook my_job_template_playbook.yml from that directory. If your project contains an ansible.cfg file, then that will take precedence over /etc/ansible/ansible.cfg as you would normally expect.
I just added that line in my ansible.cfg in my source GIT repository and it automatically copies the file to /runner/project/ansible.cfg, so now it is working!
I know that we should not have the inventory encrypted as in this case. I will suggest to the customer to make changes and migrate this group_vars management to the playbook or role side, so we can manage the vault stuff in the job template.