I’ve successfully configured a HashiCorp Vault Secret Lookup credential within AWX.
I simply provide my Vault URL, secret_id, role_id and CA cert, and select API v2.
Within the credential settings, I’m able to successfully test retrieving a secret/key from this credential, as you can see here.
However, it’s not possible to use this credential when I create a new Job Template; as you can see below, there’s no HashiCorp Vault credential available.
Is this a limitation or a bug in AWX? Or are the HashiCorp credentials only valid from an AWX instance perspective (and therefore not usable within a project)?
Also, my Ansible projects are coded to retrieve ansible_hashi_vault_token and then the playbook can ask Vault for different keys based on different secrets (all within kv/).
Hi, that’s nice to hear! Do you know if there’s a pull request about it?
My awx-operator version is 2.9.0
My AWX instance version is AWX 23.5.1
Basically I found a “dirty” workaround: set up the HC Vault URL + token as variables on every project (so the token is not encrypted). It makes my projects work, but it’s not secure at all.
From a YAML perspective, all my project vars embed:
```yaml
vars:
  # These 2 vars look up the ENV variables we set up through AWX
  approle_id: "{{ lookup('env', 'VAULT_ROLE_ID') }}"
  approle_secret_id: "{{ lookup('env', 'VAULT_SECRET_ID') }}"
  # This one "mounts" the connection to my Vault with a dedicated AppRole
  # (the Vault URL is taken from the VAULT_ADDR environment variable)
  my_secret_vault: "{{ lookup('community.hashi_vault.vault_kv2_get', 'my_secret', engine_mount_point='kv/', auth_method='approle', role_id=approle_id, secret_id=approle_secret_id) }}"
  # This one retrieves the key's data based on my query
  my_key: "{{ my_secret_vault.secret.my_key_id }}"
```
So now you just need to fill in the correct Vault URL + role ID + secret ID in your AWX GUI and there you go.
PS: no matter whether you’re using AppRole or simply a token, the method works the same; you just need to adapt your injector configuration.
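As an added example that is not from this thread, here is what the "injector configuration" mentioned above can look like when expressed as an AWX custom credential type, so that the AppRole values are stored as an encrypted credential attached to the job template instead of plain job variables. The credential type field ids (vault_addr, role_id, secret_id) and the playbook are my own assumptions; the environment variable names match the ones read by the vars snippet above. The first two documents are the "Input configuration" and "Injector configuration" boxes of the AWX credential type form; the third is the playbook side.

```yaml
# Added example (not code from this thread): AWX custom credential type
# that injects HashiCorp Vault AppRole settings as job environment variables.
# --- Input configuration (field ids are assumed names) ---
fields:
  - id: vault_addr
    type: string
    label: Vault URL
  - id: role_id
    type: string
    label: AppRole Role ID
  - id: secret_id
    type: string
    label: AppRole Secret ID
    secret: true          # encrypted at rest by AWX and masked in job output
required:
  - vault_addr
  - role_id
  - secret_id
---
# --- Injector configuration ---
# Exposes the credential fields as environment variables of the job, which is
# exactly what lookup('env', 'VAULT_ROLE_ID') in the vars snippet above reads.
env:
  VAULT_ADDR: "{{ vault_addr }}"
  VAULT_ROLE_ID: "{{ role_id }}"
  VAULT_SECRET_ID: "{{ secret_id }}"
---
# --- Playbook side (assumed playbook, secret name 'my_secret' as in the thread) ---
- name: Read a kv v2 secret with the injected AppRole
  hosts: localhost
  gather_facts: false
  vars:
    my_secret_vault: "{{ lookup('community.hashi_vault.vault_kv2_get', 'my_secret',
                          url=lookup('env', 'VAULT_ADDR'),
                          engine_mount_point='kv',
                          auth_method='approle',
                          role_id=lookup('env', 'VAULT_ROLE_ID'),
                          secret_id=lookup('env', 'VAULT_SECRET_ID')) }}"
  tasks:
    - name: Report which keys were retrieved without echoing their values
      ansible.builtin.debug:
        msg: "Retrieved keys from my_secret: {{ my_secret_vault.secret.keys() | list }}"
```

Marking secret_id with `secret: true` is what avoids the "token is not encrypted" problem of storing it as a plain project variable: AWX encrypts the field and redacts it from job logs. In AWX, the HashiCorp Vault Secret Lookup credential is designed to source individual fields of another credential (the key icon next to a field in the credential form) rather than to be attached to a job template on its own, so the secret_id field of a custom type like this one can be filled from the Vault lookup credential instead of being typed in by hand.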