AWX credentials vs credentials type


I’ve successfully configured a HashiCorp Vault Secret Lookup credential within AWX.
I simply provide my Vault URL, secret_id and role_id, CA cert and select API v2.

Within the credentials settings, I’m able to successfully test to retrieve a secret/key from this credential as you can see here

However, it’s not possible to use this credential when I create a new Job template. As you can see below, there’s no HashiCorp Vault credential available.

Is this a limitation or a bug in AWX? Or are the HashiCorp credentials only valid from an AWX instance perspective (and thus not to be used within a project)?

Also, my Ansible projects are coded to retrieve ansible_hashi_vault_token, and then the playbook can ask Vault for different keys based on different secrets (all within kv/).

Thanks a lot

What version of AWX are you using?
This feature seems to be added.

Hi, that’s nice to hear! Do you know if there’s a pull request about it?

My awx-operator version is: 2.9.0
My AWX instance version is: AWX 23.5.1

Basically I found a “dirty” workaround: set up the HC Vault URL + token as a variable in every project (so the token is not encrypted). It makes my project work but it’s not secure at all.

Finally succeeded in setting up what I need according to this blog.

I already use AppRole, so the thing was just to “inject” a custom credential (Vault URL + roleID/secretID) from AWX into my running project.

  • From an AWX perspective, I simply created a new credential type, as mentioned here again.

    Input Configuration

      fields:
        - id: vault_server
          type: string
          label: URL for Vault Server
        - id: vault_role_id
          type: string
          label: Vault AppRole ID
        - id: vault_secret_id
          type: string
          label: Vault Secret ID
          secret: true
      required:
        - vault_server

    Injector Configuration

      env:
        VAULT_ADDR: '{{ vault_server }}'
        VAULT_ROLE_ID: '{{ vault_role_id }}'
        VAULT_SECRET_ID: '{{ vault_secret_id }}'

  • From a YAML perspective, all my project vars embed:

      # These 2 vars look up the ENV variables we set up through AWX
      approle_id: "{{ lookup('env','VAULT_ROLE_ID') }}"
      approle_secret_id: "{{ lookup('env','VAULT_SECRET_ID') }}"

      # This one "mounts" the connection to my Vault with the dedicated AppRole
      my_secret_vault: "{{ lookup('community.hashi_vault.vault_kv2_get', 'my_secret', engine_mount_point='kv/', auth_method='approle', role_id=approle_id, secret_id=approle_secret_id) }}"

      # This one retrieves the key's data based on my query
      my_key: "{{ my_secret_vault.secret.my_key_id }}"

So now you just need to fill in the correct Vault URL + roleID + secret ID from your AWX GUI and here you go :)

PS: no matter if you’re using AppRole or simply a token, the method works the same, you just need to adapt your injector configuration.
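
For readers debugging this setup: what the lookup in the post above does with the three injected variables, written out against Vault's HTTP API. This is an added example, not code from the thread or from AWX. The function names, the https-only check and the default `approle` auth mount are assumptions; the variable names, `kv` mount and `my_secret` path are taken from the post.

```python
import json
import os
import urllib.request

# Variable names come from the injector configuration in the post above.
REQUIRED = ("VAULT_ADDR", "VAULT_ROLE_ID", "VAULT_SECRET_ID")


def injected_settings(env=os.environ):
    """Return (addr, role_id, secret_id); fail closed if the credential is not attached."""
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        # Report variable names only, never values, so nothing leaks into job output.
        raise RuntimeError("missing injected variables: " + ", ".join(missing))
    addr = env["VAULT_ADDR"].rstrip("/")
    if not addr.startswith("https://"):  # assumption: Vault is reachable over TLS only
        raise RuntimeError("VAULT_ADDR must be an https:// URL")
    return addr, env["VAULT_ROLE_ID"], env["VAULT_SECRET_ID"]


def approle_login_request(addr, role_id, secret_id):
    """AppRole login: POST /v1/auth/approle/login (default 'approle' auth mount assumed)."""
    body = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    return urllib.request.Request(addr + "/v1/auth/approle/login", data=body, method="POST",
                                  headers={"Content-Type": "application/json"})


def kv2_read_request(addr, token, path, mount="kv"):
    """KV v2 read: GET /v1/<mount>/data/<path>, authenticated with the login token."""
    return urllib.request.Request(f"{addr}/v1/{mount}/data/{path}", method="GET",
                                  headers={"X-Vault-Token": token})


def http_send(req):
    """Send a request and decode the JSON body (uses the system CA store)."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def read_secret(path, env=os.environ, send=http_send):
    """Log in with the injected AppRole pair, then return the secret's key/value data."""
    addr, role_id, secret_id = injected_settings(env)
    login = send(approle_login_request(addr, role_id, secret_id))
    token = login["auth"]["client_token"]  # client token, kept in memory only
    return send(kv2_read_request(addr, token, path))["data"]["data"]


if __name__ == "__main__":
    # Print key names only; the values stay out of the job log.
    print(sorted(read_secret("my_secret")))
```

If Vault uses a private CA, `http_send` needs an `ssl` context that trusts it; the `send` parameter lets you swap that in.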

