I’m new around here, please forgive me before hand if I’m bringing a stupid question!
I’ve been trying to configure the AWX with HashiCorp Vault Signed SSH, without much success. I was following this old doc:
I created the machine and the ‘HashiCorp Vault Signed SSH’ exactly as described there, but instead of using the ‘token’ I replaced it with an role_id and secret_id. Then I mapped this machine credential to a job template which I created but when I run the job I always get ‘Invalid credentials’, while at the target machine, I see only a request for a password authentication. It’s as if the AWX is completely ignoring the ‘HashiCorp Vault Signed SSH’. Inspecting the Connecting debug, I see no particular reason to what’s happening. I tried the manual process of sshing with the pub signed by vault into the target machine and I was able to accomplish that with no problem. Did the same test within a pod of AWX-EE.
Like I said, I’m completely new into AWX and I’m discovering it’s potential, but I’m getting somewhat frustrated with the documentation which is not very clear at times.
As anyone been able to accomplish this setup which can share with me some details on how I can accomplish the same?
I’m not using the ‘hashi_vault’ module, since I’m leaving the certificate signing and vault authentication to AWX - I’m expecting that the AWX is able to do that without any particular modification at my ansible playbooks. The idea, it’s for the AWX authenticate on the Hashicorp Vault with an approle, then sign an unsigned ssh-key and use that signed ssh-key to ssh into the target machines which have been configured to allow ssh-keys signed by the SSH CA vault.
Also, the other documentation on ‘credential_plugins’, as you can see, it’s not particularly well documented, not even consider other scenarios aside of token, neither how you can then use the external credential plugin. I ended up using the doc I shared, because to be fair, was the very best I found and which made sense to me (logically and practically).
Unfortunately, this documentation doesn’t help at all.