AWX + HashiCorp Vault Signed SSH

Hello everyone!

I’m new around here, please forgive me beforehand if I’m bringing a stupid question!

I’ve been trying to configure the AWX with HashiCorp Vault Signed SSH, without much success. I was following this old doc:

I created the machine and the ‘HashiCorp Vault Signed SSH’ exactly as described there, but instead of using the ‘token’ I replaced it with a role_id and secret_id. Then I mapped this machine credential to a job template which I created, but when I run the job I always get ‘Invalid credentials’, while at the target machine, I see only a request for a password authentication. It’s as if the AWX is completely ignoring the ‘HashiCorp Vault Signed SSH’. Inspecting the connection debug, I see no particular reason for what’s happening. I tried the manual process of sshing with the pub signed by vault into the target machine and I was able to accomplish that with no problem. Did the same test within a pod of AWX-EE.

Like I said, I’m completely new to AWX and I’m discovering its potential, but I’m getting somewhat frustrated with the documentation, which is not very clear at times.

Has anyone been able to accomplish this setup and can share with me some details on how I can accomplish the same?

Thank you all.

@pirolas welcome,

Have you tried the following resources?
They should be a more maintained document base than the GitHub.

https://docs.ansible.com/ansible-tower/3.5.0/html/administration/credential_plugins.html

https://docs.ansible.com/ansible/latest/collections/community/hashi_vault/index.html

Thank you for that @alainseys

I’m not using the ‘hashi_vault’ module, since I’m leaving the certificate signing and vault authentication to AWX - I’m expecting that the AWX is able to do that without any particular modification to my Ansible playbooks. The idea is for the AWX to authenticate on the HashiCorp Vault with an approle, then sign an unsigned ssh-key and use that signed ssh-key to ssh into the target machines which have been configured to allow ssh-keys signed by the SSH CA vault.

Also, the other documentation on ‘credential_plugins’, as you can see, is not particularly well documented; it does not even consider other scenarios aside from token, nor how you can then use the external credential plugin. I ended up using the doc I shared because, to be fair, it was the very best I found and it made sense to me (logically and practically).

Unfortunately, this documentation doesn’t help at all.
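
The flow described in the post above (AppRole login, then signing an unsigned public key with the Vault SSH CA), written against Vault's HTTP API as an added example; it is not from the thread or from AWX's own code. The Vault address, the SSH mount `ssh-client-signer`, the role `awx` and the principal `ansible` are assumed placeholders, and `fake_vault` is a constructed stand-in so the block runs offline.

```python
import json
import urllib.request

def approle_login_request(vault_addr, role_id, secret_id, auth_mount="approle"):
    """Step 1: POST /v1/auth/<mount>/login with the AppRole pair."""
    url = f"{vault_addr.rstrip('/')}/v1/auth/{auth_mount}/login"
    return url, {"role_id": role_id, "secret_id": secret_id}, {}

def ssh_sign_request(vault_addr, token, ssh_mount, role, public_key, principals):
    """Step 2: POST /v1/<ssh mount>/sign/<role> using the token from step 1."""
    url = f"{vault_addr.rstrip('/')}/v1/{ssh_mount}/sign/{role}"
    body = {"public_key": public_key.strip(),
            "valid_principals": ",".join(principals)}
    return url, body, {"X-Vault-Token": token}

def post_json(url, body, headers):
    """Real transport: send the JSON body and decode Vault's JSON reply."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def signed_key_via_approle(vault_addr, role_id, secret_id, ssh_mount, role,
                           public_key, principals, post=post_json):
    """Log in with AppRole, then ask the SSH CA to sign public_key."""
    login = post(*approle_login_request(vault_addr, role_id, secret_id))
    token = login["auth"]["client_token"]
    signed = post(*ssh_sign_request(vault_addr, token, ssh_mount, role,
                                    public_key, principals))
    return signed["data"]["signed_key"]

def fake_vault(url, body, headers):
    """Constructed stand-in for Vault so the flow runs offline."""
    if url.endswith("/v1/auth/approle/login"):
        return {"auth": {"client_token": "s.constructed-token"}}
    if headers.get("X-Vault-Token") != "s.constructed-token":
        raise PermissionError("sign call did not carry the login token")
    return {"data": {"signed_key": "ssh-ed25519-cert-v01@openssh.com AAAA-constructed"}}

if __name__ == "__main__":
    # All values below are placeholders: mount "ssh-client-signer", role "awx".
    print(signed_key_via_approle(
        "https://vault.example.com:8200", "role-id-placeholder",
        "secret-id-placeholder", "ssh-client-signer", "awx",
        "ssh-ed25519 AAAA-constructed awx@example\n", ["ansible"], post=fake_vault))
```

Saved next to the private key as `<key>-cert.pub`, the returned certificate can be inspected with `ssh-keygen -L -f <key>-cert.pub` to compare its principals and validity window with what the target's sshd accepts.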