I’m working on moving from ansible-vault secrets in our playbooks to using Azure Key Vault to store them. I’ve replaced the vaulted entries with lookup('azure.azcollection.azure_keyvault_secret' type lines.
This is working great at the CLI after using az login and then I can get all required secrets with no other changes to playbooks.
I went into AWX 23.x expecting to just set a credential for Microsoft Azure Key Vault and it would use the same info to do the lookups, but that didn’t work as I expected.
I finally found a good blog entry that walked me through it.
I noticed they were doing an environment variable lookup to set ansible playbook vars that were then used with the lookup filter to retrieve the secret, which seemed to add a lot of extra steps and complexity compared to the ansible-playbook CLI where it just used my az login credentials.
When I tried using the credential type “Microsoft Azure Resource Manager” I was getting an error that the Environment Variables were not configured correctly and a link to this page:
azure-sdk-for-python/sdk/identity/azure-identity/TROUBLESHOOTING.md at main · Azure/azure-sdk-for-python (github.com)
Since I’m using a Service Principal, I would expect to need to set
When I looked at the documentation for the Resource Manager credential, I found:
which lists ‘AZURE_CLIENT_ID’, ‘AZURE_SECRET’, and ‘AZURE_TENANT’
So close to what the lookup module is needing set, but not an exact match.
If I were to add a vars section to all of my playbooks to try to take the env vars set by the Credential type and create the env vars that the lookup is expecting, I would have to touch a ton of playbooks.
Would it be considered a bug/feature request to get the credential type “Microsoft Azure Resource Manager” to also set env vars that match the Microsoft requirements so it would work with the lookup without any other intervention?
Or should I make my own credential type to make my own workaround so these match?
Surely I’m not the only one who has tried this, so also wondering if I’m missing something simple in my method.
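
A sketch of the custom credential type the last question asks about, added here as an example and not part of the original post or of AWX's shipped credential types. It assumes the lookup authenticates through azure-identity's EnvironmentCredential, which reads AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID; the field ids and labels are hypothetical names chosen for illustration.

```yaml
# Document 1: paste into the credential type's "Input configuration".
# Field ids (client_id, client_secret, tenant_id) are illustrative names.
fields:
  - id: client_id
    type: string
    label: Service Principal Client ID
  - id: client_secret
    type: string
    label: Service Principal Client Secret
    # secret: true makes AWX store the value encrypted and mask it in the UI/API.
    secret: true
  - id: tenant_id
    type: string
    label: Azure Tenant ID
required:
  - client_id
  - client_secret
  - tenant_id
---
# Document 2: paste into the credential type's "Injector configuration".
# These are the variable names azure-identity's EnvironmentCredential reads,
# as opposed to the AZURE_SECRET / AZURE_TENANT names quoted in the post for
# the built-in "Microsoft Azure Resource Manager" credential.
env:
  AZURE_CLIENT_ID: '{{ client_id }}'
  AZURE_CLIENT_SECRET: '{{ client_secret }}'
  AZURE_TENANT_ID: '{{ tenant_id }}'
```

A credential of this type attached to a job template exports the three variables into the job environment, so playbooks need no extra vars section; scope the service principal to read-only secret access on the specific vault.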