Best practices for specifying hosts and credentials in job templates?

Hello, I’m trying to figure out the best way to run fact gathering playbooks against different groups of hosts in AWX.

Let’s say that I have a bunch of Cisco devices, and I want to run the ios_facts module against them. However, the credentials are different for many of these devices. I’m wondering what the best way to setup the playbook, job template, and groups in order to do this.

One requirement is that each credential be encrypted in the vault, not sitting plaintext as a host or group variable.

I was thinking about making the ‘hosts’ field in the playbook could be a variable which is set with a survey per job template, and then I specify the credentials per job template.

How do you folks handle this?

Hi,

whats your problem with group/hostvars? They can be encryped either. See “ansible-vault encrypt_string”.
If you really don’t want to use these vars you could use a dynamic var include in a role.

role/vars/credentials/serverA.yml

include_vars:
file: credentials/{{ dynamicServerName }}.yml

There are a lot of other options, but I suggest using group/host_vars.

The issue is that I need to be able to do everything without the ansible command line or SSHing into the ansible node. Everything needs to be done through the AWX web interface, which is why I have been needing to use AWX Credential objects for each node.

Is there any way to add new credentials per device to the vault through the AWX interface?