Hello Ansible/AWX Community,
I’m using AWX Tower and trying to implement certificate-based SSH authentication via HashiCorp Vault. I’m using the built-in ‘HashiCorp Vault Signed SSH’ credential type, which works well for initial connections.
However, I’m facing an issue with certificate TTL (Time-To-Live) for long-running jobs, especially those involving host reboots. The built-in credential type does not expose an option to specify the certificate TTL when requesting it from Vault.
To work around this, I attempted to create a custom credential type in AWX, including a ‘TTL’ field, with the intention of using it to request certificates with a longer validity period directly in my playbooks.
My problem is:
A custom credential type cannot be selected as the ‘Signed SSH Certificate’ within a standard AWX Machine Credential. This means I cannot leverage the custom TTL field while still using the integrated machine credential functionality that my existing playbooks rely on.
Is there a recommended approach or a known method to:
- Pass a custom TTL to the HashiCorp Vault SSH credential when using the built-in type?
- Or, enable a custom credential type to be used as a ‘Signed SSH Certificate’ within a Machine Credential?
Any guidance or best practices for managing certificate TTL with Vault and AWX for long-running jobs would be greatly appreciated.
My AWX version: AWX 24.6.0
Ansible core version: 2.16.14
Thank you!