Handle Vault credentials type in AWX

Hi

In order to improve my AWX management for my team, I'm currently trying to configure HashiCorp Vault credentials, but I'm having some errors and doubts.

Usually, in my Ansible project, which I run from a Debian server, I'm used to setting up Vault secrets using a lookup like this (it works in a vars file or within vars:):

### Vault Configuration
ansible_hashi_vault_token="{{ lookup('env', 'VAULT_ANSIBLE') }}"

my_secret="{{ lookup('community.hashi_vault.vault_kv2_get', 'my_secret', engine_mount_point='kv/', token=ansible_hashi_vault_token) }}"

#### Credentials (ansible service account) ####
ansible_user="{{ my_secret.secret.ansible_user_from_vault }}"

Ansible will look for an environment variable called 'VAULT_ANSIBLE', which holds the token resulting from an AppRole call to my Vault server. This allows running playbooks without writing any token in the code.

Now, after adding the project in AWX, I'm trying to make the Vault part work:

  1. I created a credential with the HashiCorp Vault Secret Lookup type, as you can see here. I simply added the Server URL + Token for testing.

  2. When I click on Test, no matter what secret I want to retrieve, I always get this error.

Here are my questions:

  • Which log file can give me more information about the credential/API call to Vault?
  • Is there anything I'm missing for this particular configuration? Should I try to add my root CA or intermediate CA while configuring the credential? If yes, which certificate format should it be?
  • Is there a proper way/another way to use the Vault lookup within AWX?

I saw on many forums that people are creating custom Credential Types, then using an injector to use the Vault lookup.

Thanks a lot for your help
Gael

EDIT 12 12 2023
Found the logs (using kubectl logs my-pod) corresponding to the credential test. It seems to be a Django Bad Request, but I don't know how to investigate that:

2023-12-12 14:40:40,628 WARNING  [4fdf7cfc36804499b34fa50a28369fb7] awx.api.generics status 400 received by user admin attempting to access /api/v2/credentials/5/test/ from 10.10.10.10
2023-12-12 14:40:40,635 WARNING  [4fdf7cfc36804499b34fa50a28369fb7] django.request Bad Request: /api/v2/credentials/5/test/
2023-12-12 14:40:40,635 WARNING  [4fdf7cfc36804499b34fa50a28369fb7] django.request Bad Request: /api/v2/credentials/5/test/
10.10.10.10 - - [12/Dec/2023:14:40:40 +0000] "POST /api/v2/credentials/5/test/ HTTP/1.1" 400 21 "https://my-awx.net/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0" "10.230.173.133"
[pid: 23|app: 0|req: 228/1089] 172.20.245.206 () {72 vars in 2440 bytes} [Tue Dec 12 14:40:40 2023] POST /api/v2/credentials/5/test/ => generated 21 bytes in 76 msecs (HTTP/1.1 400) 14 headers in 598 bytes (1 switches on core 0)

After many tests and much troubleshooting, I finally ended up with a working solution:

  1. I provided the root + intermediate certificates as a PEM file in the credential settings (be careful to have the correct certificates, in the correct order, in PEM format: intermediate + root).
  • From this, it moved from SSLError to HTTP 404.
  • After some tests, the perfect setting to make it work was this one:


I performed some other tests without the certificate and I got an SSLError every time.

  2. Don't forget to select v2 for the API version in the credential settings.

Conclusion: you should provide your custom CA, either as content or as a file, in the credential settings.