The problem
I need to cache an Oauth2 access token gained by a “client credentials flow” between AWX jobs. I can’t request it on every job run, since we’ll get rate-limited.
I searched these forums for #awx token and found nothing related to this problem.
The question
Is there any guidance / builtin method to cache that token between job runs? I read through “Credentials” in the Automation Controller docs and don’t see anything builtin for this Oauth flow.
The solution we’re considering
We’re considering creating a custom credential type that stores the client credentials and another custom type that only stores the bearer token + the expiration date. Our plugin which calls the API will update the bearer token via the AWX API if it is expired.
Let me know if you foresee problems with our planned solution or have a better idea. Thank you very much
I am very interested to read what other people think about this. The point is that I’m also studying solutions to solve this very same problem. I got a couple of ideas under the hat, but I still have to test them (the most promising one turns around using the K8’s secrets storage, something like in here). Again, I’m still on the research stage, so I haven’t tried what the blogpost I shared suggests yet.
Now, since I see that this is a more common problem than I thought, I’ll try to implement a PoC and get back to you, so we can help each other on finding the best way to tackle this.
Can you explain better your use case?
Oauth2 that you need to store is used by job or you have a call back plugin thst use it?
In any case in my experience there isn’t native way to do that with AWX, you need to create your own flow and probably other tool than awx need to be involved.
With information shared option shared by you @aj2s can be possible but you need to consider that you need to have an user in awx side that check the credential and update in on awx (with some permisison) when token need to be refresh ed.
Anyway, maintain an oauth2 in awx can be very triky and i have some doubt from security point of view (you can impersonate and so on)
The bearer token is used by a custom inventory plugin, so it’s used by the job if that makes sense.
Yes, I agree that updating AWX credentials from within a job is insecure, so after discussing with teammates we’ve ruled that out. We’re currently planning to store the bearer token in our external secrets storage instead, similar to what @jbericat thought of.
The next step is deciding whether to try and figure out how to make a credentials plugin to handle all this or do the secret storage fetch/update from within the inventory plugin.
At this point, we have a path forward! Thanks to you both for chiming in, I was mainly looking to know if there was an existing solution
Hi all, just to update, I ended up using Kubernetes Secrets for caching. I would’ve liked to use Hashicorp Vault, since we could use that for other aspects of our project, but this was easier to get working in a pinch
Great @aj2s! I’m glad I could lend you a hand with this matter
I still haven’t tried it yet, but knowing that K8’s secrets worked for you, I’ll give it a try too.
Cheers!
PS: Also, If you don’t mind checking the solved mark on the post you believe helped you the most, for housekeeping sake? This way other users with the same problem as you may find the solution faster. Thanks in advance!
on the post you believe helped you the most, for housekeeping sake? This way other users with the same problem as you may find the solution faster. Thanks in advance!