How to decrypt the AWX vault password

ashok453 · March 22, 2024, 5:32pm

Is there a way to decrypt the AWX Vault password that is encrypted if the copy of plain-text password is lost. We somehow need to decrypt it first as it is the master password using which we encrypted all our playbooks. We are not using any password file in the configuration
We have 2 types of credentials 1)Credential type -Vault which was used to encrypt vault password 2)ssh keys of cateogry Machine type to encrypt private key

We need to somehow reset or decrypt the vault password to decrypt ssh keys

Also where can I find ansible.cfg as my ansible running as docker instance in AWX

Denney-tech · March 22, 2024, 6:54pm

First, I want to preface that AWX is not a Secrets Manager. It does have a Secrets Vault, and it integrates well with external SM’s, but it doesn’t provide you with any direct way to expose its stored secrets. It isn’t meant to be used that way.

Second, AWX doesn’t provide any way to retrieve encrypted secrets as plaintext, but in some cases you can deliberately expose them in a carefully constructed playbook that echos the variables to stdout. However, there isn’t a way to expose the Vault password secret itself as plaintext as far as I can tell. Ansible doesn’t provide a way to do that, and AWX sends it as an stdin reply to --ask-vault-pass on job invocation; so there’s no variable or even a vault-password-file to expose.

Now, provided that you still have the vault password saved as an AWX Credential, you can expose your ansible-vaulted secrets in your playbooks like I described above to recover them, and re-encrypt them under a new and known vault password (store this in a proper external Secrets Manager!).

If you have already modified or deleted that vault credential in AWX, then you’re probably SoL. If you have routine backups of the Postgres DB, you might be able to restore an old backup to restore the credential, but you would still need to decrypt/re-encrypt your secrets with a new and known vault password.

Edit:

If you don’t know the password because it was created by an ex-employee, then there may be some hope in a little forensics. They might have created a vault-password-file and saved it somewhere on their linux work computer, and then pointed to it in ansible.cfg (or if they only passed as cli, that might be visible in their bash history).

ashok453 · March 23, 2024, 4:42am

Thanks

That is right.The people who implemented this 3yrs ago are no longer with the company and I have recently joined this project.

Klaas · March 24, 2024, 7:55pm

if it’s saved in awx you can decrypt it awx/docs/credentials/extract_credentials.md at devel · ansible/awx · GitHub

Denney-tech · March 25, 2024, 2:19pm

Good find! I don’t know how I missed that.

ashok453 · March 28, 2024, 5:15pm

Apologies for late reply. I can’t find awx-manage command. Btw our awx envrionment is running on docker instances .I tried to install awx-mange from the repos (RHEL8) but can’t find it.

Denney-tech · March 28, 2024, 5:18pm

awx-manage will be inside of an awx-task container. You will need to exec into the container to do this.

Edit: something like this:
docker exec -it awx-task /bin/bash -c "awx-manage shell_plus"

ashok453 · April 1, 2024, 11:26am

Thanks @Denney-tech @Klaas . I’m able to retrieve the key which was of credential type “Machine” but trying to retrieve vault password which is failing. Can you help with me the command to retrieve the encrypted credentials of type “Vault” as well as “Source Control”

Denney-tech · April 1, 2024, 2:35pm

I created a “fake vault credential” object in my AWX 23.8.1 instance and was able to retreive the vault password with the following:

>>> from awx.main.utils import decrypt_field
>>> print(decrypt_field(Credential.objects.get(name="fake vault credential"), "vault_password"))
vault_foo_bar

Edit: for Source Control, I was similarly able to get the SSH Private Key, but there’s no passwords for my SCM so those fields are null.

>>> from awx.main.utils import decrypt_field
>>> print(decrypt_field(Credential.objects.get(name="Github - username"), "ssh_key_data"))

To see what fields are available, save your credential object to a var first.

>>> from awx.main.utils import decrypt_field
>>> foo_credential = Credential.objects.get(name="Github - username")
>>> foo_credential.display_inputs()
{'username': '<username>', 'ssh_key_data': '$encrypted$'}
>>> print(decrypt_field(foo_credential, "ssh_key_data"))

system · May 1, 2024, 2:36pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.