Is there a way to decrypt the AWX Vault password that is encrypted if the copy of the plain-text password is lost? We somehow need to decrypt it first, as it is the master password with which we encrypted all our playbooks. We are not using any password file in the configuration.
We have 2 types of credentials: 1) Credential type Vault, which was used to encrypt the vault password; 2) SSH keys of category Machine type, to encrypt the private key.
We need to somehow reset or decrypt the vault password to decrypt the SSH keys.
Also, where can I find ansible.cfg, as my Ansible is running as a Docker instance in AWX?
First, I want to preface that AWX is not a Secrets Manager. It does have a Secrets Vault, and it integrates well with external SM’s, but it doesn’t provide you with any direct way to expose its stored secrets. It isn’t meant to be used that way.
Second, AWX doesn’t provide any way to retrieve encrypted secrets as plaintext, but in some cases you can deliberately expose them in a carefully constructed playbook that echoes the variables to stdout. However, there isn’t a way to expose the Vault password secret itself as plaintext as far as I can tell. Ansible doesn’t provide a way to do that, and AWX sends it as a stdin reply to --ask-vault-pass on job invocation; so there’s no variable or even a vault-password-file to expose.
Now, provided that you still have the vault password saved as an AWX Credential, you can expose your ansible-vaulted secrets in your playbooks like I described above to recover them, and re-encrypt them under a new and known vault password (store this in a proper external Secrets Manager!).
If you have already modified or deleted that vault credential in AWX, then you’re probably SoL. If you have routine backups of the Postgres DB, you might be able to restore an old backup to restore the credential, but you would still need to decrypt/re-encrypt your secrets with a new and known vault password.
Edit:
If you don’t know the password because it was created by an ex-employee, then there may be some hope in a little forensics. They might have created a vault-password-file and saved it somewhere on their Linux work computer, and then pointed to it in ansible.cfg (or if they only passed it on the CLI, that might be visible in their bash history).
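The search suggested in the edit above, as an added example that is not part of the original reply: a Python sketch that pulls the `vault_password_file` setting out of an ansible.cfg and lists vault password sources referenced in a shell history (`--vault-password-file`, `--vault-pass-file`, `--vault-id`, `ANSIBLE_VAULT_PASSWORD_FILE`). The function names and both sample inputs are constructed for illustration.

```python
import configparser
import shlex

# Real Ansible CLI options that name a vault password source.
VAULT_FLAGS = ("--vault-password-file", "--vault-pass-file", "--vault-id")

# Constructed sample inputs (not taken from any real system).
SAMPLE_CFG = """\
[defaults]
inventory = ./hosts
vault_password_file = ~/.ansible/vault_pass  ; set by previous admin
"""
SAMPLE_HISTORY = """\
cd ~/playbooks
ansible-playbook site.yml --vault-password-file ~/.vault_pass.txt
ansible-vault view --vault-id prod@/home/user/.prod_vault vault.yml
ansible-playbook site.yml --ask-vault-pass
export ANSIBLE_VAULT_PASSWORD_FILE=/opt/ansible/.vp
ansible-vault edit --vault-id dev@prompt secrets.yml
"""

def vault_file_from_cfg(cfg_text):
    """Return [defaults] vault_password_file from ansible.cfg text, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=(";",))
    cp.read_string(cfg_text)
    return cp.get("defaults", "vault_password_file", fallback=None)

def vault_sources_from_history(history_text):
    """Return (line_number, path) for each vault password source in history."""
    hits = []
    for no, line in enumerate(history_text.splitlines(), 1):
        try:
            tokens = shlex.split(line)
        except ValueError:          # unbalanced quotes in a history line
            tokens = line.split()
        for i, tok in enumerate(tokens):
            flag, sep, value = tok.partition("=")
            if flag in VAULT_FLAGS and not sep:   # "--flag value" form
                value = tokens[i + 1] if i + 1 < len(tokens) else ""
            elif flag not in VAULT_FLAGS and flag != "ANSIBLE_VAULT_PASSWORD_FILE":
                continue
            if flag == "--vault-id":              # label@source: keep the source
                value = value.rpartition("@")[2]
            if value and value != "prompt":       # "prompt" means typed interactively
                hits.append((no, value))
    return hits

if __name__ == "__main__":
    print("ansible.cfg:", vault_file_from_cfg(SAMPLE_CFG))
    for no, path in vault_sources_from_history(SAMPLE_HISTORY):
        print(f"history line {no}: {path}")
```

To use it on real data, pass the contents of the recovered ansible.cfg and `.bash_history` files in place of the sample strings; the output is a list of paths to check, not the password itself.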
Apologies for the late reply. I can’t find the awx-manage command. Btw, our AWX environment is running on Docker instances. I tried to install awx-manage from the repos (RHEL8) but can’t find it.
Thanks @Denney-tech @Klaas. I’m able to retrieve the key which was of credential type “Machine”, but trying to retrieve the vault password is failing. Can you help me with the command to retrieve the encrypted credentials of type “Vault” as well as “Source Control”?