How to use an inventory variable in a lookup of aws secret?

I am trying to look up an aws_secret using the lookup functionality, but I want the path to the secret I look up to come from an inventory variable. That way I can have a different secret for each environment (dev, stage, prod) and look up the appropriate secret.

For example, I have an inventory variable that looks like this:
db_password_path=dev/db_password

And a lookup that looks like:
"{{ lookup('amazon.aws.aws_secret', '' + db_password_path ) }}"

When I run my playbook I get this error:

objc[21349]: +[__NSCFConstantString initialize] may have been in progress in another thread when fork() was called. We cannot safely call it or ignore it in the fork() child process. Crashing instead. Set a breakpoint on objc_initializeAfterForkError to debug.
ERROR! A worker was found in a dead state

I have never used an AWS Secret with a / in the name - to be clear, the name of your AWS Secret is dev/db_password?

If so, maybe that variable needs quotes? Maybe it should be:

db_password_path="dev/db_password"

I use a lookup like this that works fine - ansible_user: "{{ lookup('amazon.aws.aws_secret', 'ansibleTEST.user', region='us-east-1', nested=true) }}" - where ansibleTEST is the name of my AWS Secret document, and user is the secret I am looking up.

Yes, most of our AWS Secrets have a / in the name. And that doesn’t appear to be the problem here. I did try putting quotes around the secret name as suggested, same error message.
If I understand correctly the difference between your example and my use case is that “ansibleTest” is the literal name of your secret. I want db_password_path to dereference to the value “dev/db_password” which is the literal name of my secret. And I am getting a runtime error that is causing the python code to crash.

Yeah, unfortunately I can’t help with the runtime error…

I would try hard-coding the value in, to ensure that the lookup works - at least that will narrow down the issue to the variable.

I have used the same format with a variable:

aws_secrets_user: "{{ lookup('amazon.aws.aws_secret','{{ aws_secret_name }}.user', region='us-east-1', nested=true) }}"

That also works fine for me…
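As an added example (not part of any reply in this thread): one way to lay out a per-environment secret path and look it up, passing the inventory variable straight to the lookup as a Jinja expression and setting `no_log` so the secret value stays out of task output. The file paths, `aws_region` and `db_password` are assumed names; `db_password_path` and its value come from the question.

```yaml
# inventories/dev/group_vars/all.yml  (hypothetical path; stage and prod
# each get their own file with their own value)
db_password_path: dev/db_password
---
# playbook.yml  (hypothetical)
- name: Read the per-environment database password
  hosts: all
  gather_facts: false
  vars:
    aws_region: us-east-1   # assumed region, same as in the reply above
  tasks:
    - name: Fail early if the inventory did not set a secret path
      ansible.builtin.assert:
        that:
          - db_password_path is defined
          - db_password_path | length > 0
        fail_msg: "db_password_path is not set for this inventory"

    - name: Look up the secret named by the inventory variable
      ansible.builtin.set_fact:
        # The variable is referenced directly inside the expression,
        # so no string concatenation or nested braces are needed.
        db_password: "{{ lookup('amazon.aws.aws_secret', db_password_path, region=aws_region) }}"
      no_log: true          # keep the secret out of task output and logs

    - name: Confirm a non-empty value came back without printing it
      ansible.builtin.assert:
        that:
          - db_password | length > 0
        quiet: true
      no_log: true
```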

Thank you for that snippet of code. That gives me hope that I might be able to get this to work. I did hard code the variable name and I get the same error. So now I’m not sure what is causing it. Will have to keep digging into it.

This is a known issue with running Ansible on MacOS, not anything to do with using inventory variables.

https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#running-on-macos-as-a-control-node


Thank you. This post probably saved me a bunch more time trying to figure out the issue. That recommendation did get me past this problem and on to the next one.

Cool, glad we could help. To help others using the forum, you can mark this as solved and choose whichever comment resolved the issue.
