I have created a vault password in AWX and I would like to use it in a playbook.
Something like:

    - name: Backup AWX
      debug:
        msg: username=john password={{ ansible_vault_password }}

How do I do this?
Thanks
The vault password credential type allows you to decrypt vaults within your playbook.
Let’s say john’s password is asdf1234 and you want to use that in the task you presented.
First create a vault for john’s password like:

    echo -n 'asdf1234' | ansible-vault encrypt_string --ask-vault-pass
    New Vault password:
    Confirm New Vault password:
    Reading plaintext input from stdin. (ctrl-d to end input, twice if your content does not already have a newline)
    !vault |
          $ANSIBLE_VAULT;1.1;AES256
          30313764383134623834376663376435336330316134366562626464373738306239323633623963
          3763313333616166666134613138393739373933326338660a626562646136393864663064353134
          37623163336337333535353533303233366136326430373930623230356333343961336230633739
          3231376663343163330a363261376639313238656234393336386661363938643739663565346662
          3630
    Encryption successful

Note, this command asked me for a vault password. Here I entered something different than ‘asdf1234’, let’s say ‘qwerty1234’.
Now this vaulted text can be put into your playbook:

    - name: Run AWX backups
      hosts: my_backup_server
      vars:
        johns_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          30313764383134623834376663376435336330316134366562626464373738306239323633623963
          3763313333616166666134613138393739373933326338660a626562646136393864663064353134
          37623163336337333535353533303233366136326430373930623230356333343961336230633739
          3231376663343163330a363261376639313238656234393336386661363938643739663565346662
          3630
      tasks:
        - name: Backup AWX
          debug:
            msg: "username=john password={{ johns_password }}"

If you try to run this playbook without specifying the vault password you will get an error like:

    fatal: [localhost]: FAILED! => {"msg": "Attempting to decrypt but no vault secrets found"}

Now you can create your vault password credential in Tower giving it the password to unlock the vault (qwerty1234 in our example) and apply this credential to the job template.
AWX will pass the vault password into Ansible, Ansible will use the password to unlock the vault, and your playbook will now run:

    ok: [localhost] => {
        "msg": "username=john password=asdf1234"
    }

There are several ways to use vaults in your playbooks; I chose to embed them as vars in this example because it’s compact. See the documentation for other methods.
Ansible vault docs: https://docs.ansible.com/ansible/latest/user_guide/vault.html
Tower vault credential type: https://docs.ansible.com/ansible-tower/latest/html/userguide/credentials.html#vault
In addition, there are other credential types including custom credentials in AWX.
If you don’t want to use the vaulted method and instead want to embed a password as a variable directly as you did in your example, have a look at the custom credential types in AWX:
https://docs.ansible.com/ansible-tower/latest/html/userguide/credential_types.html
-John
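
A pre-flight check related to the reply above, added here as an example (it is not part of John's post and is not Ansible or AWX code): it tests whether a candidate vault password, the value you would store in the AWX vault credential, matches a vaulted string by verifying the envelope's HMAC, without decrypting anything. The function names and the sample envelope are constructed for illustration, and the sample's ciphertext is placeholder bytes rather than real AES output.

```python
import binascii
import hashlib
import hmac

def _keys(password, salt):
    # Vault AES256: PBKDF2-HMAC-SHA256, 10000 rounds, 80 bytes =
    # 32-byte AES key | 32-byte HMAC key | 16-byte CTR IV.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000, dklen=80)

def parse_envelope(vault_text):
    """Return (salt, mac, ciphertext) bytes from a 1.1/1.2 AES256 vault blob."""
    lines = [ln.strip() for ln in vault_text.strip().splitlines() if ln.strip()]
    fields = lines[0].split(";") if lines else []
    if len(fields) < 3 or fields[0] != "$ANSIBLE_VAULT" \
            or fields[1] not in ("1.1", "1.2") or fields[2] != "AES256":
        raise ValueError("not a supported Ansible vault envelope")
    try:
        # Body is hex(hex(salt) \n hex(mac) \n hex(ciphertext)), wrapped at 80 cols.
        inner = binascii.unhexlify("".join(lines[1:]))
        salt, mac, ct = (binascii.unhexlify(p) for p in inner.split(b"\n", 2))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("malformed vault body") from exc
    return salt, mac, ct

def password_matches(vault_text, password):
    """True if `password` authenticates the blob (HMAC check only, no decryption)."""
    salt, mac, ct = parse_envelope(vault_text)
    expected = hmac.new(_keys(password, salt)[32:64], ct, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)

def build_sample(password, ct):
    """Constructed envelope for the demo; `ct` is placeholder bytes, not AES output."""
    salt = bytes(range(32))  # fixed salt so the sample is reproducible
    mac = hmac.new(_keys(password, salt)[32:64], ct, hashlib.sha256).digest()
    inner = b"\n".join(binascii.hexlify(p) for p in (salt, mac, ct))
    body = binascii.hexlify(inner).decode()
    rows = [body[i:i + 80] for i in range(0, len(body), 80)]
    return "$ANSIBLE_VAULT;1.1;AES256\n" + "\n".join(rows)

# Constructed sample, indented the way it would sit under a playbook var.
SAMPLE = "\n".join("      " + r for r in build_sample("qwerty1234", bytes(16)).splitlines())

if __name__ == "__main__":
    print(password_matches(SAMPLE, "qwerty1234"))  # the vault password
    print(password_matches(SAMPLE, "asdf1234"))    # the secret is not the vault password
```

Feed it the text that follows `!vault |` in the playbook; a mismatch here means the credential attached to the job template will not unlock that value.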
works brilliantly, thank you