How to use vault with AWX?

Hi,
I have a vault.yml file and when I run a playbook from AWX that refers to a variable from the vault file, I get an error telling me that the variable can’t be found. How can I use a vault in AWX?

You’ll need to set up a vault credential and associate it with the job template that you are running.

I forgot to mention it, but I already have the vault credential set up and associated with my job template. Is there a precise folder where I should put the vault.yml file? For now, I have put it in the group_vars/all subdirectory of my inventory. Is it OK?

All you should need to do is stick it in a location that ansible would normally load vars from. Or if that’s not possible, include it directly.

What do you mean “include it directly”?

Since I am able to run my playbooks manually on the server, it means that my vault.yml is loaded…
Here is the output from AWX:

TASK [deploy_scripts : Create the SSH private key file] ************************

fatal: [cls1-labo-04.capitale.qc.ca]: FAILED! => {"failed": true, "msg": "the field 'args' has an invalid value, which appears to include a variable that is undefined. The error was: 'vault_auto_it_bitbucket_private_key' is undefined\n\nThe error appears to have been in '/var/lib/awx/projects/_6__conformite/roles/deploy_scripts/tasks/deploy_scripts.yml': line 68, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Create the SSH private key file\n ^ here\n"}

And here is the validation that the variable exists in the vault.yml file:

ansible-vault view /data/jfanctil/projects/ansible-inventory/inventories/group_vars/all/vault.yml| grep vault_auto_it_bitbucket_private_key
Vault password:
vault_auto_it_bitbucket_private_key: |

What am I doing wrong?

FYI: my setup is like this: I have 2 projects: one for my playbooks and one for my inventory. So, my template is bound to the playbooks’ project and my vault.yml resides in the inventory’s project. Could it be the problem?

Yep, the two project setup is a problem for your use case. The vault file needs to live in the same repo as your playbook. Once you do that, you can use a machine credential, associated with your job template, that contains your vault password.

http://docs.ansible.com/ansible-tower/latest/html/userguide/credentials.html#machine

Jean-Francois Anctil (anctil.jeff@gmail.com) said:

I forgot to mention it, but I already have the vault credential set up
and associated with my job template. Is there a precise folder where I should
put the vault.yml file? For now, I have put it in the group_vars/all
subdirectory of my inventory. Is it OK?

Are you using inventory from a project? Inventory from a project does not
currently support vaulted variables.

Bill

Yes, that’s what I am using, because I didn’t find a way to retrieve my inventory from an on-premises git repository. The only options available for sources are “solutions” ones. Our inventory is stored in a git repository and that’s why I used a project to retrieve it… Do you have another idea on how we should do it?

It works when running it manually:

awx-manage inventory_import --inventory-id={{id}} --source inventory/ --overwrite --overwrite-vars
If you have a local ansible.cfg with the setting for vaultpassword-file it will actually use that.

Unfortunately, this means it is no longer a dynamic inventory.

It sounds like your question comes down to this enhancement issue that we have open.

https://github.com/ansible/awx/issues/223

The need for this is new with the introduction of SCM-based inventory, and ansible-inventory allows for it. I’m very excited about adding this, but we still need to pass through the data in a secure way from the code that runs the task to the inventory import management command. So there is work to be done.

Until that’s done, you might also be able to accomplish your overall goal using the custom credential type injection methods - you save your secret data in a credential, and use it in the script.

Alan
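As an added example (not from the thread or the AWX project), here is what the custom credential type Alan mentions could look like for this case. It assumes a field id of bitbucket_private_key and reuses the variable name vault_auto_it_bitbucket_private_key from the job output above, so the deploy_scripts role needs no change; the AWX UI takes the two documents as separate "Input configuration" and "Injector configuration" fields.

```yaml
# Custom credential type for AWX (added example, not the thread's own config).
# Document 1 is the Input configuration, document 2 the Injector configuration.
# The field id "bitbucket_private_key" is an assumption.
---
# Input configuration
fields:
  - id: bitbucket_private_key
    type: string
    label: Bitbucket deploy key (private)
    secret: true      # stored encrypted by AWX and masked in job output
    multiline: true   # a PEM private key spans several lines
required:
  - bitbucket_private_key
---
# Injector configuration
# 1) Expose the secret under the variable name the role already expects,
#    which replaces the vaulted variable that the inventory project cannot supply.
extra_vars:
  vault_auto_it_bitbucket_private_key: "{{ bitbucket_private_key }}"
# 2) Alternatively, have AWX write the key to a temporary file that exists
#    only for the duration of the job and pass its path in an environment variable.
file:
  template: "{{ bitbucket_private_key }}"
env:
  BITBUCKET_KEY_FILE: "{{ tower.filename }}"
```

Create a credential of this type holding the key and attach it to the job template next to the machine credential; the secret then reaches the playbook without any vault.yml in either project.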