Including a Credential to the template during execution (Run Only)

Hi all,
Greetings … My first post here

I am looking for help with the features available in AWX V 24.0.0.

I have a Credential of “Private-key from file” “key1” which is used by template “Template1”.

I used to rotate the contents of key1 with an Ansible playbook using the awx.awx.credential module.
To have a backup of key1, which is required for the execution of another template “Template2”, key2 is created before the Ansible playbook is executed and the contents of key1 are rotated (i.e. a copy of key1 is made in key2 using copy_from of awx.awx.credential before it is renewed).

The credential key2 is to be used by template “Template2”, which is also working.
However, the challenge is that:

  1. The copy_from of the awx.awx.credential module does not update the contents if key2 already exists. (No Override/Overwrite option??)
    Only a new key2 is created every time. (I have to configure/attach the credential key2 at the execution of “Template2”.)

  2. Is it possible to attach the credential “key2” (not manually) to “Template2” using curl/API during execution only?
    I mean the Credential “key2” needs to be part of “Template2” during execution, as key2 will be created 5 minutes before the start of the “Template2” execution.

    OR

  3. Is there a way to read the contents of the Credential of “Private-key from file” “key1” and write them to a file “mykey.pem” in the Execution Environment?
    This will help me to clear all my challenges, so that I can write the contents to “key2” using the API and the URI module.

Hi there!

To answer the question, from what I know, AWX/AAP Controller will guard whatever key is stored and I’m pretty sure it’s a one-way street, you can only put secrets in and use them, but you cannot get them out.

That said, why don’t you flip it around? Instead of trying to manage existing keys in your AWX instance with Ansible, use Ansible to manage the available keys in your AWX instance.

I’ve set up my AAP controllers (I work in a MST for multiple clients) with this role GitHub - Thulium-Drake/ansible-role-aap_controller: Ansible Automation Platform Controller as code, powered by Ansible (it also should work on AWX :wink: ), where the rule is: “If it isn’t in Ansible, it doesn’t exist”.

This will also help you in case your AWX instance gets borked by whatever reason, or, like in my case, you need to deploy a new/second one with the same baseline configuration already present.


Thanks. I will try to understand your use-case GitHub - Thulium-Drake/ansible-role-aap_controller: Ansible Automation Platform Controller as code, powered by Ansible, and re-use it for my requirement.

In between, I am trying to get the below curl command to succeed, where the AWX job is not reading the credentials which I am passing.

curl -k -s --header 'Authorization: Bearer XXXXqviguXXXXXXXXXXX' -X POST -H "Content-Type: application/json" "https://myawx.net/api/v2/job_templates/15/launch/" --data '{ "extra_vars": {"machineName": "10.x.x.20", "credentials": [ {"name": "pub-key2", "kind": "public-key"}, {"name": "pri-key2", "kind": "Private key to tmpfile"} ] }}'
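
An added example, not part of the thread or of AWX itself: the launch endpoint takes `credentials` as a top-level list of integer credential IDs beside `extra_vars`, and honors it only when the template prompts for credentials on launch. The helper names, the `AWX_TOKEN` environment variable and the sample IDs are assumptions; the host and credential names come from the post.

```python
import json
import os
import urllib.parse
import urllib.request

AWX = "https://myawx.net"  # host from the post; token comes from AWX_TOKEN (assumed name)


def api(path, body=None):
    """GET, or POST JSON when body is given. TLS verification stays on (no -k)."""
    req = urllib.request.Request(
        AWX + path,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": "Bearer " + os.environ["AWX_TOKEN"],
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def resolve_id(name, listing):
    """Return the ID of the single credential called name in a credentials listing."""
    ids = [c["id"] for c in listing["results"] if c["name"] == name]
    if len(ids) != 1:
        raise LookupError(f"{name!r}: expected 1 credential, found {len(ids)}")
    return ids[0]


def launch_body(launch_info, cred_ids, extra_vars):
    """Build the launch body; credentials sits beside extra_vars, as integer IDs."""
    if not launch_info["ask_credential_on_launch"]:
        raise ValueError("enable 'Prompt on launch' for credentials on the template")
    return {"credentials": cred_ids, "extra_vars": extra_vars}


def launch(template_id, cred_names, extra_vars):
    """Resolve names to IDs, check the template's launch settings, then launch."""
    ids = [resolve_id(n, api("/api/v2/credentials/?name=" + urllib.parse.quote(n)))
           for n in cred_names]
    info = api(f"/api/v2/job_templates/{template_id}/launch/")
    job = api(f"/api/v2/job_templates/{template_id}/launch/",
              launch_body(info, ids, extra_vars))
    return job["job"], job.get("ignored_fields", {})


if __name__ == "__main__":
    # Constructed sample responses, so this part runs offline.
    listing = {"count": 1, "results": [{"id": 42, "name": "pri-key2"}]}
    body = launch_body({"ask_credential_on_launch": True},
                       [resolve_id("pri-key2", listing)], {"machineName": "10.x.x.20"})
    print(json.dumps(body))
```

A non-empty `ignored_fields` in the launch response means AWX dropped something from the request, which is worth checking before assuming the job ran with the new key.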