Individual host credentials using custom plugin!


Has anyone created a custom credential plugin of any kind for AWX running execution environments?

More specifically, I’m wondering if anyone has handled target hosts with unique credentials. I know ansible-runner allows for creating a host_vars directory with host creds, but I’m wondering how that works with AWX. I assume the credential plugin would have to live on the EE and write those unique files, but how can one actually test easily without having to rebuild the EE each time a change is made to the plugin? I’d assume if the plugin is only on the controller it couldn’t write to the EE, so I’m not sure how each host’s credential would be set. I have hosts that are part of the same cluster but all have unique credentials, and we can’t use SSH keys or service accounts. Only OS-level accounts.

Currently the credential plugins are embedded into AWX itself so you’d have to provide a custom AWX web container image containing your plugin. The real limit is that we are only able to provide a single machine credential backed by a credential plugin to a job.

You could write a vars plugin though and embed that into your EE. That would replicate the host_vars behavior from runner and does have some interesting legs. This is definitely a common ask.
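As an added example (not code from this thread, AWX, or ansible-runner), a vars plugin of the kind suggested above could set per-host connection variables from inside the EE. The `HOST_CREDS_FILE` environment variable, the file name, and the JSON layout are assumptions made for illustration; the file is rejected if group or other users can access it.

```python
# vars_plugins/per_host_creds.py: added example; names and file layout are assumptions
import json
import os
import stat

try:
    from ansible.inventory.host import Host
    from ansible.plugins.vars import BaseVarsPlugin
except ImportError:  # lets the helpers below be tested where Ansible is absent
    Host, BaseVarsPlugin = None, object

CREDS_ENV = "HOST_CREDS_FILE"  # hypothetical variable name (assumption)


def load_host_creds(path):
    """Load {"<host>": {"user": ..., "password": ...}} from a JSON file."""
    # Refuse a secrets file that group or other users can access.
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} must be accessible by its owner only")
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    if not isinstance(data, dict):
        raise ValueError("credential file must be a JSON object keyed by host")
    return data


def vars_for_host(creds, hostname):
    """Map one host's entry to connection variables; unknown hosts get none."""
    entry = creds.get(hostname)
    if not entry:
        return {}
    return {"ansible_user": entry["user"], "ansible_password": entry["password"]}


class VarsModule(BaseVarsPlugin):
    def get_vars(self, loader, path, entities, cache=True):
        super().get_vars(loader, path, entities)
        creds_path = os.environ.get(CREDS_ENV)
        if not creds_path:
            return {}  # nothing injected for this job: contribute no variables
        creds = load_host_creds(creds_path)
        merged = {}
        for entity in entities if isinstance(entities, list) else [entities]:
            if Host is not None and isinstance(entity, Host):
                merged.update(vars_for_host(creds, entity.name))
        return merged
```

Hosts missing from the file receive no variables from this plugin, so whatever credential the job already carries still applies to them.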

I was able to follow the ansible/awx-custom-credential-plugin-example repository on GitHub (an example custom credential plugin for Ansible AWX and Red Hat Ansible Tower) and get a custom plugin to show up in AWX. I used it once and saw that it logged output. I made an update to the code, updated the version, and now it doesn’t seem to run at all. It seems very clunky trying to manage custom plugins. I know I could use a lookup plugin, but I don’t want to update 100s of playbooks, as depending on the user they may or may not be able to use their creds vs. trying to pull from our custom vault.