Permit vaulted passwords in extra variables via Tower

I’m using Tower 3.6.2 with Ansible 2.9.2.
I have a “credential” with a vault password and have it associated with a template. I’m trying to add a vaulted variable as an extra variable at either the inventory or template. I use the following to create:

echo -n 'password' | ansible-vault encrypt_string --stdin-name 'variable_name'

which gives:

cmdb_client_secret: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          65313832653034653135666634623466313430336361326261396230633031396431373561623036
          61323136633637333035383536333561306

TOWER EXTRA VARIABLE:

{
  "cmdb_client_secret": {
    "__ansible_vault": "!vault | $ANSIBLE_VAULT;1.1;AES256 663835616563613939386664626537356238623762383365393…"
  }
}

I’ve tried adding it as JSON in Tower and it accepts it, but it’s not decrypted. I see it uses the exact string instead. I’ve tried with and without the __ansible_vault (as per above). It works if I enter it into the playbook, but this is problematic as I have dev, QA and prod environments with different url/username/pw.

How do I enter it so that it’s decrypted?

There is a vault credential type in Tower. You should:

  • create a vault credential using the vault password needed to decrypt the secret you’re using in the playbook / vars.
  • assign that vault credential to the job template(s) you use to run the playbook
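
Added example (not part of the thread, and not Ansible or Tower code): a Python check of whether a string has the shape of an ansible-vault envelope like the one encrypt_string printed in the question, which tells the multi-line form apart from a value flattened onto one line or still carrying the `!vault |` YAML tag. The sample envelope is constructed from random bytes and the function names are hypothetical; the check does not decrypt anything and says nothing about whether Tower decrypts extra variables.

```python
import binascii
import os

HEADER = "$ANSIBLE_VAULT"


def parse_vault_envelope(text):
    """Return header fields and payload sizes, or raise ValueError."""
    lines = text.strip().splitlines()
    # Vault data is recognised by its first bytes; a leading YAML tag hides it.
    if not lines or not lines[0].startswith(HEADER):
        raise ValueError("value does not start with the $ANSIBLE_VAULT header")
    fields = lines[0].strip().split(";")
    if len(fields) not in (3, 4):
        raise ValueError("header must be $ANSIBLE_VAULT;version;cipher[;vault-id]")
    version, cipher = fields[1], fields[2]
    if cipher != "AES256":
        # A flattened value ends up here: the hex is glued to the cipher name.
        raise ValueError("unexpected cipher field: %r" % cipher[:20])
    body = "".join(line.strip() for line in lines[1:])
    if not body:
        raise ValueError("no hex payload after the header line")
    try:
        # The body is hex of: hex(salt) \n hex(hmac) \n hex(ciphertext)
        inner = binascii.unhexlify(body)
        salt, hmac, ciphertext = [binascii.unhexlify(p) for p in inner.split(b"\n")]
    except ValueError as exc:
        raise ValueError("payload is not hex(salt/hmac/ciphertext): %s" % exc) from exc
    return {"version": version, "cipher": cipher, "salt_len": len(salt),
            "hmac_len": len(hmac), "ciphertext_len": len(ciphertext)}


def build_sample_envelope():
    """Constructed sample: random bytes in the vault layout, not real ciphertext."""
    parts = [os.urandom(32), os.urandom(32), os.urandom(16)]
    inner = b"\n".join(binascii.hexlify(p) for p in parts)
    body = binascii.hexlify(inner).decode()
    wrapped = "\n".join(body[i:i + 80] for i in range(0, len(body), 80))
    return HEADER + ";1.1;AES256\n" + wrapped


if __name__ == "__main__":
    good = build_sample_envelope()
    flattened = "!vault | " + good.replace("\n", " ")
    for label, value in (("multi-line", good), ("flattened", flattened)):
        try:
            print(label, "->", parse_vault_envelope(value))
        except ValueError as err:
            print(label, "-> rejected:", err)
```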