Hello,
In my playbook I’m using the hashi_vault lookup. According to the specification of the plugin, one way to authenticate against vault is to use the VAULT_TOKEN environment variable (see https://docs.ansible.com/ansible/latest/plugins/lookup/hashi_vault.html)
As there is no way to modify the environment variables during an Ansible play, I wonder how I can set this variable in AWX for a job. You can use a functionality called Survey, but it prompts for this before each run.
Ideally, the VAULT_TOKEN is stored in a file with privileged access only, or stored as a credential in AWX.
How can this be achieved?
Thanks for any input on this subject.
//Jan
I haven’t tried this myself, but I’d imagine using the HashiCorp Vault Secret Lookup credential type and attaching it to the template would expose the token to the job.
https://docs.ansible.com/ansible-tower/latest/html/userguide/credential_plugins.html#hashicorp-vault-secret-lookup
This will likely require a custom credential type to inject the VAULT_ADDR and VAULT_TOKEN values as environment vars during a job template run. The approach is described in this blog post: https://www.ansible.com/blog/ansible-tower-feature-spotlight-custom-credentials
The newer, built-in HashiCorp Vault Secret Lookup credential type works by being “linked” to another credential type as an input source for specific fields, as described here: https://docs.ansible.com/ansible-tower/3.6.2/html/userguide/credential_plugins.html#configure-and-link-secret-lookups
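The custom credential type approach described above, written out as an added example (not from this thread or the linked blog post): the input and injector configuration that AWX asks for when defining the type, followed by a play that uses the injected variables through the hashi_vault lookup. The field ids, labels and the secret path `secret/hello` are assumptions for illustration.

```yaml
# --- Custom credential type: "Input configuration" field in AWX ---
# Defines what the user enters when creating a credential of this type.
# "secret: true" makes AWX store the token encrypted and never echo it in the UI.
fields:
  - id: vault_addr
    type: string
    label: Vault Address
  - id: vault_token
    type: string
    label: Vault Token
    secret: true
required:
  - vault_addr
  - vault_token

---
# --- Custom credential type: "Injector configuration" field in AWX ---
# Maps the stored fields onto environment variables for the job run.
# The hashi_vault lookup reads VAULT_ADDR and VAULT_TOKEN from the environment.
env:
  VAULT_ADDR: '{{ vault_addr }}'
  VAULT_TOKEN: '{{ vault_token }}'

---
# --- Playbook run from a job template with the credential attached ---
# The token never appears in the playbook or inventory; it only exists in the
# job's environment. no_log keeps the retrieved value out of the job output.
- hosts: localhost
  gather_facts: false
  tasks:
    - name: Read a value from Vault using the injected token (path is assumed)
      set_fact:
        db_password: "{{ lookup('hashi_vault', 'secret=secret/hello:value') }}"
      no_log: true

    - name: Confirm the secret was retrieved without printing it
      debug:
        msg: "Secret retrieved, length {{ db_password | length }}"
```

Remember that the credential must also be attached to the job template (or selected when launching the job) or the env block is never injected.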
@Ryan
Perfect, the blog post explains how to perform just that. It works like a charm. Thanks a lot!
//Jan
Hi, did you add the credential to the job itself?
Edit the job and on the credentials field add the same.
Thanks, I missed that obvious part of the equation. It works as intended.
//Jan