Single Encrypted Value

chris.he.kn · November 22, 2017, 8:27am

Hi

I am trying to add Single Encrypted Values to host variables in AWX - see http://docs.ansible.com/ansible/latest/playbooks_vault.html.

The UI errors with message

data : [object Object] status : 400 headers : function (name){if(headersObj||(headersObj=parseHeaders(headers)),name){var value=headersObj[lowercase(name)];return void 0===value&&(value=null),value}return headersObj} config : [object Object] statusText : BAD REQUEST xhrStatus : complete

if I use the example from the above ansible docs.
Anybody any idea how to get this working.

Regards

Chris

AlanCoding · November 27, 2017, 4:45pm

You can’t just paste in vaulted variables into the UI. We are working on allowing you to import vaulted variables within an inventory import, but that is still in-progress. This new feature would allow you to save vaulted variables inside of source control, and then import those variables into AWX. We are still unsure if we would have any obfuscation or encryption for those variables after they are imported. There are not any plans for a feature to allow manual copy and pasting of vault content into the UI for host/inventory/group variables.

Robin_Miller · November 29, 2017, 4:00pm

Huh - I hadn’t played with it yet but had assumed we could do this and was planning to use it. So, to clarify, we can’t use individual encrypted variable values on Inventory resources, but we can in individual Job Template Extra-Vars?

-R

AlanCoding · November 29, 2017, 7:39pm

I have not actually tested giving a job template variable a vault-encrypted value in the UI, but I suspect it would work. This is because Ansible core does all the magic for detecting individual vault variables, and the vault credential you attach enables the job to respond to the prompt for the vault password.

Inventory imports have an extra layer of indirection. They are invoked by an awx-manage command, which is a custom Django management command. My first attempt at this feature involved using python’s Popen to pass through any password prompts to the management command into the subprocess running ansible-inventory. We will still do something like this, but because there are multiple prompts for vault credentials in Ansible 2.4 (organized by vault id), we will need to use the full power of pexpect. That means that we’ll run ansible-inventory inside of the pexpect, inside of a management command inside of pexpect.

In summary, yes, I agree with what you are saying.

Bill_Nottingham1 · November 29, 2017, 7:55pm

Alan Rominger (arominge@redhat.com) said:

I have not actually tested giving a job template variable a vault-encrypted
value in the UI, but I suspect it would work. This is because Ansible core
does all the magic for detecting individual vault variables, and the vault
credential you attach enables the job to respond to the prompt for the
vault password.

IIRC, this doesn't work because something in the variable validation falls
over before it is saved. Haven't tried in the past couple of months, though.

Bill

Topic		Replies	Views
encrypted strings AWX Project awx	1	0	November 27, 2019
vault variable is not decrypted when using ansible_vault AWX Project awx	6	2	November 21, 2018
Problems with Vault in AWX Inventory AWX Project awx	3	2	August 24, 2022
"Decryption failed (no vault secrets were found that could decrypt)" AWX Project awx	4	10	July 20, 2023
can't add vault-encrypted vars to template AWX Project	1	0	March 21, 2019

Single Encrypted Value

Related topics