Sam2
(Sam)
November 20, 2018, 12:31pm
1
Hello Everyone,
In my case I am trying to pass my password to a command, thus I am using vault encrypt_string. I followed the steps as in:
GitHub issue: opened 05:05PM - 20 Sep 17 UTC, closed 07:46PM - 01 Aug 18 UTC; labels: type:enhancement, component:api, component:ui
##### ISSUE TYPE
- Bug Report
##### COMPONENT NAME
- API
##### SUMMARY
AWX inventory source can't handle Vault encrypted secrets for the simple ini-like inventory ("Sourced from the project" in the UI).
For example, I have an ini-like inventory and a few variables in the `group_vars` that are encrypted with Ansible Vault (like in [this example repo](https://github.com/dzeban/example-ansible-vault-inventory)). When I add this inventory source and try to sync it I get the following error:
```
2017-09-20 11:45:09,104 INFO awx.main.commands.inventory_import Updating inventory 2: Production
2017-09-20 11:45:09,114 DEBUG awx.main.commands.inventory_import Using backported ansible-inventory module: /usr/lib/python2.7/site-packages/awx/plugins/ansible_inventory/backport.py
2017-09-20 11:45:09,114 INFO awx.main.commands.inventory_import Reading Ansible inventory source: /var/lib/awx/projects/_6__myproj/inventory
2017-09-20 11:45:09,114 INFO awx.main.commands.inventory_import Command: ['/usr/lib/python2.7/site-packages/awx/plugins/ansible_inventory/backport.py', '-i', '/var/lib/awx/projects/_6__myproj/inventory']
Traceback (most recent call last):
File "/usr/bin/awx-manage", line 9, in <module>
load_entry_point('awx==1.0.0.487', 'console_scripts', 'awx-manage')()
File "/usr/lib/python2.7/site-packages/awx/__init__.py", line 107, in manage
execute_from_command_line(sys.argv)
File "/var/lib/awx/venv/awx/lib/python2.7/site-packages/django/core/management/__init__.py", line 354, in execute_from_command_line
utility.execute()
File "/var/lib/awx/venv/awx/lib/python2.7/site-packages/django/core/management/__init__.py", line 346, in execute
self.fetch_command(subcommand).run_from_argv(self.argv)
File "/var/lib/awx/venv/awx/lib/python2.7/site-packages/django/core/management/base.py", line 394, in run_from_argv
self.execute(*args, **cmd_options)
File "/var/lib/awx/venv/awx/lib/python2.7/site-packages/django/core/management/base.py", line 445, in execute
output = self.handle(*args, **options)
File "/var/lib/awx/venv/awx/lib/python2.7/site-packages/django/core/management/base.py", line 661, in handle
return self.handle_noargs(**options)
File "/usr/lib/python2.7/site-packages/awx/main/management/commands/inventory_import.py", line 956, in handle_noargs
self.is_custom)
File "/usr/lib/python2.7/site-packages/awx/main/management/commands/inventory_import.py", line 211, in load_inventory_source
is_custom=is_custom).load()
File "/usr/lib/python2.7/site-packages/awx/main/management/commands/inventory_import.py", line 180, in load
data = self.command_to_json(base_args + ['--list'])
File "/usr/lib/python2.7/site-packages/awx/main/management/commands/inventory_import.py", line 163, in command_to_json
self.method, proc.returncode, stdout, stderr))
RuntimeError: ansible-inventory backport failed (rc=1) with stdout:
stderr:
ERROR! Decryption failed on /var/lib/awx/projects/_6__myproj/inventory/group_vars/aws/credentials.yml
```
You can't set a Vault credential for the inventory source - trying to add it via the UI shows a "NO CREDENTIALS HAVE BEEN CREATED" window. Even if you set the Vault credential by typing its name in the input field, it's still not used - I get the same error.
##### ENVIRONMENT
* AWX version: 1.0.0.487
* Ansible version: 2.3.2.0
* Operating System: Debian 8
* Web Browser: Google Chrome 61
##### ADDITIONAL INFORMATION
I'll gladly help with fixing this if somebody would give me some hints. I've tried to hack the patch by myself but I can't figure out how to pass vault credential from `RunInventoryUpdate` task to the `inventory_import.py` management command.
1- I have a vault credential with the same Vault ID I used to encrypt my password
2- the variable is defined in the template extra variables:
However, the secret is not decrypted; I tried to print the var and it is printing the encrypted value:
```
"secret_var_name": {
    "__ansible_vault": "$ANSIBLE_VAULT;1.2;AES256;samer\n38376137646163323539306639336232623239306661346364663439393838666231346433306364\n6361333538373761376435343335613830623837623664610a643938616264346436633137376263\n31616434363032326465633830316366383136343062383661383435636630346233353262643535\n3537383466393766300a616166346634393336336436636133356565363034653737373936363834\n3733"
}
```
AlanCoding
(Alan Rominger)
November 20, 2018, 1:38pm
2
You cannot use this feature with job template extra_vars. This is because we do a behind-the-scenes YAML conversion without the needed mock-object utilities in the decoders / encoders. I have a proposed fix at:
https://github.com/ansible/awx/pull/2297
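A pre-flight check for the JSON form of extra_vars shown in the first post, added here as an example (not AWX's or Ansible's own code): it walks the extra_vars for `__ansible_vault` markers, parses each blob's header for the format version and Vault ID, and lists secrets whose ID matches none of the vault credentials attached to the template. The sample extra_vars and its hex payloads are constructed placeholders.

```python
import json
import re

# Constructed extra_vars in the JSON form from the first post; hex payloads are made-up placeholders.
EXTRA_VARS_JSON = """{
  "plain_var": "hello",
  "secret_var_name": {"__ansible_vault": "$ANSIBLE_VAULT;1.2;AES256;samer\\n3837613764\\n6361333538"},
  "db": {"password": {"__ansible_vault": "$ANSIBLE_VAULT;1.1;AES256\\n3161643436"}}
}"""

# Vault header: format 1.1 carries no vault id; 1.2 appends one (here "samer").
HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);AES256(?:;(?P<vault_id>[^;\n]+))?$")

def parse_vault_blob(blob):
    """Return (version, vault_id) from a $ANSIBLE_VAULT blob; vault_id is None for 1.1."""
    header, _, payload = blob.partition("\n")
    m = HEADER_RE.match(header)
    if m is None:
        raise ValueError(f"not a vault header: {header!r}")
    body = payload.replace("\n", "")
    if not body or not set(body) <= set("0123456789abcdef"):
        raise ValueError("vault payload is not lowercase hex")
    return m.group("version"), m.group("vault_id")

def find_vault_refs(obj, path=""):
    """Walk decoded extra_vars and collect (path, version, vault_id) for every
    {"__ansible_vault": ...} marker, the JSON form of a !vault-tagged value."""
    refs = []
    if isinstance(obj, dict):
        if set(obj) == {"__ansible_vault"}:
            refs.append((path,) + parse_vault_blob(obj["__ansible_vault"]))
        else:
            for key, value in obj.items():
                refs.extend(find_vault_refs(value, f"{path}.{key}" if path else key))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            refs.extend(find_vault_refs(value, f"{path}[{i}]"))
    return refs

def unmatched_vault_ids(extra_vars_json, credential_ids):
    """Map variable path -> vault id for each secret whose id matches no attached
    vault credential (1.1 blobs count as "default"). Ansible still tries every secret
    it holds unless vault_id_match is on, so treat a hit as a pre-flight warning."""
    unmatched = {}
    for path, _version, vault_id in find_vault_refs(json.loads(extra_vars_json)):
        wanted = vault_id or "default"
        if wanted not in credential_ids:
            unmatched[path] = wanted
    return unmatched
```

Run `unmatched_vault_ids(EXTRA_VARS_JSON, {"samer"})` before launching to see which variables would need a credential you have not attached.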
Sam2
(Sam)
November 20, 2018, 2:04pm
3
Thanks Alan,
I went through the link but honestly I couldn't understand the proposed solution. Should I use JSON code for the vault var, or should I use the https://gist.github.com/sivel/6991a5abcfc41bb2872d5898213575eb script? And I'm not sure really how to use it.
Thanks
Samer
AlanCoding
(Alan Rominger)
November 20, 2018, 2:07pm
4
There is no way to use this feature (pasting that syntax into job template extra_vars) without that fix. There is also no way to use the YAML marker for vault content. In other words, right now, there is no way for you to use encrypted vault content in job template extra_vars.
Sam2
(Sam)
November 21, 2018, 2:42pm
6
Hello Alan,
I was thinking about the vault topic again and I went through your illustration of using vault encrypted vars. This means that an AWX admin can decrypt any encrypted vault var by assigning them to the right vault credentials in a job template. I believe the AWX template has permission to credentials and can easily use any of them, so he can use them to decrypt secret vars/files. Right?
Thanks
Samer
AlanCoding
(Alan Rominger)
November 21, 2018, 5:51pm
7
The superuser with access to the server can ultimately decrypt everything you save one way or the other.
> AWX template has permission to credentials

You need the use role for the credential to use it in a template. Then the credential, combined with the variables, can decrypt them and use or echo the plaintext value within the ansible-playbook runtime context.
If you want to protect your secrets from all other users, use credential prompt on launch. When you launch, you type in your password, and then the server will forget the provided password after the work is finished. Of course, there could still be artifacts in the job data, depending on how you write your playbooks.