How to set up a playbook to use vault when run from engine, and to skip vault when run from Tower/AWX


I was unable to find documentation or Q&A covering this specific topic. I'm posting it here with the answer in the hopes that someone finds it useful. I am a member of a small group of automation engineers. One task is to provide automation in Tower for other engineers and admins.

The automation team is happy with our current setup which allows us to run plays from the commandline without locking our accounts, without typing a password every time, and with no passwords stored in plain text:

  • We use an ansible vault stored in each admin's profile to store encrypted login credentials, along with a gpg armored key. Each vault uses the same name, similar to ~/.ansible/vault.yml
  • A script extracts the key and unlocks the vault.
  • The script is defined in ansible.cfg, [defaults], vault_identity_list.
  • The playbooks load the vault with vars_files

Tower in job isolation mode cannot access home directories. And we do not want vault+key outside the admin's home folder, subject to random prying. Tower has its own vault system that we use when using Tower. We want to maintain our current method of commandline runs, but be able to use the same playbook in Tower and Engine.

I tried:

  • Forcing tower to read the vault. (no joy)
  • Playbook with vault commented out. (This worked in tower, but I had to toggle the commenting to run from commandline. Put a pin in this as a last resort.)
  • Using conditional to only load vars_files when ansible_user is not awx. (Well guess what, it still runs as the user who triggers the job. Put a pin in this to find another variable that is consistent and indicates Tower is the platform.)
  • Using tags and skip-tags within tower to skip vars_files (no joy. Tags don't work on vars_files:)
1 answer

Jeter-work

What I found that worked:

  • skip-tags does exactly what I needed to do
  • learned about include_vars (this is a task module that can be tagged)
  • learned about pre_tasks (since we're including the become credentials in the vault, regular tasks would never be reached because 'no SUDO credentials' would prevent tasks from being run)

so:

pre_tasks:
  # Runs from the command line; Tower skips it via skip-tags: engine
  - name: Load the admin's local vault
    include_vars: ~/.ansible/vault.yml
    tags: engine

and, in Tower, set the job template to skip-tags: engine

Now the same play works in or out of Tower, with minimal authentication and without plaintext passwords.
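A complete playbook built around the pattern in the answer, added here as an example; it is not code from the question or the answer. It assumes (these names are assumptions, not from the original post) that the admin's vault at ~/.ansible/vault.yml defines the connection variables ansible_user, ansible_password and ansible_become_password, and that the inventory has a group called webservers. It also handles the one ordering pitfall this pattern has: fact gathering happens before pre_tasks, so with credentials coming from the vault it must be turned off and run explicitly after the vault is loaded.

```yaml
---
# Added example (not from the original post): one playbook that runs from
# Engine on the command line and from Tower/AWX without changes.
# Assumed (hypothetical): ~/.ansible/vault.yml defines ansible_user,
# ansible_password and ansible_become_password; the inventory group is "webservers".
- name: Same play for Engine and Tower
  hosts: webservers
  # Facts are gathered BEFORE pre_tasks, and at that point the Engine run has
  # no credentials yet, so gathering would fail. Disable it and gather later.
  gather_facts: false

  pre_tasks:
    # Engine: this task runs and loads the login/become credentials.
    # Tower: the job template has Skip Tags = engine, so this task is skipped
    # and the Tower machine credential supplies the passwords instead.
    - name: Load credentials from the admin's local vault (Engine only)
      ansible.builtin.include_vars:
        file: ~/.ansible/vault.yml
      tags: engine
      # include_vars echoes the loaded variables in -v output; keep the
      # decrypted secrets out of the log on every path.
      no_log: true

    # Now that a login is possible on both paths, gather facts explicitly.
    - name: Gather facts
      ansible.builtin.setup:

  tasks:
    # First privileged task; it proves that become works whichever path
    # supplied the credentials.
    - name: Check the effective user after become
      ansible.builtin.command: id -un
      become: true
      changed_when: false
      register: effective_user

    - name: Show the effective user
      ansible.builtin.debug:
        msg: "Running as {{ effective_user.stdout }} on {{ inventory_hostname }}"
```

From the command line, run it as usual (for example `ansible-playbook -i inventory site.yml`); the `vault_identity_list` script from the question decrypts the file. In Tower, set the job template's Skip Tags field to `engine`. Passing `--skip-tags engine` on the command line reproduces the Tower behaviour for testing. One caveat: because the credential task carries a named tag, a command-line run limited with `--tags sometag` will also skip it unless `engine` is included in that list.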