Awx: AWX doesn't use supplied Vault Password

Created on 21 Mar 2018  路  4Comments  路  Source: ansible/awx
ISSUE TYPE
  • Bug Report
COMPONENT NAME
  • UI
SUMMARY

AWX doesn't use supplied Vault Password if vault_password_file is set in ansible.cfg

ENVIRONMENT
  • AWX version: 1.0.4.91
  • AWX install method: docker on linux
  • Ansible version: 2.4.3.0
  • Operating System: CentOS 7
  • Web Browser: Opera 51.0.2830.55
STEPS TO REPRODUCE
  1. Create a new Project which syncs a repository from Git.
  2. Inside the Git-Repo there is a ansible.cfg in the root directory. There we configured an vault_password_file = vault_pass.txt (used for local development, not checked into Git/added to .gitignore)
  3. There's also some playbooks & inventory .yml-files. In the Playbook we load our ansible vault.yml using vars_files.
  4. Configure a Job Template which uses our playbook.
  5. Configure a Inventory which syncs from our inventory.yml
  6. Add a Credential of Type Vault with our Vault-Password to AWX.
  7. Configure this Credential inside the Job Template.
  8. Run the Job. It fails immediately with the following error:

ERROR! The vault password file /var/lib/awx/projects/_6__elaxy_ansible_deploy/vault_pass.txt was not found

  1. If i remove the vault_password_file from the checked in ansible.cfg, The Vault Credential from AWX is correctly used. Unfortunately this also means that for local development I have to manually enter the Vault Password or use some custom Environment Variables.
EXPECTED RESULTS

I expected Ansible to use the Vault Credential i explicitly configured and ignore the vault_password_file from the ansible.cfg. Unfortunately the Credential seems to be ignored and Ansible wants to use the (non-existing) Vault Password File instead.

ACTUAL RESULTS

The Job fails with the following error:

ERROR! The vault password file /var/lib/awx/projects/_6__elaxy_ansible_deploy/vault_pass.txt was not found

ADDITIONAL INFORMATION

image

ui bug
Source
picture anonfriese

Most helpful comment

I have the same issue with the same setup. I also expected from AWX to take the credentials that I provide in the Job template.

picture mia-fyayc on 22 Mar 2018
👍2

All 4 comments

I have the same issue with the same setup. I also expected from AWX to take the credentials that I provide in the Job template.

mia-fyayc picture mia-fyayc on 22 Mar 2018
👍2

I believe I reproduced your expectation here

https://github.com/AlanCoding/Ansible-inventory-file-examples/tree/master/issues/AWX1630

Have you considered using a custom credential type? Make it inject your vault pass into the file vault_pass.txt.

I think that should work and solve your issue. As to the broader question of revoking a setting defined in settings.cfg, that would take more thought as to the implementation and would need to be filed with Ansible core.

AlanCoding picture AlanCoding on 26 Mar 2018
👎3 😕1

I think this probably comes down to ansible's preference in the matter and I don't see us being able to actually override this.

@AlanCoding provided you with a workaround

matburt picture matburt on 2 Apr 2018

Have you considered using a custom credential type? Make it inject your vault pass into the file vault_pass.txt.

I don't understand the workaround; custom credentials can only inject into temporary files (AFAIK), not the specific file required by the ansible.cfg and you are not allowed to set the ANSIBLE_VAULT_PASSWORD_FILE env. If AWX used that instead of --vault-pasword-file wouldn't that fix the issue.

JamesUoM picture JamesUoM on 25 Jun 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

Gui13 picture Gui13  路  3Comments
IshwarKanse picture IshwarKanse  路  3Comments
pebbledavec picture pebbledavec  路  3Comments
beenje picture beenje  路  3Comments
cs35-owncloud picture cs35-owncloud  路  3Comments