Awx: Cannot add inventory source encrypted with vault

Created on 31 Jul 2018 · 7 Comments · Source: ansible/awx

ISSUE TYPE
  • Bug Report
COMPONENT NAME
  • API
  • UI
SUMMARY

I am not sure this is a bug or not, but I cannot add an inventory with source encrypted by vault.

ENVIRONMENT
  • AWX version: 2.5.4
  • AWX install method: docker for mac
  • Ansible version: 2.5.4
  • Operating System: Mac OS
  • Web Browser: Google Chrome
STEPS TO REPRODUCE
  1. Create a playbook project in GitHub with the inventory located at inventories/production/hosts.yml. I also have host_var located at inventories/production/host_vars/server/vars.yml and inventories/production/host_vars/server/vault.yml, where vault.yml is encrypted with a password from prompt.

  2. Create a playbook production.yml at home directory.

  3. Create a project in awx using this source.

  4. Create an inventory and create an inventory source from the project.

EXPECTED RESULTS
ACTUAL RESULTS

On the Inventory source page, if I click Credential, a prompt shows "NO CREDENTIALS HAVE BEEN CREATED". When I try synchronizing the source, the job runs with the error "ERROR! Attempting to decrypt but no vault secrets found".

ADDITIONAL INFORMATION

I've tried adding a Vault credential in the job template and running the production.yml playbook, but it still shows an error that the variables inside vault.yml are not defined.

All 7 comments

See https://github.com/ansible/awx/issues/223, if you get this to work, you'll need at least Ansible 2.6, and there could be other nuances to the implementation you're attempting.

Hi @AlanCoding ,

I am running Ansible 2.6 and struggling with that encrypted vault topic the same way the colleague @vietthang207 did. In detail, my exact failure is: https://serverfault.com/questions/878320/how-to-use-existing-vault-files-in-ansible-tower

I've seen many open threads regarding this topic. Is there a documented way how it works with ansible 2.6.5?

n0l0cale

I walked through some relevant steps in a comment in #223, but it has gotten a little buried by now. Anyway, I went ahead and replied at serverfault.

thanks :)

@AlanCoding
I think we should reopen this bug thread as stated in the serverfault thread and continue to handle this as a separate issue.

The clear definition would be that we would like to open vault-protected host_vars/group_vars by defining a yaml - e.g. group_var, which could be itself encrypted by a vault-protected with another passphrase, which then could be defined in the job template

After reading https://github.com/ansible/awx/issues/223, this issue and the explication on serverfault (https://serverfault.com/questions/878320/how-to-use-existing-vault-files-in-ansible-tower), I too feel that this issue should be reopened as awx still doesn't support importing inventories that are using whole vault encrypted files.

Encrypting using the whole file was and still is a best practice documented here: https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html#variables-and-vaults

As pointed out in https://github.com/ansible/awx/issues/223#issuecomment-369306829 the issue lies with the behavior of ansible-inventory, which fails when not able to decrypt a vault file.
Should an option be made available in ansible-inventory to ignore variables in vault files without failing? Thus allowing the import of inventories without vaulted variables.

> Should an option be made available in ansible-inventory to ignore variables in vault files without failing? Thus allowing the import of inventories without vaulted variables.

That wouldn't be great behavior IMO. In that case, you really don't know what variables you're missing, and we would at least need to warn the user, and we don't have any logging mechanism for doing this, so it has to just fail.

Regarding:

> I too feel that this issue should be reopened as awx still doesn't support importing inventories that are using whole vault encrypted files.

Yes, we are aware that this is a shortcoming, and is an open potential feature. The enhancement would be, speaking specifically, _decryption of whole-file vault secrets in inventory imports_.
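
A pre-import check for the situation in this thread, as an added example (not code from AWX or from any commenter): it walks an inventory directory and lists the files that are vault-encrypted as a whole, since those are the ones that stop the inventory sync with "Attempting to decrypt but no vault secrets found". It relies on the Ansible vault file header (`$ANSIBLE_VAULT;1.1;AES256`, or the 1.2 form with a trailing vault-id label); the function names and the sample directory are constructed for illustration.

```python
import os
import tempfile

VAULT_MAGIC = "$ANSIBLE_VAULT;"

def parse_vault_header(first_line):
    """Return (format_version, cipher, vault_id_label) or None if not a vault header."""
    line = first_line.strip()
    if not line.startswith(VAULT_MAGIC):
        return None
    parts = line.split(";")
    # 1.1 header: $ANSIBLE_VAULT;1.1;AES256
    # 1.2 header: $ANSIBLE_VAULT;1.2;AES256;<vault-id label>
    if len(parts) < 3:
        return None
    label = parts[3] if len(parts) > 3 else None
    return parts[1], parts[2], label

def find_whole_file_vaults(inventory_dir):
    """Map relative path -> vault-id label (or None) for each whole-file vaulted file."""
    found = {}
    for root, _dirs, files in os.walk(inventory_dir):
        for name in files:
            path = os.path.join(root, name)
            # Only the first line matters; inline "!vault |" values do not start the file.
            with open(path, "r", errors="replace") as fh:
                header = parse_vault_header(fh.readline())
            if header:
                found[os.path.relpath(path, inventory_dir)] = header[2]
    return found

def build_sample_inventory(base):
    """Constructed layout mirroring the issue: hosts.yml plus host_vars/server/."""
    server = os.path.join(base, "host_vars", "server")
    os.makedirs(server)
    with open(os.path.join(base, "hosts.yml"), "w") as fh:
        fh.write("all:\n  hosts:\n    server:\n")
    with open(os.path.join(server, "vars.yml"), "w") as fh:
        fh.write('db_password: "{{ vault_db_password }}"\n')
    with open(os.path.join(server, "vault.yml"), "w") as fh:
        # Constructed placeholder body, not a real vault payload.
        fh.write("$ANSIBLE_VAULT;1.1;AES256\n3031323334\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_inventory(tmp)
        for path, label in sorted(find_whole_file_vaults(tmp).items()):
            print(f"{path}: whole-file vault, label={label or 'none in header'}")
```

Running it against a checked-out project before creating the inventory source shows which files will need a vault secret at import time.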
