I ran into an issue with AWX that was documented here: https://github.com/ansible/awx/issues/1630
Unfortunately, it was closed without being properly resolved. I talked to @bcoca about it and he explained to me that all ansible.cfg settings can be overridden by cli or env vars which is also how AWX overrides things.
TL;DR: please make this setting overridable as well, because right now you need to decide between the workstation convenience of not having to type the password on every run and having your playbooks work in AWX.
Add a vault_password_file entry to your ansible.cfg that points to a file which exists on your workstation but not on AWX. Set vault credentials for a template using the related project in AWX.
The playbook runs using the vault credentials provided by AWX credential store.
The AWX job fails right away and tells you: ERROR! The vault password file /var/lib/awx/<your path here> was not found
P.S.: would be great if whoever fixes this could also trigger some development in AWX in case that's necessary.
We would only override the vault_password_file configuration if AWX was putting vault passwords in a specific file; since that's not how AWX works, we must assume that any config item set in ansible.cfg is intentional.
Damn, I actually wanted to create this in the ansible core repo, not in AWX. Anyway, why would you close the issue without providing a solution? Did you understand the described scenario or should I try to explain it differently?
An attempt: there is no way you can use this property vault_password_file in the ansible.cfg of a repository that you wanna use in AWX as well, and that means you always have to type the secret on every run, which is more than tedious for development of your playbooks.
Plus, as @bcoca pointed out, this seems to be the only property that cannot be overridden which is why he also considers it a bug. I'd understand if you would tell me that this ticket belongs in core rather than AWX though.
I'm not sure what you mean. You should be able to use vault_password_file under AWX... as long as the file is available at playbook run time. We're actually trying to move away from transparently overriding config items as much as possible - we have to assume in the general case that if a setting is set, it is meant.
> I'm not sure what you mean. You should be able to use vault_password_file under AWX... as long as the file is available at playbook run time
That's the point - to exist there, it would need to be part of the repo (which cannot work, because if the secret is there, vault makes no sense) or "deployed" as part of the AWX installation, which makes it 1) hard to maintain and 2) accessible to any playbook. However, if I could ask AWX to create a file with the configured vault credential at playbook execution time, that would also work.
My vault_password_file usually points to a location that exists only on dev workstations (convention), where the playbooks are created/maintained.
Is there a workaround for this?
The workaround would be to remove this from your ansible.cfg, then create a credential with vault as its type in the UI, then attach this credential to your job template that needs this credential. A bit annoying, but not really a big deal, to say the least.
I was about to file this as the same bug, but I stumbled upon this, and I think as long as some workaround exists it's OK, and this is a very subtle bug imho
@hellracer, so I would need to maintain two repos of playbooks one for running directly as a user and another for use with AWX?
We are also affected by this issue.
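The failure mode discussed in this thread can be caught before a job is launched. The following is an added example, not part of any comment above and not AWX or Ansible code: a pre-flight check that reads a repository's ansible.cfg and predicts whether the configured vault_password_file would exist for a given runner. The function names, the sample path `~/.vault/dev_pass`, and the path-resolution rules (leading `~` expanded to the runner's home, relative paths resolved against the project directory) are assumptions made for illustration.

```python
import configparser
import os

# Constructed sample: a repo ansible.cfg pointing at a workstation-only file.
SAMPLE_CFG = """\
[defaults]
inventory = inventory/
vault_password_file = ~/.vault/dev_pass
"""


def vault_password_file_setting(cfg_text):
    """Return the raw vault_password_file value from [defaults], or None."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    return parser.get("defaults", "vault_password_file", fallback=None)


def check_for_runner(cfg_text, runner_home, project_dir, exists=os.path.exists):
    """Predict whether a job run from project_dir by a user whose home is
    runner_home would find the configured vault password file.

    Returns {"status": "unset" | "ok" | "missing", "path": resolved path}.
    `exists` is injectable so the check can be tested without touching disk.
    """
    raw = vault_password_file_setting(cfg_text)
    if raw is None:
        # Nothing in ansible.cfg: only externally supplied vault credentials apply.
        return {"status": "unset", "path": None}
    if raw == "~" or raw.startswith("~/"):
        # Assumption: "~" means the home directory of the user running the job.
        path = os.path.join(runner_home, raw[2:])
    elif os.path.isabs(raw):
        path = raw
    else:
        # Assumption: relative paths are resolved against the project directory.
        path = os.path.join(project_dir, raw)
    path = os.path.normpath(path)
    return {"status": "ok" if exists(path) else "missing", "path": path}


if __name__ == "__main__":
    # On a real checkout, pass the contents of ./ansible.cfg instead of SAMPLE_CFG.
    result = check_for_runner(SAMPLE_CFG, os.path.expanduser("~"), os.getcwd())
    print(result)
```

A "missing" result for the AWX home directory corresponds to the `The vault password file ... was not found` error quoted at the top of the thread.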