skip to Main Content

In order to improve my AWX management for my team, i’m currently trying to configure Hashicorp Vault Credentials but i’m having some errors and doubt.

Usually in my Ansible project I run from a Debian server, I’m used to set up Vault secrets using lookup like this (works in var file or within vars:)

### Vault Configuration
ansible_hashi_vault_token="{{ lookup('env','VAULT_ANSIBLE') }}"

my_secret="{{ lookup('community.hashi_vault.vault_kv2_get', 'my_secret', engine_mount_point='kv/', token=ansible_hashi_vault_token) }}"

#### Credentials (compte de service ansible) ####
ansible_user="{{ my_secret.secret.ansible_user_from_vault}}"

Ansible will seek for an environment variable which is called ‘VAULT_ANSIBLE’ that is the result token of an AppRole call to my vault server. It allows to run playbook without writing any token in the code.

Now after adding project in AWX, i’m trying to make the Vault part working =>

  1. I created Credentials with HashiCorp Vault Secret Lookup as you can see here. Simply add Server URL + Token for testing.
    enter image description here

  2. When I click on Test, no matter what secrets I want to retrieve I always have this error
    enter image description here

Here’s my questions :

  • which log file can give me more information about the credentials/api call to Vault?
  • Is there any thing I miss for this peculiar configuration ? I tried to add my root.CA in the corresponding field, but still the same error.
  • is there a proper way/another way to use Vault lookup within AWX ?

I saw on many forum that people are creating custom Credential Types, then use an Injector to use vault lookup.

Thanks a lot for your help
Gael

EDIT 12 12 2023
Found the logs (using kubectl logs my-pod) corresponding to the Test credential. Seems to be a django Bad Request but don’t know how to investigate that;

2023-12-12 14:40:40,628 WARNING  [4fdf7cfc36804499b34fa50a28369fb7] awx.api.generics status 400 received by user admin attempting to access /api/v2/credentials/5/test/ from 10.10.10.10
2023-12-12 14:40:40,635 WARNING  [4fdf7cfc36804499b34fa50a28369fb7] django.request Bad Request: /api/v2/credentials/5/test/
2023-12-12 14:40:40,635 WARNING  [4fdf7cfc36804499b34fa50a28369fb7] django.request Bad Request: /api/v2/credentials/5/test/
10.10.10.10 - - [12/Dec/2023:14:40:40 +0000] "POST /api/v2/credentials/5/test/ HTTP/1.1" 400 21 "https://my-awx.net/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0" "10.230.173.133"
[pid: 23|app: 0|req: 228/1089] 172.20.245.206 () {72 vars in 2440 bytes} [Tue Dec 12 14:40:40 2023] POST /api/v2/credentials/5/test/ => generated 21 bytes in 76 msecs (HTTP/1.1 400) 14 headers in 598 bytes (1 switches on core 0)

2

Answers


  1. Chosen as BEST ANSWER

    After many tests and troubleshoot, finally ends up with a working solution :

    1. I provided the root + intermediate certificate as a pem file in the credentials settings (be careful to have the correct cert, in the correct order, in pem format : intermediate + root
    • From this, it moves from SSLError to HTTP 404
    • After some tests the perfect setting to make it work was this one

    enter image description here

    I perform some other test without certificate and I have SSLError everytime.

    1. Don't forget to select v2 for the API version in credentials settings enter image description here

    Conclusion : you should provide your custom CA content or as a file in the credentials settings.


  2. Is there a specific underlying AWX Setup to get this done? I have AWX community edition running Openshift via the corresponding Operator on Verison 2.0.

    I always get django Bad Request regardless if I provide certificates or not.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search