In order to improve my AWX management for my team, I'm currently trying to configure HashiCorp Vault credentials, but I'm having some errors and doubts.
Usually, in the Ansible projects I run from a Debian server, I'm used to setting up Vault secrets using a lookup like this (works in a var file or within vars:):
### Vault Configuration
ansible_hashi_vault_token="{{ lookup('env','VAULT_ANSIBLE') }}"
my_secret="{{ lookup('community.hashi_vault.vault_kv2_get', 'my_secret', engine_mount_point='kv/', token=ansible_hashi_vault_token) }}"
#### Credentials (ansible service account) ####
ansible_user="{{ my_secret.secret.ansible_user_from_vault}}"
Ansible looks for an environment variable called 'VAULT_ANSIBLE', which is the token resulting from an AppRole call to my Vault server. This allows running the playbook without writing any token in the code.
Now, after adding the project in AWX, I'm trying to make the Vault part work:
I created a credential with HashiCorp Vault Secret Lookup, as you can see here. I simply added the Server URL + Token for testing.
When I click on Test, no matter which secret I want to retrieve, I always get this error:
Here are my questions:
- Which log file can give me more information about the credential/API call to Vault?
- Is there anything I am missing for this particular configuration? I tried adding my root CA in the corresponding field, but I still get the same error.
- Is there a proper way, or another way, to use the Vault lookup within AWX?
I saw on many forums that people create custom Credential Types, then use an Injector to use the Vault lookup.
Thanks a lot for your help
Gael
EDIT 12 12 2023
Found the logs (using kubectl logs my-pod) corresponding to the credential test. It seems to be a Django Bad Request, but I don't know how to investigate that:
2023-12-12 14:40:40,628 WARNING [4fdf7cfc36804499b34fa50a28369fb7] awx.api.generics status 400 received by user admin attempting to access /api/v2/credentials/5/test/ from 10.10.10.10
2023-12-12 14:40:40,635 WARNING [4fdf7cfc36804499b34fa50a28369fb7] django.request Bad Request: /api/v2/credentials/5/test/
2023-12-12 14:40:40,635 WARNING [4fdf7cfc36804499b34fa50a28369fb7] django.request Bad Request: /api/v2/credentials/5/test/
10.10.10.10 - - [12/Dec/2023:14:40:40 +0000] "POST /api/v2/credentials/5/test/ HTTP/1.1" 400 21 "https://my-awx.net/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0" "10.230.173.133"
[pid: 23|app: 0|req: 228/1089] 172.20.245.206 () {72 vars in 2440 bytes} [Tue Dec 12 14:40:40 2023] POST /api/v2/credentials/5/test/ => generated 21 bytes in 76 msecs (HTTP/1.1 400) 14 headers in 598 bytes (1 switches on core 0)
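One way to do what the last paragraph of the question describes (a custom Credential Type whose injector sets the environment variable the vars file above already reads), as an added example that is not taken from the original post or from the AWX project. The field ids, the labels and the VAULT_ANSIBLE_CA_FILE variable name are assumptions; the fields/required input keys, the env and file injector keys and tower.filename are AWX's documented custom credential type syntax.

```yaml
# Hypothetical custom Credential Type "Vault token for lookups".
# Paste the first document into "Input configuration" and the second
# into "Injector configuration" when creating the type in the AWX UI.
---
# Input configuration: what the user enters when creating a credential.
fields:
  - id: vault_token
    type: string
    label: Vault token (result of an AppRole login)
    secret: true          # stored encrypted, masked in the UI and in job output
  - id: vault_ca_cert
    type: string
    label: Custom CA certificate (PEM)
    multiline: true
required:
  - vault_token
---
# Injector configuration: applied to the job environment at run time.
file:
  # AWX writes the PEM content to a temporary file for the job and
  # exposes its path as tower.filename.
  template: '{{ vault_ca_cert }}'
env:
  # Same variable the vars file reads with lookup('env', 'VAULT_ANSIBLE'),
  # so the existing lookup code works unchanged inside AWX.
  VAULT_ANSIBLE: '{{ vault_token }}'
  # Assumed name: pass it to the lookup as
  # ca_cert=lookup('env', 'VAULT_ANSIBLE_CA_FILE') so the private CA is trusted.
  VAULT_ANSIBLE_CA_FILE: '{{ tower.filename }}'
```

Attach a credential of this type to the job template; the token never appears in the project code, and the CA file path covers the SSL failure the first answer below traces to a missing custom CA.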
2 Answers
After many tests and troubleshooting, I finally ended up with a working solution:
SSLError to HTTP 404
I performed some other tests without the certificate and I got SSLError every time.
Conclusion: you should provide your custom CA, either as content or as a file, in the credential settings.
Is there a specific underlying AWX setup to get this done? I have AWX community edition running on OpenShift via the corresponding Operator, version 2.0.
I always get a Django Bad Request, regardless of whether I provide certificates or not.