Ansible AWX Plugin - secret fetch via playbook

using Ansible AWX with Akeyless Vault for storing credentials.

This article uses the Vault Secret Lookup plugin for Ansible AWX.

There are two main parameters used to configure the connection to Akeyless - the URL, and a Token for access.

The lookup plugin uses these via the environment variables VAULT_ADDR and VAULT_TOKEN.


Did you know?

Akeyless developed API compatibility with Hashicorp Vault OSS, enabling the use of Vault OSS community plugins for both Static & Dynamic Secrets, you can find more information here

Prepare AWX Environment

Clone the latest stable version of the project and check all the dependencies as mentioned in the getting started section:

git clone -b <x.y.z>

Choose the desired deployment platform, the following guide will describe the use of Docker Compose:

sudo mkdir /root/.awx/awxcompose
sudo ansible-playbook -i inventory install.yml

Configure Akeyless Platfrom Settings

On AWX UI, navigate to Resources and create new Credentials. Select HashiCorp Vault Secret Lookup as your Credentials Type and set the SERVER URL to or work directly with your Gateway URL on port 8200:

You can either use Akelyess API Key in the following format as your Token:

A concatenation of your Access ID and your Access Key with two dots as a delimiter:
< Access ID >..< Access Key >, For example:p-jjdbbkbd..njRThf894chsBXnuh

Alternatively, to extract your authorization tokens directly using the Akelyess CLI auth command as part of your workflow variables :

VAULT_TOKEN=$(akeyless auth --access-id "Access ID" --access-type="Auth Method type" --json true | awk '/token/ { gsub(/[",]/,"",$2); print $2}')

To fetch a secret from the Akeyless platform, for example, for AWX Tower credentials that will be used to establish a remote connection to an AWX node, create a new Credentials and set the Credentials Type as Ansible Tower:

You can now select to populate the Username and Password fields from an external Secret Management system.

Static Secrets

To work with Static secrets, the Path to Secret should be in this format for KV 1:

secret/data/<Full Secret Name>, where the Key Name in the returned JSON name is data.

For example, let's create a secret:

akeyless create-secret -n /DevOps/Ansible -v 'AkeylessIsGr8'

The Key name should be set to data and the Path is secret/data/DevOps/Ansible.

In case the secret value itself is a JSON-structured object, the Path must be in the following format:

secret/<Full Secret Name>, without the data/ prefix, you can use the internal JSON keys as the Key Names for example, let's create a secret that contains a JSON-structured value:

akeyless create-secret -n /DevOps/AnsibleJson -v '{"username":"john","password":"secret"}'

The Key names can be: username and password where the Path is secret/DevOps/AnsibleJson

To work with KV 2 use the following format:

To fetch the secret /DevOps/Ansible :

The Path is secret/DevOps/Ansible, where the Key in the returned JSON name is DevOps/Ansible without the / prefix.

For example, to fetch the secret /DevOps/AnsibleJson :

The Path should be secret/DevOps/AnsibleJson, and the Key name should be set with the relevant JSON keys.

Dynamic Secrets

To use your Ansible Plugin to fetch Dynamic Secrets:

The Path should be in the following format: <Dynamic Secret type>/creds/<Full Secret Name>

The returned JSON object will have keys named password and username.e.g.

  "password": "BbDUelj%Z1~UH1YS",
  "username": "tmp_ProdDB_p-csdsffer"

In this example, we are fetching a dynamic secret named /databases/Mysql using MySQL Dynamic Secrets.