Ansible AWX Plugin - secret fetch via playbook

This article describes how to use Ansible AWX with Akeyless Vault as the store for the credentials AWX needs.

This article uses the Vault Secret Lookup plugin for Ansible AWX.

Two parameters configure the connection to Akeyless: the server URL and an access token.

The lookup plugin reads them from the environment variables VAULT_ADDR and VAULT_TOKEN.

Prepare AWX Environment

Clone the latest stable release tag of the project (substitute the version for <x.y.z>) and check all the dependencies listed in the project's getting started section:

git clone -b <x.y.z> https://github.com/ansible/awx.git

Choose the desired deployment platform; this guide uses Docker Compose:

sudo mkdir -p /root/.awx/awxcompose
sudo ansible-playbook -i inventory install.yml

Configure Akeyless Platform Settings

In the AWX UI, navigate to Resources > Credentials and create a new credential. Select HashiCorp Vault Secret Lookup as the Credential Type and set the Server URL to https://hvp.akeyless.io, or work directly with your Gateway URL on port 8200:

You can use an Akeyless API Key as the token. The format is your Access ID and your Access Key joined by two dots:

<Access ID>..<Access Key>, for example: p-jjdbbkbd..njRThf894chsBXnuh

An API Key is a long-lived credential. AWX stores credential secrets encrypted, but limit the access role behind the key to the secrets your playbooks actually need.

Alternatively, generate an authorization token with the Akeyless CLI auth command and pass it in as part of your workflow variables:

VAULT_TOKEN=$(akeyless auth --access-id "Access ID" --access-type="Auth Method type" --json true | awk '/token/ { gsub(/[",]/,"",$2); print $2}')
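The awk one-liner above prints nothing if the auth call fails or if the CLI prints the JSON on a single line, and an empty VAULT_TOKEN is only discovered when the lookup fails later. The following wrapper is an added example, not part of the page or of the Akeyless CLI: it parses the `token` field from either layout and refuses to continue when no token is present. The JSON it is fed in the usage comment is constructed; `akeyless` itself is not invoked here.

```shell
# Added example (not from the page): fail closed when `akeyless auth` yields
# no token. $1 is the JSON text printed by `akeyless auth ... --json true`.
extract_vault_token() {
    token=$(printf '%s\n' "$1" |
        awk 'match($0, /"token"[ \t]*:[ \t]*"[^"]*"/) {
                 # works for both pretty-printed and compact JSON
                 s = substr($0, RSTART, RLENGTH)
                 sub(/^"token"[ \t]*:[ \t]*"/, "", s)
                 sub(/"$/, "", s)
                 print s
                 exit
             }')
    if [ -z "$token" ]; then
        echo "akeyless auth returned no token; refusing to continue" >&2
        return 1
    fi
    printf '%s\n' "$token"
}

# Usage in a workflow step (the auth arguments are placeholders, as above):
#   VAULT_TOKEN=$(extract_vault_token "$(akeyless auth --access-id "Access ID" \
#       --access-type="Auth Method type" --json true)") || exit 1
#   export VAULT_TOKEN
```

With `|| exit 1` the step stops before any playbook runs with an empty token, instead of surfacing the problem as a lookup failure deep inside a job.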

To fetch a secret from the Akeyless platform, for example the Ansible Tower credentials AWX uses to establish a remote connection to another AWX node, create a new credential and set its Credential Type to Ansible Tower:

You can now choose to populate the Username and Password fields from an external secret management system.

Static Secrets

To work with static secrets under KV 1, the Path to Secret has this format:

secret/data/<Full Secret Name>, and the Key Name in the returned JSON is data.

For example, let's create a secret:

akeyless create-secret -n /DevOps/Ansible -v 'AkeylessIsGr8'

The Key Name is data and the Path is secret/data/DevOps/Ansible.

If the secret value is itself a JSON object, the Path must use this format instead:

secret/<Full Secret Name>, without the data/ prefix. The keys of the JSON object then serve as the Key Names. For example, create a secret whose value is a JSON object:

akeyless create-secret -n /DevOps/AnsibleJson -v '{"username":"john","password":"secret"}'

The Key Name can be username or password, and the Path is secret/DevOps/AnsibleJson.

To work with KV 2, use the following format.

To fetch the secret /DevOps/Ansible:

The Path is secret/DevOps/Ansible, and the Key Name in the returned JSON is DevOps/Ansible, the secret name without its leading /.

For example, to fetch the secret /DevOps/AnsibleJson:

The Path is secret/DevOps/AnsibleJson, and the Key Name is one of the keys of its JSON value.

Dynamic Secrets

To fetch dynamic secrets with the Ansible plugin:

The Path should be in the following format: <Dynamic Secret type>/creds/<Full Secret Name>

The returned JSON object has keys named password and username, e.g.:

{
  "password": "BbDUelj%Z1~UH1YS",
  "username": "tmp_ProdDB_p-csdsffer"
}

In this example, the dynamic secret named /databases/Mysql, of the MySQL dynamic secret type, is fetched; each lookup produces fresh temporary database credentials.
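The Path and Key Name conventions above are easiest to verify outside AWX before a job depends on them. The following is an added example, not code from the page, from Akeyless, or from the AWX project: it re-implements what the HashiCorp Vault Secret Lookup plugin does when it resolves one credential field (a GET to /v1/<path> with the X-Vault-Token header, with "data" inserted after the mount point for KV 2 and the nested data.data object read in that case) and runs it against an in-process mock of the Vault-compatible endpoint so that it works offline. The mock's JSON bodies are constructed to satisfy the Path/Key conventions described in this article and are an assumption about Akeyless's responses, not captured output; the dynamic secret type string mysql and the secret name /DevOps/AnsibleV2 are placeholders.

```python
"""Added example: resolve AWX-style Vault lookups against a mock Akeyless endpoint."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Token in the API-key form shown in the article (constructed, not a real key).
VALID_TOKEN = "p-jjdbbkbd..njRThf894chsBXnuh"

# Constructed responses keyed by the path the plugin requests under /v1/.
# The shapes are an assumption chosen to match the article's conventions.
MOCK_SECRETS = {
    # KV 1, plain value: Path secret/data/DevOps/Ansible, Key Name data
    "secret/data/DevOps/Ansible": {"data": {"data": "AkeylessIsGr8"}},
    # KV 1, JSON value: Path secret/DevOps/AnsibleJson, Key Name username/password
    "secret/DevOps/AnsibleJson": {"data": {"username": "john", "password": "secret"}},
    # KV 2: the plugin inserts "data" after the mount; Key Name is the secret
    # name without its leading slash (secret name is a placeholder)
    "secret/data/DevOps/AnsibleV2": {"data": {"data": {"DevOps/AnsibleV2": "AkeylessIsGr8"}}},
    # Dynamic secret: Path <type>/creds/<name>; "mysql" is an assumed type string
    "mysql/creds/databases/Mysql": {"data": {"username": "tmp_ProdDB_p-csdsffer",
                                             "password": "BbDUelj%Z1~UH1YS"}},
}


class MockAkeyless(BaseHTTPRequestHandler):
    """Minimal stand-in for the Vault-compatible read endpoint."""

    def do_GET(self):
        # Reject anything that does not present the expected token.
        if self.headers.get("X-Vault-Token") != VALID_TOKEN:
            self._reply(403, {"errors": ["permission denied"]})
            return
        path = urlparse(self.path).path
        path = path[len("/v1/"):] if path.startswith("/v1/") else path
        body = MOCK_SECRETS.get(path)
        self._reply(200 if body else 404, body or {"errors": []})

    def _reply(self, status, obj):
        data = json.dumps(obj).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *_):  # keep request logging quiet
        pass


def start_mock_server():
    """Start the mock on a free loopback port; returns (server, VAULT_ADDR)."""
    srv = HTTPServer(("127.0.0.1", 0), MockAkeyless)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def vault_lookup(vault_addr, vault_token, secret_path, secret_key, api_version="v1"):
    """Resolve one credential field the way the AWX lookup plugin does.

    KV 1: GET /v1/<secret_path>        -> body["data"][secret_key]
    KV 2: GET /v1/<mount>/data/<rest>  -> body["data"]["data"][secret_key]
    Failures raise instead of silently yielding an empty credential.
    """
    path = secret_path.strip("/")
    if api_version == "v2":
        mount, _, rest = path.partition("/")
        path = "/".join(p for p in (mount, "data", rest) if p)
    req = urllib.request.Request(f"{vault_addr.rstrip('/')}/v1/{path}",
                                 headers={"X-Vault-Token": vault_token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 403:
            raise PermissionError(f"token rejected for {secret_path}") from err
        if err.code == 404:
            raise LookupError(f"no secret at {secret_path}") from err
        raise
    if api_version == "v2":
        body = body["data"]
    try:
        return body["data"][secret_key]
    except KeyError:
        raise LookupError(f"key {secret_key!r} not in response for {secret_path}") from None


if __name__ == "__main__":
    srv, addr = start_mock_server()
    try:
        print(vault_lookup(addr, VALID_TOKEN, "secret/data/DevOps/Ansible", "data"))
        print(vault_lookup(addr, VALID_TOKEN, "secret/DevOps/AnsibleJson", "username"))
        print(vault_lookup(addr, VALID_TOKEN, "secret/DevOps/AnsibleV2", "DevOps/AnsibleV2", "v2"))
        print(vault_lookup(addr, VALID_TOKEN, "mysql/creds/databases/Mysql", "password"))
    finally:
        srv.shutdown()
```

To check a real path, point vault_addr at https://hvp.akeyless.io or your Gateway on port 8200 and pass the same Path and Key Name you intend to enter in AWX; a PermissionError means the token or its access role is wrong, a LookupError means the Path or Key Name does not match the conventions above.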
