Ansible AWX Plugin - secret fetch via playbook

This guide covers using Ansible AWX with Akeyless Vault for storing the credentials a playbook needs.

Two parameters configure the connection to Akeyless: the URL and an access Token.
The lookup plugin reads them from the environment variables VAULT_ADDR and VAULT_TOKEN.

Tokens are the output of a successful authentication. You can either use an Akeyless API Key as your token, in which case the Token value is the concatenation of your Access ID and your Access Key in the following format:

< Access ID >..< Access Key >

For example: p-jjdbbkbd..njRThf894chsBXnuh

Treat this value like a password: it grants whatever access the API Key has.

Alternatively, extract a short-lived token directly with the Akeyless CLI auth command (the awk filter pulls the token field out of the JSON response):

VAULT_TOKEN=$(akeyless auth --access-id "Access ID" --access-type="Auth Method type" --json true | awk '/token/ { gsub(/[",]/,"",$2); print $2}')

Prepare AWX Environment

Clone the project and check all the dependencies as mentioned in the getting started section: https://github.com/ansible/awx/blob/devel/INSTALL.md#getting-started

Run the Docker Compose installation (sudo ansible-playbook -i inventory install.yml): https://github.com/ansible/awx/blob/devel/INSTALL.md#docker-compose

Note: you might need to run 'sudo mkdir /root/.awx/awxcompose'

Configure Akeyless Vault Settings

Create a new project:


Set the SERVER URL to https://hvp.akeyless.io or work directly with your Gateway URL on port 8200:


Create a new Ansible AWX credential (make sure you have a secret named test):


Please note: the username & password fields in the Ansible AWX credential are used for connecting to hosts. They are not relevant to this example. For further reading: https://docs.ansible.com/ansible-tower/3.5.1/html/userguide/credentials.html#ansible-tower

Note on vault directory fetching (path/to/dir/*):

Only first-level files in the directory are fetched; nested folders are not descended into.
Only static secrets are returned.
If two secrets contain the same key in their JSON, one value overwrites the other (secret1:{"hello":"world"} & secret2:{"hello":"world2"} => the result contains only one of them, and which one is not guaranteed).
If secret /path/to/secret has a non-JSON value such as v1, the vault returns it keyed by its full path: {"/path/to/secret":"v1"}.
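The four rules above, as an added example (not Akeyless or AWX code) that simulates the folder merge over a constructed in-memory store. The item paths, the store layout and the "last one written wins" ordering are assumptions, since the page does not say which of two colliding secrets survives; for that reason the function also reports every collided key so a playbook can fail early instead of silently using the wrong value.

```python
"""Simulate the documented behaviour of fetching "path/to/dir/*" from the vault.

Added example, not part of the Akeyless plugin or AWX. The store below is a
constructed stand-in for the vault; the merge rules follow the note above.
"""
import json
from typing import Any, Dict, List, Tuple

# Constructed sample vault contents. Assumption: items are keyed by full path
# and carry a type so that non-static secrets can be filtered out.
SAMPLE_STORE: Dict[str, Dict[str, str]] = {
    "/keys/secret1":  {"type": "static",  "value": '{"hello":"world","db_user":"app"}'},
    "/keys/secret2":  {"type": "static",  "value": '{"hello":"world2","db_pass":"s3cr3t"}'},
    "/keys/plain":    {"type": "static",  "value": "v1"},          # non-JSON value
    "/keys/sub/deep": {"type": "static",  "value": '{"nested":"ignored"}'},  # second level
    "/keys/dynamic":  {"type": "dynamic", "value": '{"user":"tmp"}'},       # not static
}


def parse_item(path: str, raw: str) -> Dict[str, Any]:
    """A JSON object contributes its own key/value pairs.

    Anything else (plain text, a JSON number, a JSON list) is wrapped as
    {path: raw}, which is the documented shape for non-JSON values.
    """
    try:
        parsed = json.loads(raw)
    except ValueError:
        return {path: raw}
    if not isinstance(parsed, dict):
        return {path: raw}
    return parsed


def fetch_folder(store: Dict[str, Dict[str, str]], folder: str) -> Tuple[Dict[str, Any], List[str]]:
    """Merge all first-level static secrets under `folder` ("path/to/dir" or "path/to/dir/*").

    Returns (merged_dict, collided_keys). The merge order here is sorted path order
    (an assumption); `collided_keys` lists every key whose value was overwritten
    by a later item with a different value, so callers can detect ambiguity.
    """
    prefix = folder.rstrip("*").rstrip("/") + "/"
    merged: Dict[str, Any] = {}
    collisions: List[str] = []
    for path in sorted(store):
        if not path.startswith(prefix):
            continue
        if "/" in path[len(prefix):]:
            continue  # rule 1: only first-level files
        item = store[path]
        if item["type"] != "static":
            continue  # rule 2: only static secrets
        for key, value in parse_item(path, item["value"]).items():
            if key in merged and merged[key] != value:
                collisions.append(key)  # rule 3: same key in two secrets
            merged[key] = value
    return merged, collisions


def fetch_folder_strict(store: Dict[str, Dict[str, str]], folder: str) -> Dict[str, Any]:
    """Variant a playbook would prefer: refuse ambiguous results instead of guessing."""
    merged, collisions = fetch_folder(store, folder)
    if collisions:
        raise ValueError(f"ambiguous keys in {folder}: {sorted(set(collisions))}")
    return merged


if __name__ == "__main__":
    result, clashes = fetch_folder(SAMPLE_STORE, "/keys/*")
    print(json.dumps(result, indent=2))
    print("collided keys:", clashes)
```

In the sample store, "hello" appears in both secret1 and secret2, so the merged result contains only one of the two values and the key is reported; "/keys/plain" comes back keyed by its path; the nested and dynamic items are dropped, matching the note.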

Create new template:


Launch the template:


Fetching all secrets from a folder

To fetch all secrets in a folder named "keys", set the secret path in the Ansible AWX credential to "secret/data/keys/*". The launched job then returns every first-level static secret in that folder, merged according to the directory-fetching rules above.