AWX Key-Value Secret Setup

From Bitbull Wiki
Revision as of 16:57, 21 March 2022 by Chris (talk | contribs) (Created page with "=Overview= * Version: awx 20.0.1 HowTo store key-value secrets in awx and pass them to the playbooks =AWX Configuration= ==Credential Type== * AWX > Administration > Credenti...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

1 Overview

  • Version: awx 20.0.1

HowTo store key-value secrets in awx and pass them to the playbooks

2 AWX Configuration

2.1 Credential Type

  • AWX > Administration > Credential Types > Add
    • Name: kv
    • Input configuration: YAML
fields:
  - id: username
    type: string
    label: Username
  - id: password
    type: string
    label: Password
    secret: true
required:
  - username
  - password
    • Injector configuration: YAML
extra_vars:
  KV_PASSWORD: '{{ password }}'
  KV_USERNAME: '{{ username }}'

2.2 Create Test Credential

  • AWX > Resources > Credentials > Add
    • Name: test-kv
    • Type: kv
    • Username: myuser
    • Password: mypass

2.3 Create Demo Playbook

Create Project with Github Repo and load it into AWX

  • AWX > Resources > Projects > Add
  • Name: Bitbull Ops
  • var_secret.yml
---
- hosts: linux.domain.local
  tasks:
  - name: debug vars
    debug:
      msg: "key1: {{ key1 }} --- value1: {{ value1 }}"
...

2.4 Create Template Job

  • AWX > Resources > Templates > Add > Job Template
    • Name: DEBUG Variables
    • Project: Bitbull Ops
    • Playbook: var_secret.yml
    • Credentials: "YOUR SSH CREDS" + "test-kv"
    • Variables: YAML
---
key1: "{{ KV_USERNAME }}"
value1: "{{ KV_PASSWORD }}"

2.4.1 Run Playbook

Output example:

Enter passphrase for /runner/artifacts/228/ssh_key_data: 
Identity added: /runner/artifacts/228/ssh_key_data (xxxxx)

PLAY [linux.domain.local] **************************************************

TASK [Gathering Facts] *********************************************************
ok: [linux.domain.local]

TASK [debug vars] **************************************************************
ok: [linux.domain.local] => {
    "msg": "key1: myuser -- value1: mypass"
}

PLAY RECAP *********************************************************************
linux.domain.local     : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0