Recently I decided to change how I retrieve privilege escalation credentials for production hosts added to Ansible AWX. When I first started out I only had a few machines, so the root/Administrator credential was defined on each host. Whilst this approach is fine for a small number of hosts, it isn't scalable, and it leaves the most privileged credential stored against every host record in AWX rather than fetched on demand. Therefore, in an effort to increase security, I decided to leverage my HashiCorp Vault implementation.
However, before we can use the HashiCorp Vault lookup plugin we need to prepare our installation: the lookup depends on the hvac Python module, which the stock AWX virtual environments do not include. As AWX runs as a set of Docker containers, a custom virtual environment has to be built and then made available inside the awx_task and awx_web containers, so additional work is required.
Please note: this post is about getting to a place where you can perform the lookup. I’ll write a follow-up piece on how to actually do it at a later date.
Become root on your AWX host and install a Python Virtual Environment:
yum install -y virtualenv
Create a new Python virtual environment (substitute the path accordingly). Either of the following works; the second needs no extra package:
virtualenv /opt/my-envs/hobbitcloud
python3 -m venv /opt/my-envs/hobbitcloud
Install necessary modules:
/opt/my-envs/hobbitcloud/bin/pip3 install psutil
Install the HVAC module:
/opt/my-envs/hobbitcloud/bin/pip3 install -U hvac
Install the HVAC parser extra (quote the argument, as square brackets are shell glob characters):
/opt/my-envs/hobbitcloud/bin/pip3 install -U 'hvac[parser]'
List your Docker containers (for example with docker ps) and take a note of the container IDs of the awx_task and awx_web containers; the virtual environment must be present in both, as awx_web validates the environment selection and awx_task runs the jobs.
Copy the virtual environment into each container (substitute the IDs with your own; the ones below are from my installation):
docker cp /opt/my-envs/hobbitcloud 53ced1648e06:/var/lib/awx/venv/
docker cp /opt/my-envs/hobbitcloud ac7f9867a735:/var/lib/awx/venv/
Two caveats: the copied environment symlinks to the host's Python interpreter, so the same Python version must exist at the same path inside the containers (otherwise build the environment inside the container instead), and docker cp only writes to the container's writable layer, so the copy has to be repeated whenever the containers are recreated, for instance on an AWX upgrade.
In AWX, modify the system configuration (under Settings / System) to list your new environment:
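The steps above as one script, which is an added example and not code from the original post. It assumes a Docker-based AWX whose containers are named awx_task and awx_web, a venv root of /var/lib/awx/venv inside them (as in the post), and a host Python 3 matching the one in the containers. Beyond the post, it resolves the container IDs by exact name instead of copying them by hand, and verifies inside each container that the copied interpreter can import hvac and psutil before you touch the AWX settings; the container listing used in the comments is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): build the custom venv, install the
# Vault lookup dependencies, copy the venv into awx_task and awx_web, verify it.
# Assumptions: containers named awx_task/awx_web, venv root /var/lib/awx/venv in
# the containers, host Python 3 at the same path/version as the containers'.
set -euo pipefail

VENV_DIR="${VENV_DIR:-/opt/my-envs/hobbitcloud}"   # substitute accordingly
CONTAINER_VENV_ROOT="/var/lib/awx/venv"
CONTAINERS="awx_task awx_web"

# Path the venv will have inside a container after "docker cp"
# (a trailing slash on VENV_DIR is tolerated).
container_venv_path() {
  printf '%s/%s\n' "$CONTAINER_VENV_ROOT" "$(basename "$1")"
}

# Read "ID NAME" lines on stdin (the format of
# docker ps --format '{{.ID}} {{.Names}}', e.g. "53ced1648e06 awx_task") and
# print the ID whose name matches $1 exactly, so awx_task never matches
# something like awx_task_old.
id_for_name() {
  while read -r id name; do
    [ "$name" = "$1" ] && printf '%s\n' "$id"
  done
  return 0
}

# Build the venv and install what the Vault lookup needs.
build_venv() {
  python3 -m venv "$1"
  # quoted: [] would otherwise be treated as a shell glob
  "$1/bin/pip3" install -U pip psutil 'hvac[parser]'
}

# Copy the venv into one container and prove the interpreter and modules work
# there; a host/container Python mismatch fails here, not at job runtime.
install_into_container() {
  local name="$1" id venv_in_container
  id="$(docker ps --format '{{.ID}} {{.Names}}' | id_for_name "$name")"
  [ -n "$id" ] || { echo "container $name is not running" >&2; return 1; }
  venv_in_container="$(container_venv_path "$VENV_DIR")"
  docker cp "$VENV_DIR" "$id:$CONTAINER_VENV_ROOT/"
  docker exec "$id" "$venv_in_container/bin/python" \
    -c 'import hvac, psutil, sys; print("venv OK, python", sys.version.split()[0])'
  echo "installed $venv_in_container into $name ($id)"
}

main() {
  build_venv "$VENV_DIR"
  for c in $CONTAINERS; do
    install_into_container "$c"
  done
  echo "Now list $(container_venv_path "$VENV_DIR") under Settings / System in AWX."
}

# Only act when invoked explicitly, e.g.: sudo ./prepare_venv.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as root on the AWX host with the single argument run; because docker cp is not persistent across container recreation, keep the script and re-run it after every AWX upgrade.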