Recently I’ve decided to change how I retrieve privilege escalation credentials for production hosts added to Ansible AWX. When I first started out I only had a few machines, so the root/Administrator credential was defined on each host. Whilst this approach is fine for a limited amount

of hosts, it isn’t scalable. Therefore in an effort to increase security and I decided to leverage my HashiCorp Vault implementation.

However, before we can use the HashiCorp Vault lookup plugin we need to prepare our installation. As AWX is based on Docker containers, additional work is required.

Please note: this post is about getting to a place where you can perform the lookup. I’ll write a follow-up piece on how to actually do it at a later date.

Getting Started

Become root on your AWX host and install a Python Virtual Environment:

yum install -y virtualenv

Create a new Python virtual environment (substitute accordingly):

virtualenv /opt/my-envs/hobbitcloud
python3 -m venv /opt/my-envs/hobbitcloud

Install necessary modules:

/opt/my-envs/hobbitcloud/bin/pip3 install psutil

Install the HVAC module:

/opt/my-envs/hobbitcloud/bin/pip3 install -U hvac

Install the HVAC Parser:

/opt/my-envs/hobbitcloud/bin/pip3 install -U hvac[parser]

Containers

List your Docker containers to get the ID of awx_task and awx-web:

docker ps

This will list your AWX containers. Take a note of the container ID for the awx_task and awx_web containers:

Copy the virtual environment to each container (substitute accordingly):

docker cp hobbitcloud 53ced1648e06:/var/lib/awx/venv/
docker cp hobbitcloud ac7f9867a735:/var/lib/awx/venv/

In AWX, modify the system configuration (under Settings / System ) to list your new environment:

That’s it!