Enabling HashiCorp Vault Lookups in Ansible AWX

Recently I’ve decided to change how I retrieve privilege escalation credentials for production hosts added to Ansible AWX. When I first started out I only had a few machines, so the root/Administrator credential was defined on each host. Whilst this approach is fine for a limited number of hosts, it isn’t scalable. Therefore, in an effort to increase security, I decided to leverage my HashiCorp Vault implementation.

However, before we can use the HashiCorp Vault lookup plugin we need to prepare our installation. As AWX is based on Docker containers, additional work is required.

Please note: this post is about getting to a place where you can perform the lookup. I’ll write a follow-up piece on how to actually do it at a later date.

Getting Started

Become root on your AWX host and install the virtualenv tool:

yum install -y virtualenv

Create a new Python virtual environment using either virtualenv or the built-in venv module (substitute the path accordingly; only one of the two commands is needed):

virtualenv /opt/my-envs/hobbitcloud
python3 -m venv /opt/my-envs/hobbitcloud

Install necessary modules:

/opt/my-envs/hobbitcloud/bin/pip install psutil

Install the HVAC module:

/opt/my-envs/hobbitcloud/bin/pip install -U hvac

Install the HVAC Parser:

/opt/my-envs/hobbitcloud/bin/pip install -U hvac[parser]

Containers

List your Docker containers to get the IDs of awx_task and awx_web:

docker ps

This will list your AWX containers. Take a note of the container ID for the awx_task and awx_web containers.

Copy the virtual environment from the host into each container (substitute the container IDs and the environment name accordingly; the destination must be under /var/lib/awx/venv so AWX can find it):

docker cp /opt/my-envs/hobbitcloud 53ced1648e06:/var/lib/awx/venv/hobbitcloud
docker cp /opt/my-envs/hobbitcloud ac7f9867a735:/var/lib/awx/venv/hobbitcloud

In AWX, modify the system configuration (under Settings / System) to list the path of your new environment.
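The steps above as one script, added here as an example and not part of the original post: it builds the venv, installs the modules, resolves the awx_task and awx_web container IDs by name instead of copying them by hand, and checks that the copied interpreter can actually import hvac inside each container (a venv copied between hosts can point at the wrong Python, and this check catches it). It assumes you run it as root on the AWX host with docker and python3 available; the name hobbitcloud and the /opt/my-envs path come from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed: root on the AWX host,
# docker CLI and python3 present. "hobbitcloud" and /opt/my-envs are the post's.
set -eu

VENV_BASE=/opt/my-envs          # where venvs are built on the host
AWX_VENV_DIR=/var/lib/awx/venv  # where AWX expects custom venvs inside containers

host_venv_path() { printf '%s/%s\n' "$VENV_BASE" "$1"; }
container_venv_path() { printf '%s/%s\n' "$AWX_VENV_DIR" "$1"; }

# Refuse names that would change the destination path (empty, slashes, dots, spaces).
valid_venv_name() {
    case "$1" in
        ''|*/*|.|..|*' '*) return 1 ;;
        *) return 0 ;;
    esac
}

# Resolve a container name (awx_task, awx_web) to its ID; fails if none is running.
container_id() {
    docker ps --filter "name=$1" --format '{{.Names}} {{.ID}}' \
        | awk -v n="$1" '$1 == n { print $2 }' | grep -E '^[0-9a-f]+$'
}

# Build the venv on the host and install the modules the post lists.
build_venv() {
    python3 -m venv "$(host_venv_path "$1")"
    "$(host_venv_path "$1")/bin/pip" install -U psutil hvac 'hvac[parser]'
}

# docker cp the venv, then prove the container's interpreter can load the modules.
install_into_container() {
    id=$(container_id "$2")
    docker cp "$(host_venv_path "$1")" "$id:$(container_venv_path "$1")"
    docker exec "$id" "$(container_venv_path "$1")/bin/python" -c 'import hvac, psutil'
}

main() {
    valid_venv_name "$1" || { echo "bad venv name: $1" >&2; return 1; }
    build_venv "$1"
    for c in awx_task awx_web; do install_into_container "$1" "$c"; done
    echo "venv $1 installed; add $(container_venv_path "$1") under Settings / System in AWX"
}

# Only does the real work when asked: RUN_AWX_VENV_SETUP=1 ./setup.sh hobbitcloud
if [ "${RUN_AWX_VENV_SETUP:-0}" = 1 ]; then main "${1:-hobbitcloud}"; fi
```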

That’s it!
