Enabling HashiCorp Vault Lookups in Ansible AWX – Part 2

Earlier in the year, I wrote about how to create a Python virtual environment on Ansible AWX to run the HashiCorp lookup module.

The last task is to create the credentials to support the Vault lookup, followed by configuring the necessary variables in the inventory.

Credentials

Now that we have created our virtual environment and configured it in the system settings, we need to create our HashiCorp credentials.

To do this, select the Credential Types from the left-hand menu and create a new one. Give it a name and use the following input configuration:

fields:
  - id: vault_server
    type: string
    label: URL for Vault Server
  # AppRole authentication needs a role ID and a secret ID; the secret ID
  # is marked secret so AWX encrypts it at rest and masks it in the UI
  - id: vault_role_id
    type: string
    label: Vault Role ID
  - id: vault_secret_id
    type: string
    label: Vault Secret ID
    secret: true
required:
  - vault_server
  - vault_role_id
  - vault_secret_id

Use the following for the injector configuration:

env:
  VAULT_ADDR: '{{ vault_server }}'
  VAULT_ROLE_ID: '{{ vault_role_id }}'
  VAULT_SECRET_ID: '{{ vault_secret_id }}'

When complete, click Save.

Please note: in the examples above I am using an AppRole in Vault.

Again, on the left-hand menu, create a new credential and set the type to the one you created above. Give it a name, select the organization, and enter the Vault address, role ID and secret ID. Finally, click Save.
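Before saving a custom credential type it is worth checking that the input configuration and the injectors agree with each other, since AWX will only complain at job time if an injector references a field that was never defined. The following check is an added example and not part of the original post or of AWX; it assumes the input configuration and injectors are written out as Python dictionaries with the same fields/required/env structure as the YAML pasted into AWX.

```python
"""Consistency check for an AWX custom credential type (added example)."""
import re

# matches the {{ field_id }} references used in AWX injector templates
JINJA_REF = re.compile(r"\{\{\s*([A-Za-z_]\w*)\s*\}\}")


def check_credential_type(inputs, injectors):
    """Return a list of problems; an empty list means the definition is consistent."""
    problems = []
    fields = {f["id"]: f for f in inputs.get("fields", [])}

    # every id listed under 'required' must exist in 'fields'
    for req in inputs.get("required", []):
        if req not in fields:
            problems.append(f"required field '{req}' is not defined in fields")

    # every {{ name }} used by an injector must be a defined field, and a
    # secret field must not be injected as extra_vars (visible in job output)
    used = set()
    for section, mapping in injectors.items():
        for key, template in mapping.items():
            for ref in JINJA_REF.findall(str(template)):
                used.add(ref)
                if ref not in fields:
                    problems.append(f"injector {section}.{key} references undefined field '{ref}'")
                elif section == "extra_vars" and fields[ref].get("secret"):
                    problems.append(f"secret field '{ref}' is exposed via extra_vars ({key})")

    # a field that is never injected is dead configuration
    for fid in fields:
        if fid not in used:
            problems.append(f"field '{fid}' is defined but never injected")
    return problems


# Constructed sample: the AppRole credential type from this post
APPROLE_INPUTS = {
    "fields": [
        {"id": "vault_server", "type": "string", "label": "URL for Vault Server"},
        {"id": "vault_role_id", "type": "string", "label": "Vault Role ID"},
        {"id": "vault_secret_id", "type": "string", "label": "Vault Secret ID", "secret": True},
    ],
    "required": ["vault_server", "vault_role_id", "vault_secret_id"],
}
APPROLE_INJECTORS = {"env": {
    "VAULT_ADDR": "{{ vault_server }}",
    "VAULT_ROLE_ID": "{{ vault_role_id }}",
    "VAULT_SECRET_ID": "{{ vault_secret_id }}",
}}

if __name__ == "__main__":
    for problem in check_credential_type(APPROLE_INPUTS, APPROLE_INJECTORS):
        print("PROBLEM:", problem)
```

Run against a definition whose fields block declares a token while the required list and injectors expect a role ID and secret ID, the check reports the undefined required fields, the undefined injector references and the unused token field.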

Inventory

The last piece of the puzzle is to enable the actual lookup. Our Vault is configured with the following path:

creds/production/{{ inventory_hostname }}

Under Production, there is a secret for each Ansible host, and each secret has a key for the Administrator/root password.

Create an inventory and add some hosts. You may find it easier to group these.

Either at the individual host or group level, add the following variable string to enable lookups to HashiCorp Vault (substitute accordingly):

# build the secret path with ~ rather than nesting {{ }} inside the lookup string
ansible_become_password: "{{ lookup('hashi_vault', 'secret=creds/production/' ~ inventory_hostname ~ ':Password') }}"
ansible_become_method: su

I have a group for my Linux hosts and have applied it there.

To verify it works correctly create a template in AWX using the following playbook:

- hosts: Linux
  gather_facts: true
  tasks:
    - name: Upgrade all yum packages
      yum:
        name: "*"
        state: latest
      become: yes

Important: as well as selecting the machine credential you normally connect to machines with, you also need to select the HashiCorp credential you created above.

Please note: set your template to Check unless you want all your packages to update!

Your template (playbook) will now run, and when the time comes to “become” root, AWX will reach out to Vault to retrieve the root credential and proceed.

Happy automating!!
