
Ansible AWX Secrets

Credentials in Ansible AWX define how AWX authenticates against other systems. They hold the necessary information, such as usernames, passwords, SSH keys, and API tokens. AWX stores the secret fields of a credential encrypted in its database and does not display them again once the credential is saved; the values are only injected into the jobs that are permitted to use that credential.

Provided Credential Types

Ansible AWX ships with many credential types out of the box (Machine, Source Control, cloud providers, and so on). Among those that deal with secret storage and retrieval are:

  • CyberArk Application Identity Manager (AIM)
  • CyberArk Conjur
  • HashiCorp Vault Key-Value Store (KV)
  • HashiCorp Vault SSH Secrets Engine
  • Microsoft Azure Key Vault
  • Ansible Vault

Demo:

  • Create a Vault Credential, Resources -> Credentials -> Add
    • Name: {{ initials }} Nautobot Vault
    • Credential Type: Vault
    • Vault Password: ntc123
  • Save the credential
  • Create the Job Template, Resources -> Templates -> Add -> Add Job Template
    • Name: {{ initials }} Nautobot Vault Job
    • Inventory: Project Inventory
    • Project: ntcu [ssh]
    • Playbook: ansible/job-templates/nautobot-with-vault.yml
    • Credentials:
      • Selected Category: Vault
      • Name: {{ initials }} Nautobot Vault
  • Save the Job Template
  • Launch the Job Template

Provided Credential Types - LAB

Run through the demo yourself, then remove the Vault credential from the Job Template and ensure the job fails: without the Vault password, Ansible cannot decrypt the vaulted data the playbook depends on.

Custom Credential Types

Credential types consist of two key concepts: "inputs" and "injectors".

Inputs define the values that make up this credential, such as a username, a password, a token, or any other identifier that is part of the credential.

Injectors describe how these values are exposed for Ansible to use: as Ansible extra variables, as environment variables, or as templated file content.

Put another way, there is a small data structure that declares which secrets the credential holds, and then a choice of how to output those secrets to the job: as extra_vars, environment variables, or templated file content.

Here are the keys the inputs data structure can contain:

{
  "fields": [{
    "id": "api_token",               # required - a unique name used to
                                     # reference the field value

    "label": "API Token",            # required - a unique label for the
                                     # field

    "help_text": "User-facing short text describing the field.",

    "type": ("string" | "boolean")   # defaults to 'string'

    "choices": ["A", "B", "C"]       # (only applicable to `type=string`)

    "format": "ssh_private_key"      # optional, can be used to enforce data
                                     # format validity for SSH private key
                                     # data (only applicable to `type=string`)

    "secret": true,                  # if true, the field value will be encrypted

    "multiline": false               # if true, the field should be rendered
                                     # as multi-line for input entry
                                     # (only applicable to `type=string`)
},{
    # field 2...
},{
    # field 3...
}],

"required": ["api_token"]            # optional; one or more fields can be marked as required
},

As an example, you can have:

fields:
  - type: string
    id: username
    label: Subscription manager username
  - type: string
    id: password
    label: "Subscription manager password"
    secret: True
required:
  - username
  - password

The injectors data structure accepts three keys, file, env, and extra_vars. Here is an example that uses all three:

---
file:
  template: "[mycloud]\ntoken={{ api_token }}"

env:
  THIRD_PARTY_CLOUD_API_TOKEN: "{{ api_token }}"

extra_vars:
  some_extra_var: "{{ username }}:{{ password }}"

A file injector is rendered into a temporary file that exists for the duration of the job; with a single template entry, its path is available to the playbook as {{ tower.filename }}. Note that marking a field as secret only governs how AWX stores and displays it. Once injected, the value is an ordinary environment variable, extra var, or file inside the job, so set no_log: true on any task that handles it, otherwise a debug or a failed-task message can print it into the job output.

Demo:

  • Create a Credential Type, Administration -> Credential Types -> Add
    • Name: {{ initials }} Nautobot Environment Credential Type
    • Input configuration: the fields definition shown below
    • Injector configuration: the env definition shown below
  • Create a Credential of that type, Resources -> Credentials -> Add
    • Name: {{ initials }} Nautobot Environment
    • Credential Type: {{ initials }} Nautobot Environment Credential Type
    • Token for Nautobot: nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
  • Save the credential
  • Create the Job Template, Resources -> Templates -> Add -> Add Job Template
    • Name: {{ initials }} Nautobot Environment Job
    • Inventory: Project Inventory
    • Project: ntcu [ssh]
    • Playbook: ansible/job-templates/nautobot-with-environment-variables.yml
    • Credentials:
      • Selected Category: {{ initials }} Nautobot Environment Credential Type
      • Name: {{ initials }} Nautobot Environment
  • Save the Job Template
  • Launch the Job Template

Input configuration:

fields:
  - type: string
    id: nautobot_token
    label: "Token for Nautobot"
    secret: True
required:
  - nautobot_token

Injector configuration:

env:
  NAUTOBOT_TOKEN: '{{ nautobot_token }}'

Because the field is marked secret, AWX stores the token encrypted and will not show it again after the credential is saved. During the job run the playbook reads it from the NAUTOBOT_TOKEN environment variable (for example with lookup('env', 'NAUTOBOT_TOKEN')), and the token is absent from the job's environment whenever the credential is not attached to the Job Template.
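The following Python script is an added example, not AWX's own code and not part of this course's repository. It simulates what AWX does with a custom credential type: it validates supplied values against an inputs definition (unknown fields, required fields, type, and choices), expands the env, extra_vars, and file injectors using the Nautobot and "mycloud" definitions from this page, and scans a job log for secret values that a task printed. The `{{ field_id }}` substitution is a regex stand-in for the sandboxed Jinja2 rendering AWX performs, and the sample token and job output are constructed.

```python
# Added example, not AWX code: validate values against an 'inputs' definition,
# expand 'injectors', and check job output for leaked secrets.  The regex below
# is a stand-in for the sandboxed Jinja2 rendering AWX applies to injector
# templates and only handles the plain {{ field_id }} form used on this page.
import re

_PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# Inputs/injectors from the page's Nautobot demo (constructed sample data).
NAUTOBOT_INPUTS = {
    "fields": [{"type": "string", "id": "nautobot_token",
                "label": "Token for Nautobot", "secret": True}],
    "required": ["nautobot_token"],
}
NAUTOBOT_INJECTORS = {"env": {"NAUTOBOT_TOKEN": "{{ nautobot_token }}"}}

# The page's "mycloud" inputs and injectors merged into one type (constructed).
CLOUD_INPUTS = {
    "fields": [
        {"id": "api_token", "label": "API Token", "secret": True},
        {"id": "username", "label": "Subscription manager username"},
        {"id": "password", "label": "Subscription manager password", "secret": True},
    ],
    "required": ["api_token", "username", "password"],
}
CLOUD_INJECTORS = {
    "file": {"template": "[mycloud]\ntoken={{ api_token }}"},
    "env": {"THIRD_PARTY_CLOUD_API_TOKEN": "{{ api_token }}"},
    "extra_vars": {"some_extra_var": "{{ username }}:{{ password }}"},
}


def validate_inputs(inputs, values):
    """Raise ValueError for an unknown field, a missing required field, a wrong
    type, or a value outside the field's choices; return the accepted values."""
    fields = {f["id"]: f for f in inputs["fields"]}
    unknown = sorted(set(values) - set(fields))
    if unknown:
        raise ValueError(f"unknown field(s): {unknown}")
    for fid in inputs.get("required", []):
        if values.get(fid) in (None, ""):
            raise ValueError(f"missing required field: {fid}")
    for fid, val in values.items():
        spec = fields[fid]
        expected = bool if spec.get("type", "string") == "boolean" else str
        if not isinstance(val, expected):
            raise ValueError(f"{fid}: expected {expected.__name__}")
        if "choices" in spec and val not in spec["choices"]:
            raise ValueError(f"{fid}: {val!r} not one of {spec['choices']}")
    return dict(values)


def rejects(inputs, values):
    """True if validate_inputs refuses the values."""
    try:
        validate_inputs(inputs, values)
    except ValueError:
        return True
    return False


def render_injectors(injectors, values):
    """Expand the env, extra_vars and file sections: each {{ field_id }} becomes
    the credential value, as AWX hands it to the job as environment variables,
    extra vars and temporary files (a file path reaches the play as tower.filename)."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"injector references unknown input {name!r}")
        return str(values[name])

    return {section: {key: _PLACEHOLDER.sub(substitute, tmpl)
                      for key, tmpl in injectors.get(section, {}).items()}
            for section in ("env", "extra_vars", "file")}


def find_leaks(inputs, values, job_stdout):
    """Return secret-field values that appear verbatim in job output. 'secret'
    only governs storage and display inside AWX; once injected the value is
    ordinary data in the job, so any task that prints it leaks it."""
    secrets = [values[f["id"]] for f in inputs["fields"]
               if f.get("secret") and values.get(f["id"])]
    return [s for s in secrets if s in job_stdout]


# Constructed job output from a debug task that echoed the injected variable,
# which no_log: true on that task would have suppressed.
SAMPLE_TOKEN = "n" * 40
SAMPLE_STDOUT = ("TASK [Show the token] ******\n"
                 'ok: [localhost] => {\n    "msg": "NAUTOBOT_TOKEN=' + SAMPLE_TOKEN + '"\n}\n')

if __name__ == "__main__":
    accepted = validate_inputs(NAUTOBOT_INPUTS, {"nautobot_token": SAMPLE_TOKEN})
    print(render_injectors(NAUTOBOT_INJECTORS, accepted))
    print("leaked:", find_leaks(NAUTOBOT_INPUTS, accepted, SAMPLE_STDOUT))
```

Run it as is and the leak check reports the constructed token, because the sample task printed the environment variable; the same scan over a real job's stdout, fed with the secret values of the credential the job used, is a quick way to confirm that every task handling the token carries no_log: true.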

Custom Credential Types - LAB

Run through the demo yourself, then remove the credential from the Job Template and ensure the job fails: with no NAUTOBOT_TOKEN injected into the environment, the playbook has no token to authenticate to Nautobot with.