Ansible Tower: Run tower-cli asking for vault pass - ansible

I'm working with Ansible Tower and using Vault credential.
When I launch it using the graphical interface of Ansible Tower (I add the credential when it's prompted), it works well.
When I try with the tower-cli line, I get this message:
{"failed": true, "msg": "Decryption failed (no vault secrets would found that could decrypt)"
I found that I need to add something like --ask-vault-pass, but it is listed as an unknown argument when I add it to my tower-cli line, so it works only with the ansible-playbook command.
How can I ask for the vault password with tower-cli?
Thanks in advance.

Please take note that there is a difference between Ansible Engine (the command line tools ansible for ad-hoc commands and ansible-playbook for executing playbooks) and Ansible Tower. According to the documentation, Ansible Tower is
a GUI and REST interface for Ansible that supercharges it by adding RBAC, centralized logging, autoscaling/provisioning callbacks, graphical inventory editing, and more ... tower-cli is a command line tool for Ansible Tower. It allows Tower commands to be easily run from the Unix command line.
As you have already found out
I need to add something like --ask-vault-pass but it is listed as an unknown argument when I add it to my tower-cli ... it works only with the ansible-playbook command
this is the expected behavior.
The solution lies in the way you have described:
When I launch it using the graphical interface of Ansible Tower (I add the credential when it's prompted), it works well
For further automation you will need to configure your Ansible Tower credential store and set up a credential of type Vault. Based on the password stored there, AWX will forward the vault password to Ansible Engine. Ansible Engine will then use that password to unlock the vault and your playbook can run.
Further Q&A
Ansible AWX / Tower - Use Vault credential in playbook
Ansible Tower - How to pass Machine credentials as an extra vars to the job template?
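The non-interactive equivalent of the workflow the answer describes, written in Python against the AWX/Tower v2 REST API (an added example, not code from the question, the answer or the tower-cli project): the Vault password is stored once as a credential of type Vault, that credential is associated with the job template, and the template is then launched without any prompt. The Tower host, the API token, the organization and job-template ids and the credential name are assumptions read from environment variables; the endpoint paths are the standard AWX v2 routes for credential types, credentials, job-template credential association and launch.

```python
"""Store an Ansible Vault password as a Tower/AWX credential and launch a job
template without being prompted. Added example; host, token and ids are
assumptions supplied through environment variables."""
import json
import os
import urllib.request
from urllib.parse import urljoin


class TowerClient:
    """Minimal AWX/Tower v2 API client built on the standard library only."""

    def __init__(self, base_url, token):
        self.base_url = base_url.rstrip("/") + "/"
        self.token = token  # assumed: an AWX OAuth2 / personal access token

    def request(self, method, path, payload=None):
        url = urljoin(self.base_url, path.lstrip("/"))
        data = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"Bearer {self.token}")
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            body = resp.read()
        return json.loads(body) if body else {}


def find_vault_credential_type_id(client):
    """The built-in 'Vault' credential type is the one whose kind is 'vault'."""
    page = client.request("GET", "/api/v2/credential_types/?kind=vault")
    return page["results"][0]["id"]


def vault_credential_payload(name, organization_id, credential_type_id,
                             vault_password, vault_id=None):
    """Body for POST /api/v2/credentials/. The password goes into Tower's
    credential store (encrypted at rest), never onto a command line."""
    inputs = {"vault_password": vault_password}
    if vault_id:  # only needed when the playbook uses --vault-id labels
        inputs["vault_id"] = vault_id
    return {"name": name, "organization": organization_id,
            "credential_type": credential_type_id, "inputs": inputs}


def create_vault_credential(client, **fields):
    return client.request("POST", "/api/v2/credentials/",
                          vault_credential_payload(**fields))


def attach_credential(client, job_template_id, credential_id):
    """Associate an existing credential with a job template."""
    return client.request(
        "POST", f"/api/v2/job_templates/{job_template_id}/credentials/",
        {"id": credential_id})


def launch_job_template(client, job_template_id):
    """Launch the template; with the Vault credential attached, Tower hands
    the password to Ansible Engine, so no prompt occurs."""
    return client.request(
        "POST", f"/api/v2/job_templates/{job_template_id}/launch/", {})


if __name__ == "__main__":
    # All of these are assumptions; set them for your own Tower instance.
    client = TowerClient(os.environ["TOWER_HOST"], os.environ["TOWER_TOKEN"])
    ct_id = find_vault_credential_type_id(client)
    cred = create_vault_credential(
        client, name="playbook-vault",
        organization_id=int(os.environ["TOWER_ORG_ID"]),
        credential_type_id=ct_id,
        vault_password=os.environ["VAULT_PASSWORD"])
    jt_id = int(os.environ["TOWER_JOB_TEMPLATE_ID"])
    attach_credential(client, jt_id, cred["id"])
    print(launch_job_template(client, jt_id)["id"])
```

The same three calls are what tower-cli performs for you once the credential exists; the point is that the secret lives in Tower's credential store and the launch step carries no password at all.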

Related

Using Ansible AWX deployed via docker to setup Kerberos

I am using Ansible AWX for the first time. My goal is to use AWX for pinging a Dev VM. When I used WSL Ubuntu, I was able to configure my Kerberos config file by typing sudo nano /etc/krb5.conf.
Here is how my file looks:
[libdefaults]
default_realm=PACIFIC.NXTTRAVEL.COM
allow_weak_crypto=true
dns_lookup_realm=true
dns_lookup_kdc=true
rdns=false
ticket_lifetime=24h
renew_lifetime=7d
forwardable=true
forward=true
[realms]
NXTTRAVEL.COM={
kdc=us03p01v00v0077.PACIFIC.NXTTRAVEL.COM
admin_server=us03p01v00v0077.PACIFIC.NXTTRAVEL.COM
}
[domain_realm]
.pacific.NXTTRAVEL.com=PACIFIC.NXTTRAVEL.COM
pacific.NXTTRAVEL.com=PACIFIC.NXTTRAVEL.COM
I am unable to identify how I would do this using AWX. I reviewed the documentation and understood I will be setting up credentials of type machine, but I am unsure how the other configuration here is supposed to be done using AWX. Can someone please provide me a hint?
Solution:
Docker runs AWX itself.
But when you launch a job template AWX talks to receptor.
Receptor spins up a container from your EE and then runs the playbook inside the EE container.
So you can create a custom EE based off the default one with anything additional required for Kerberos (like your conf file).
Then add the EE into AWX and apply it to your job template. Now when AWX runs the playbook, receptor will start your new EE with the krb5.conf file installed.
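Before baking a krb5.conf into a custom execution environment it is worth checking it, since a broken file only surfaces as a Kerberos failure inside the container. The following Python checker is an added example (not part of the question or the solution above): it parses the krb5.conf posted in the question (embedded here as sample input, with the allow_weak_crypto key spelled correctly) and reports the two things a reviewer would flag in it: weak crypto is enabled, and default_realm as well as both [domain_realm] entries point at a realm (PACIFIC.NXTTRAVEL.COM) that has no [realms] stanza, so KDC discovery silently falls back to DNS. The parser handles only the section / key=value / REALM={ ... } subset of the format that the posted file uses.

```python
"""Parse a krb5.conf and lint it for common misconfigurations.
Added example; the sample below is the file posted in the question."""

SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm=PACIFIC.NXTTRAVEL.COM
allow_weak_crypto=true
dns_lookup_realm=true
dns_lookup_kdc=true
rdns=false
ticket_lifetime=24h
renew_lifetime=7d
forwardable=true
forward=true
[realms]
NXTTRAVEL.COM={
kdc=us03p01v00v0077.PACIFIC.NXTTRAVEL.COM
admin_server=us03p01v00v0077.PACIFIC.NXTTRAVEL.COM
}
[domain_realm]
.pacific.NXTTRAVEL.com=PACIFIC.NXTTRAVEL.COM
pacific.NXTTRAVEL.com=PACIFIC.NXTTRAVEL.COM
"""


def parse_krb5_conf(text):
    """Return {section: {key: value | {subkey: value}}} for the
    [section] / key=value / NAME={ ... } subset of krb5.conf syntax."""
    config = {}
    section = None
    subsection = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            config.setdefault(section, {})
            subsection = None
            continue
        if section is None:
            raise ValueError(f"key/value outside any section: {line!r}")
        if line == "}":
            subsection = None
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"cannot parse line: {line!r}")
        key, value = key.strip(), value.strip()
        if value == "{":  # start of a REALM={ ... } block
            subsection = key
            config[section][key] = {}
            continue
        target = config[section][subsection] if subsection else config[section]
        target[key] = value
    return config


def lint_krb5_conf(config):
    """List human-readable findings; an empty list means nothing flagged."""
    findings = []
    libdefaults = config.get("libdefaults", {})
    realms = config.get("realms", {})
    if libdefaults.get("allow_weak_crypto", "false").lower() in ("true", "yes"):
        findings.append("allow_weak_crypto=true enables DES/RC4-era enctypes; "
                        "drop it unless a legacy KDC forces it")
    default_realm = libdefaults.get("default_realm")
    if default_realm and default_realm not in realms:
        findings.append(f"default_realm {default_realm} has no [realms] stanza; "
                        "KDC discovery falls back to DNS (dns_lookup_kdc)")
    for domain, realm in sorted(config.get("domain_realm", {}).items()):
        if realm not in realms:
            findings.append(f"[domain_realm] maps {domain} to {realm}, "
                            "which has no [realms] stanza")
    return findings


if __name__ == "__main__":
    for finding in lint_krb5_conf(parse_krb5_conf(SAMPLE_KRB5_CONF)):
        print("-", finding)
```

Run it against the file you intend to copy into the EE image; once the realm stanza is named PACIFIC.NXTTRAVEL.COM and the weak-crypto line is gone, the checker returns no findings.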

libssh vs paramiko - ios_facts are different when running Ansible playbooks

I have a playbook I am writing that automates the install of firmware to our fleet of C2960Xs.
I recently moved the location of the Ansible server I am using from my homelab to a VM in Azure. We have security rules on our sites to only allow remote connection on a specific non-default port. After reading, I discovered that means I need to use libssh and not paramiko for remote commands.
I have a specific task I am running, and when running it returns:
fatal: [HOSTNAME]: FAILED! => {
"msg": "The conditional check 'ansible_net_filesystems_info['flash:'].spacefree_kb > firmware_image_size' failed. The error was: error while evaluating conditional (ansible_net_filesystems_info['flash:'].spacefree_kb > firmware_image_size): 'ansible_net_filesystems_info' is undefined"
}
I then compared the 'before' and 'after' for what facts are being stored at the beginning of the playbook. I found that using Paramiko, I seem to have a TON more detail compared to the facts being gathered via libssh.
One of which being the variable ansible_net_filesystems_info that my playbook references.
Is there a workaround for this process? The idea being to verify there is free space on the switch before moving an archive to the switch for unzipping.
Under the cisco.ios.ios_facts documentation, you can specify the types of facts you want to pull. I added the line:
gather_subset: all

Is it possible to upgrade Ansible itself with the modules of Ansible?

I came across code like this:
- pip: name=ansible version=<ansible_version> extra_args='--ignore-installed'
During my test I confirmed the upgrade of the Ansible version.
I also tried this with the raw module:
- raw: pip install ansible==<ansible_version>
but the tasks following it fail during playbook execution. There are various types of errors:
ImportError: cannot import name AnsiblePlugin
TypeError: mkdtemp() takes at most 4 arguments (5 given)
...
or playbook execution even hangs on next task.
I wonder whether it is really possible to upgrade the version of Ansible from an ansible-playbook execution itself. Would it be possible by reloading the Ansible core modules somehow after the Ansible version upgrade?
Ansible can be upgraded via the pip module of Ansible itself, but any subsequent tasks might fail after the upgrade; this is natural behavior.
The only exception is a remote host. If your installation or upgrade of Ansible is performed by an Ansible task which is executed on a remote host, it would proceed without causing a failure, because in this scenario the actual installation of Ansible is done on the remote host without updating any configuration of Ansible on localhost.

AWS CLI giving InvalidClientTokenId error when Ansible is running well

I have the following set-up:
A script updatecreds.py runs, which updates AWS credentials in my Ansible creds file using STS.
Now, I took those creds to run AWS-related tasks in Ansible, and they run smoothly. But, the CLI commands give me an error.
When I use the same credentials in the ~/.aws/config file, I get the following error when executing CLI commands: A client error (InvalidClientTokenId) occurred when calling the ListAccessKeys operation: The security token included in the request is invalid.
As some of my Ansible tasks run shell commands which are AWS cli commands, this behaviour is messing with my Ansible run too.
Why is AWS behaving so weirdly? Or did I do something wrong here?
PS : My ~/.aws/config looks like this:
[default]
aws_access_key_id=<>
aws_secret_access_key=<>
aws_session_token=<>
region=us-east-1
There is confusion between the session token and security token terms; see this issue.
To make both boto and aws cli work correctly, duplicate them:
[default]
aws_access_key_id=KEY
aws_secret_access_key=SECRET
aws_session_token=TOKEN
aws_security_token=TOKEN
region=REGION
Try without
aws_session_token=<>
Mine works fine with only aws_access_key_id and aws_secret_access_key in ~/.aws/credentials
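Whether the last answer's advice applies depends on the kind of key: a long-term access key (AKIA... prefix) needs no token, while the temporary credentials that updatecreds.py obtains from STS (ASIA... prefix) are rejected with InvalidClientTokenId unless the matching session token is sent too. The following Python helper is an added example, not the poster's updatecreds.py: it writes an STS-style credential set into a profile with the token under both names, as the accepted answer suggests, creates the file owner-readable only, and offers a check for the usual causes of the error. The STS response embedded below is constructed sample data, and the file path and profile name are assumptions.

```python
"""Write temporary STS credentials into an INI-style AWS credentials file in a
form both boto and the AWS CLI accept, and check a profile for the usual
InvalidClientTokenId causes. Added example; sample data is constructed."""
import configparser
import os
import stat

# Constructed sample shaped like the "Credentials" object that
# sts:GetSessionToken / sts:AssumeRole return. Placeholder values only.
SAMPLE_STS_CREDENTIALS = {
    "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "SessionToken": "EXAMPLEsessionTOKENvalue",
    "Expiration": "2001-01-01T00:00:00Z",
}


def write_aws_profile(path, creds, profile="default", region=None):
    """Replace one profile in the credentials file, keeping any others.
    Temporary credentials need the token under both names: aws_session_token
    (AWS CLI, newer boto) and aws_security_token (older boto)."""
    cfg = configparser.ConfigParser()
    cfg.read(path)  # silently a no-op if the file does not exist yet
    if cfg.has_section(profile):
        cfg.remove_section(profile)
    cfg.add_section(profile)
    cfg.set(profile, "aws_access_key_id", creds["AccessKeyId"])
    cfg.set(profile, "aws_secret_access_key", creds["SecretAccessKey"])
    token = creds.get("SessionToken")
    if token:
        cfg.set(profile, "aws_session_token", token)
        cfg.set(profile, "aws_security_token", token)
    if region:
        cfg.set(profile, "region", region)
    # Create the file owner-read/write only before any secret is written.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)  # also tighten a pre-existing, looser file
    return dict(cfg[profile])


def check_profile(path, profile="default"):
    """Return a list of problems that typically lead to InvalidClientTokenId
    or to a credentials file leaking to other local users."""
    cfg = configparser.ConfigParser()
    cfg.read(path)
    if not cfg.has_section(profile):
        return [f"profile {profile!r} not found in {path}"]
    sec = cfg[profile]
    problems = []
    key = sec.get("aws_access_key_id", "")
    session = sec.get("aws_session_token")
    security = sec.get("aws_security_token")
    if key.startswith("ASIA") and not session:
        problems.append("temporary key (ASIA...) without aws_session_token")
    if session and security and session != security:
        problems.append("aws_session_token and aws_security_token differ")
    if session and not security:
        problems.append("aws_security_token missing (needed by older boto)")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"{path} is readable by group/others (mode {mode:o})")
    return problems


if __name__ == "__main__":
    # Assumed location; the question's file was ~/.aws/config instead.
    target = os.path.expanduser("~/.aws/credentials")
    write_aws_profile(target, SAMPLE_STS_CREDENTIALS, region="us-east-1")
    print(check_profile(target) or "profile looks consistent")
```

Running check_profile after each refresh from STS catches the two states that produced the error in the question: a temporary key written without its token, or a token written under only one of the two names.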

Is there any Ansible remote client for control machine?

Ansible, unlike Chef and Puppet, uses agentless runs.
I would like to know whether there is any Ansible remote client, so that we can connect to a fleet of Ansible control machines to execute Ansible playbooks on their respective targets.
I am looking for a command line client similar to the following:
ansible-execute hostname_of_control_machine username_of_control_machine password_of_control_machine inventory_file playbook_name
Please suggest one, if any exists.
There is nothing preventing you from using Ansible to run Ansible on other machines. The Python API might be a good place to start, as you can get programmatic control over the initial Ansible runner.
You can do this with SSH:
ssh username@controlmachine 'ansible-playbook yourPlaybook.yml'
