AWX / AAP Integration
Vault Setup
Vault Policies
Teams are responsible for setting up policies that give Ansible access to specific secrets or paths. Use this terraform or the following CLI commands to set up a policy allowing reads of any secrets under secret/ansible/*. Depending on which lookup you use, one of two different paths is needed, so the policy grants both:
vault policy write approle_ansible_access_policy - <<EOF
# Required path for community.hashi_vault.hashi_vault & Tower HashiCorp Vault Secret Lookup
path "secret/data/ansible/*" {
capabilities = ["read"]
}
# Required path for community.hashi_vault.vault_kv2_get lookup
path "secret/ansible/*" {
capabilities = ["read"]
}
EOF
AppRole
To create an approle, run this terraform or use the following CLI command and associate the policy that you created in the last step:
vault write auth/approle/role/ansible \
token_policies="default,approle_ansible_access_policy"
role_id & secret_id
Ansible will use a role_id and secret_id to authenticate to Vault. The example terraform will automatically display the role_id, and you can run terraform output secret_id to obtain the secret_id. For production, the following CLI commands should likely be used instead so the secret_id is not stored in the terraform state.
# Read role-id
vault read auth/approle/role/ansible/role-id
# Create a secret-id
vault write -f auth/approle/role/ansible/secret-id
AWX / AAP Setup
Use one of these methods to integrate with AWX/AAP.
AWX / AAP Credential
This example utilizes the HashiCorp Vault Secret Lookup AWX Tower credential plugin.
1. Navigate to AWX Tower > Credentials > Add.
2. Fill out the following information (all other fields can be left blank):
   - Name: e.g. secm_hcp_plugin_credential
   - Description: e.g. Approle for AWX plugin to connect to Vault
   - Organization: your team's AWX Tower organization
   - Credential Type: HashiCorp Vault Secret Lookup
   - Server URL: https://hcp-vault-private-vault-fc507e0d.5d5b1f21.z1.hashicorp.cloud:8200
   - AppRole role_id: the role_id retrieved from Vault when creating the approle
   - AppRole secret_id: the secret_id retrieved from Vault when creating the approle
   - Namespace name: admin/ followed by your team's namespace path (e.g. admin/secm or admin/iam/appsec)
   - Path to Auth: approle
   - API Version: v2
3. Click the Test button to test the credential.
4. You can now use this plugin to retrieve secret values for other credential types. The following steps are for the UMN custom Single Secret credential type, but this can be used for other credential types as well.
5. Navigate to AWX Tower > Credentials > Add.
6. Fill out the following information (all other fields can be left blank):
   - Name: e.g. secm_hcp_plugin_credential
   - Description: e.g. Approle for AWX plugin to connect to Vault
   - Organization: your team's AWX Tower organization
   - Credential Type: Single Secret Credential
   - single_secret: click the key icon and select the name of the plugin credential created in step 2
   - Path to Secret: secret/ansible/test
   - Key Name: pizza
7. Associate the newly created credential from step 6 with your tower template.
8. Use this example playbook to print the test credential.
Ansible Community Collection
This example utilizes the community.hashi_vault Ansible collection.
Note: to run locally with user permissions, see this article.
1. Navigate to AWX Tower > Credentials > Add.
2. Fill out the following information:
   - Name: e.g. secm_hcp_credential
   - Description: e.g. Approle for ansible to connect to Vault
   - Organization: your team's AWX Tower organization
   - Credential Type: UMN HCP Vault
   - ansible_hashi_vault_role_id: the role_id retrieved from Vault in the previous section
   - ansible_hashi_vault_secret_id: the secret_id retrieved from Vault in the previous section
   - ansible_hashi_vault_namespace: admin/CESI or admin/CESI/subteam (e.g. admin/secm or admin/iam/appsec)
3. Associate the newly created credential with your tower template.
4. Select the devex-ee Execution Environment for your template (it has the community.hashi_vault collection and other prerequisites).
5. Use the community.hashi_vault Ansible collection. See this example playbook.
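As an added example (not the page's own example playbook), this play reads the test secret used above, secret/ansible/test with key pizza, first with the hashi_vault lookup and then with vault_kv2_get, which is why the policy in the Vault Policies section must grant both secret/data/ansible/* and secret/ansible/*. It assumes the UMN HCP Vault credential injects ansible_hashi_vault_role_id, ansible_hashi_vault_secret_id and ansible_hashi_vault_namespace as playbook variables; vault_url is a hypothetical variable set to the Server URL above.

```yaml
- name: Read secret/ansible/test (key pizza) with both community.hashi_vault styles
  hosts: localhost
  gather_facts: false
  vars:
    # Hypothetical variable: the Vault Server URL from the credential section.
    vault_url: "https://hcp-vault-private-vault-fc507e0d.5d5b1f21.z1.hashicorp.cloud:8200"
    # Assumed to be injected by the UMN HCP Vault credential type:
    #   ansible_hashi_vault_role_id, ansible_hashi_vault_secret_id, ansible_hashi_vault_namespace
  tasks:
    - name: hashi_vault lookup takes the raw KV v2 API path (note the data/ segment), so it needs secret/data/ansible/*
      ansible.builtin.set_fact:
        pizza_via_lookup: >-
          {{ lookup('community.hashi_vault.hashi_vault', 'secret/data/ansible/test:pizza',
                    url=vault_url, auth_method='approle',
                    role_id=ansible_hashi_vault_role_id,
                    secret_id=ansible_hashi_vault_secret_id,
                    namespace=ansible_hashi_vault_namespace) }}
      no_log: true   # keep the secret out of job output

    - name: vault_kv2_get takes mount + logical path and adds data/ itself, so it needs secret/ansible/*
      community.hashi_vault.vault_kv2_get:
        url: "{{ vault_url }}"
        auth_method: approle
        role_id: "{{ ansible_hashi_vault_role_id }}"
        secret_id: "{{ ansible_hashi_vault_secret_id }}"
        namespace: "{{ ansible_hashi_vault_namespace }}"
        engine_mount_point: secret
        path: ansible/test
      register: kv2
      no_log: true

    - name: Both reads return the same value for key pizza
      ansible.builtin.assert:
        that: pizza_via_lookup == kv2.secret.pizza
        fail_msg: "lookup and vault_kv2_get disagree; check policy paths and namespace"
```

If either task fails with a 403, compare the path it requested against the two path blocks in approle_ansible_access_policy; a policy that grants only one of the two forms will work for one task and deny the other.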