# AWX Tower Secret Plugin

This example uses the HashiCorp Vault Secret Lookup credential plugin in AWX Tower.

Note: There are two ways to retrieve HashiCorp Vault secrets from AWX Tower. For the other option, see Ansible Lookup.

See this example terraform repository to set up AppRole authentication so that Ansible can connect to Vault.
## Vault Policies

Teams are responsible for setting up policies that give Ansible access to specific secrets or paths. Use this terraform or the following CLI commands to create a policy that can read any secret under secret/ansible/*. Depending on which lookup module you use, one of two different paths will be needed (the KV v2 API inserts `data/` after the mount, so the Tower plugin and the hashi_vault lookup need the `secret/data/...` path, while vault_kv2_get takes the logical path):
```shell
vault policy write approle_ansible_access_policy - <<EOF
# Required path for community.hashi_vault.hashi_vault & Tower HashiCorp Vault Secret Lookup
path "secret/data/ansible/*" {
  capabilities = ["read"]
}
# Required path for community.hashi_vault.vault_kv2_get lookup
path "secret/ansible/*" {
  capabilities = ["read"]
}
EOF
```
## AppRole

For Ansible to connect to Vault, it must authenticate. One option is an AppRole. To create an AppRole, run this terraform or use the following CLI command, attaching the policy you created in the previous step:
```shell
vault write auth/approle/role/ansible \
  token_policies="default,approle_ansible_access_policy"
```
## role_id & secret_id

Ansible uses a role_id and a secret_id to authenticate to Vault. The example terraform automatically displays the role_id, and you can run `terraform output secret_id` to obtain the secret_id. For production, the following CLI commands should be used instead, so that the secret_id is not stored in the terraform state:
```shell
# Read role-id
vault read auth/approle/role/ansible/role-id
# Create a secret-id
vault write -f auth/approle/role/ansible/secret-id
```
## AWX Tower Integration

1. Navigate to AWX Tower > Credentials > Add.
2. Fill out the following information (all other fields can be left blank):
    - Name: e.g. secm_hcp_plugin_credential
    - Description: e.g. Approle for AWX plugin to connect to Vault
    - Organization: your team's AWX Tower organization
    - Credential Type: HashiCorp Vault Secret Lookup
    - Server URL: https://hcp-vault-private-vault-fc507e0d.5d5b1f21.z1.hashicorp.cloud:8200
    - AppRole role_id: the role_id retrieved from Vault in the previous section
    - AppRole secret_id: the secret_id retrieved from Vault in the previous section
    - Namespace name: admin/CESI or admin/CESI/subteam (e.g. admin/secm or admin/iam/appsec)
    - Path to Auth: approle
    - API Version: v2
3. Click the Test button to test the credential.
4. You can now use this plugin to retrieve secret values for other credential types. The following steps are for the UMN custom Single Secret credential type, but the plugin can be used for other credential types as well.
5. Navigate to AWX Tower > Credentials > Add.
6. Fill out the following information (all other fields can be left blank):
    - Name: e.g. secm_hcp_plugin_credential
    - Description: e.g. Approle for AWX plugin to connect to Vault
    - Organization: your team's AWX Tower organization
    - Credential Type: Single Secret Credential
    - single_secret: click the key icon, then
        - select the name of the plugin credential created in step 2
        - Path to Secret: secret/ansible/test
        - Key Name: pizza
7. Associate the credential created in step 6 with your Tower template.
8. Use this example playbook to print the test credential.
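As an added illustration (not code from the original page or from the AWX plugin itself), the following shows what the plugin's lookup does over Vault's HTTP API: an AppRole login under the configured namespace, then a KV v2 read of one key. It also makes visible why the policy path above carries `data/` while the "Path to Secret" value does not. The Vault address, namespace, role_id/secret_id and the sample response are assumed or constructed.

```python
import json
import urllib.request


def kv2_api_path(mount: str, secret_path: str) -> str:
    """Map a KV v2 logical path to the API path the plugin actually reads.

    KV v2 inserts 'data/' after the mount, which is why the policy for the
    Tower plugin must grant read on secret/data/ansible/*, not secret/ansible/*.
    """
    mount, secret_path = mount.strip("/"), secret_path.strip("/")
    if secret_path.startswith(mount + "/"):      # tolerate 'secret/ansible/test'
        secret_path = secret_path[len(mount) + 1:]
    return f"{mount}/data/{secret_path}"


def extract_secret_key(response: dict, key: str) -> str:
    """Pull one key out of a KV v2 read response (note the nested data.data)."""
    try:
        return response["data"]["data"][key]
    except KeyError as exc:
        raise KeyError(f"key {key!r} not present in KV v2 response") from exc


def approle_login(addr: str, namespace: str, role_id: str, secret_id: str) -> str:
    """Exchange role_id + secret_id for a client token (Path to Auth = approle)."""
    req = urllib.request.Request(
        f"{addr}/v1/auth/approle/login",
        data=json.dumps({"role_id": role_id, "secret_id": secret_id}).encode(),
        headers={"Content-Type": "application/json", "X-Vault-Namespace": namespace},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["auth"]["client_token"]


def read_kv2_key(addr: str, namespace: str, token: str,
                 secret_path: str, key: str, mount: str = "secret") -> str:
    """Equivalent of 'Path to Secret' + 'Key Name' in the Single Secret credential."""
    req = urllib.request.Request(
        f"{addr}/v1/{kv2_api_path(mount, secret_path)}",
        headers={"X-Vault-Token": token, "X-Vault-Namespace": namespace},
    )
    with urllib.request.urlopen(req) as resp:
        return extract_secret_key(json.load(resp), key)


# Constructed sample of a KV v2 read response, shaped like Vault's real output.
SAMPLE_RESPONSE = {"data": {"data": {"pizza": "pepperoni"}, "metadata": {"version": 1}}}
```

Against a live server, `read_kv2_key(addr, "admin/secm", approle_login(addr, "admin/secm", role_id, secret_id), "secret/ansible/test", "pizza")` returns the same value the Single Secret credential above injects into the playbook.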