
Greetings everyone, I've recently started messing with Ansible (in particular Ansible Tower). I ran into an issue using secure values in my playbook; more accurately, I didn't understand how to use them correctly.

Compared to Chef-Infra, you could use data_bags in order to store your secure credentials. You create a data bag:

knife data bag create testDataBag 

You would create a json file for a data bag item:

{
    "id": "preproduction",
    "user": "user1",
    "password": "this-is-a-password"
}

Upload it to the Chef server while encrypting it with a secret file (which exists on the target server):

knife data bag from file testDataBag .\testDataBag\preproduction.json --secret-file .\secret-file

and then you can use it in your cookbook:

userinfo = data_bag_item('testDataBag', 'preproduction')  # item id must be a string
userinfo['user'] # "user1"
userinfo['password'] # "this-is-a-password"

An example use case - configuring the password for a Linux user.

userinfo = data_bag_item('testDataBag', 'preproduction')  # item id must be a string
user userinfo['user'] do
  comment 'A random user'
  home "/home/#{userinfo['user']}"
  shell '/bin/bash'
  # pass the value itself, not the literal string "userinfo['password']";
  # the user resource expects a shadow-format (hashed) password here
  password userinfo['password']
end

I know this is a lot of information but I just wanted to show how I'm used to using secure credentials. Back to Ansible, I understood there is an ansible-vault tool which I can use to encrypt a variable file that can later be used in a playbook. Sadly the only examples I've seen (or maybe I just didn't notice) include only running playbooks from the command line, which is not something I do.

I have a playbook in my GIT repository which is connected to a project in my Ansible Tower. What do I need to do in order to get to the point I can use a variable which contains the password?

  • Is the encryption the same, i.e. done with ansible-vault?
  • Where do I store the encrypted files? (Specifically in Ansible Tower)
  • How do I store the vault passwords (the one you use to decrypt a vault-id)?
  • How do I access them in my playbook?

I've looked into those links but I couldn't find anything interesting:

https://docs.ansible.com/ansible/latest/user_guide/vault.html

https://docs.ansible.com/ansible/latest/user_guide/playbooks_vault.html

https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html#variables-and-vaults

And in the Ansible Tower documentation there is no explanation on how and where to store your vault-ids.

If any more information is needed please tell me, I'll update my post.

Thanks everyone!

Yehonatan G

Basically: you encrypt your data with ansible-vault, either entire yaml files or files or templates or individual values in a yaml file. You use those resources as before but you have to provide the vault password to decrypt them. For the command line, the password is provided as a command option, an environment var, a password file or a dynamic executable script. For AWX/Tower, you can store the pass as a credential and pass it to a job. Apart from the AWX part which is quite trivial, everything is explained in depth in the docs you linked above – Zeitounator Sep 06 '20 at 21:03

1 Answer

As far as I know you have two options to achieve this in AWX/Tower, depending on where you want those secrets stored.

  1. Create a vault within your project/GIT repo
  • Use the "ansible-vault create" command and select a password
  • Save the credentials within the vault in yaml format and commit/push the changes to git
  • In your playbook add an include_vars for your vault file and commit/push to git
  • In Tower create a credential, select type=Vault and add the password for your vault
  • On your Tower template add the credential you created earlier
  2. Use a custom credential type (this will not save the creds in git at all, they will just live on Tower/AWX)
  • Create a new custom credential type with an injector configuration type of "extra_vars" and the credentials you want to include as variables in your playbook.
  • Then create a credential based on the new credential type you created in the previous step.
  • Now assign that credential to your template, and those variables will just be available in your playbook run.

Here are the details on how to create a custom credential type

https://docs.ansible.com/ansible-tower/latest/html/userguide/credential_types.html

Kenneth.M

Great concise answer, which is somehow not easy to find in the Ansible / Tower documentation. – ws6079 Feb 25 '21 at 15:29
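The two options from the answer written out as concrete files, as an added example that is not part of the original answer or of the Ansible project's own documentation. The variable names app_user/app_password, the path vars/vault.yml and the credential type labels are assumptions; the playbook reproduces the Chef "configure a Linux user" use case from the question.

```yaml
# vars/vault.yml, contents BEFORE running `ansible-vault encrypt vars/vault.yml`.
# Only the encrypted file is committed; the Tower job template carries a
# credential of type "Vault" holding the password used to decrypt it.
# Variable names are assumed for this example:
#   app_user: user1
#   app_password: this-is-a-password
---
# playbook.yml (option 1 from the answer: vault file lives in the git repo)
- name: Configure a Linux user from vault-stored credentials
  hosts: all
  become: true
  tasks:
    - name: Load the vault-encrypted variables
      ansible.builtin.include_vars:
        file: vars/vault.yml

    - name: Ensure the user exists with the stored password
      ansible.builtin.user:
        name: "{{ app_user }}"
        comment: A random user
        home: "/home/{{ app_user }}"
        shell: /bin/bash
        # the user module expects a crypted hash, not the clear-text value
        password: "{{ app_password | password_hash('sha512') }}"
        # password_hash salts anew each run; only set it on creation so the
        # task stays idempotent
        update_password: on_create
      no_log: true   # keep the password out of the job's stdout
---
# Option 2 from the answer: custom credential type entered in the Tower UI.
# "Input configuration" field of the credential type:
fields:
  - id: app_user
    type: string
    label: Application user
  - id: app_password
    type: string
    label: Application password
    secret: true
required:
  - app_user
  - app_password
---
# "Injector configuration" field of the same credential type. With this
# attached to the job template, app_user/app_password arrive as extra_vars
# and the include_vars task above is no longer needed.
extra_vars:
  app_user: "{{ app_user }}"
  app_password: "{{ app_password }}"
```

With option 2 the values are still visible to anyone who can read the job's extra_vars, so keep `no_log: true` on the tasks that consume them.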