 

Does Ansible expose its auto-discovered Python interpreter?

Tags: python, ansible

tl;dr: Does Ansible have a variable containing the current Python interpreter?

As part of my playbook, I am creating a Python script on the controller (to be run by another command), and I want that script to be run by the Python interpreter being used by Ansible. To do this I am trying to set the interpreter in the shebang of the script.

If I were to set the interpreter manually, I could use the ansible_python_interpreter variable (and I have had it working that way). If I don't set the interpreter manually, then Ansible will auto-discover an interpreter, but I can no longer use the ansible_python_interpreter variable because it is not set.

From looking through the documentation I have been unable to find any way to see which interpreter Ansible has auto-detected. Is there something I've missed?

(Ansible version 2.9.10, Python 3.6)


The complete situation:

I am running Ansible on AWX (open-source Ansible Tower), using a custom virtual environment as the runner. I use Hashicorp Vault as a secret management system, rather than keeping secrets in AWX. For access to Vault I use short-lived access tokens, which doesn't work well with AWX's built-in support for pulling secrets from Vault, so instead I do it manually (so that I can supply a Vault token at job launch time). That works well for me, generally.

In this particular case, I am running ansible-vault (yes, there are too many things called 'vault') on the controller to decrypt a secret. I am using the --vault-password-file argument to supply the decryption password via a script. Since the virtual env that I am using already has the hvac package installed, I wish to just use a brief Python script to pull the password from Hashicorp Vault. All works fine, except that I can't figure out how to set the shebang on this script to point at the virtual environment that Ansible is using.

If I can't get a useable answer to this, I suppose I can change to instead pull the password directly into Ansible and then use the --ask-vault-pass flag to pass the password that way. It just seems to me that the interpreter should really be exposed somewhere by Ansible, so I'm trying that first.

lxop asked Jul 21 '20 21:07


1 Answer

As described in Special Variables, the ansible_playbook_python variable holds the path to the Python interpreter being used by Ansible on the controller.

Moon answered Sep 23 '22 09:09
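The setup from the question built on the variable named in the answer, as an added example that is not part of the original question or answer: the password script gets its shebang from ansible_playbook_python, is owner-only, and is removed even if decryption fails. The variables vault_addr and vault_token, the file locations, and the secret path and key name are assumptions.

```yaml
# Added example. vault_addr / vault_token are hypothetical variables supplied
# at job launch; paths, secret path and key name are hypothetical as well.
- hosts: localhost
  connection: local
  gather_facts: false
  vars:
    pw_script: "{{ playbook_dir }}/.vault_pass.py"        # hypothetical location
    encrypted_file: "{{ playbook_dir }}/secret.yml"       # hypothetical file
  tasks:
    - block:
        - name: Write the password script with the controller's interpreter as shebang
          copy:
            dest: "{{ pw_script }}"
            mode: "0700"          # owner-only: ansible-vault executes it as a program
            content: |
              #!{{ ansible_playbook_python }}
              import os
              import hvac

              # The token is read from the environment, never written into the file.
              client = hvac.Client(url=os.environ["VAULT_ADDR"],
                                   token=os.environ["VAULT_TOKEN"])
              secret = client.secrets.kv.v2.read_secret_version(path="ansible/vault-pass")
              print(secret["data"]["data"]["password"])

        - name: Decrypt the secret using the script as the vault password file
          command: >-
            ansible-vault view
            --vault-password-file {{ pw_script }}
            {{ encrypted_file }}
          environment:
            VAULT_ADDR: "{{ vault_addr }}"
            VAULT_TOKEN: "{{ vault_token }}"
          register: decrypted
          changed_when: false
          no_log: true            # keep the token and the plaintext out of job output

      always:
        - name: Remove the password script, also when decryption failed
          file:
            path: "{{ pw_script }}"
            state: absent
```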