Tags: django, ansible, hashicorp-vault, ansible-awx

AWX + Hashicorp Vault django.request Bad Request


In order to improve AWX management for my team, I'm currently trying to configure HashiCorp Vault credentials, but I'm having some errors and doubts.

Usually, in the Ansible projects I run from a Debian server, I set up Vault secrets using lookups like this (works in a vars file or within vars:):

### Vault Configuration
# token obtained outside the code (AppRole login), read from the environment
ansible_hashi_vault_token="{{ lookup('env','VAULT_ANSIBLE') }}"

# KV v2 read of the secret 'my_secret' mounted at 'kv/'
my_secret="{{ lookup('community.hashi_vault.vault_kv2_get', 'my_secret', engine_mount_point='kv/', token=ansible_hashi_vault_token) }}"

#### Credentials (Ansible service account) ####
ansible_user="{{ my_secret.secret.ansible_user_from_vault }}"

Ansible looks for an environment variable called 'VAULT_ANSIBLE', which holds the token resulting from an AppRole login to my Vault server. This allows running playbooks without writing any token into the code.

Now, after adding the project in AWX, I'm trying to make the Vault part work:

  1. I created a credential with the HashiCorp Vault Secret Lookup type, as you can see here; I simply added the Server URL + Token for testing. [screenshot of the credential form]

  2. When I click on Test, no matter which secret I want to retrieve, I always get this error: [screenshot of the error]

Here are my questions:

I saw on many forums that people create custom Credential Types, then use an injector to use the Vault lookup.

Thanks a lot for your help, Gael

EDIT 12 12 2023: Found the logs (using kubectl logs my-pod) corresponding to the credential test. It seems to be a Django Bad Request, but I don't know how to investigate that:

2023-12-12 14:40:40,628 WARNING  [4fdf7cfc36804499b34fa50a28369fb7] awx.api.generics status 400 received by user admin attempting to access /api/v2/credentials/5/test/ from 10.10.10.10
2023-12-12 14:40:40,635 WARNING  [4fdf7cfc36804499b34fa50a28369fb7] django.request Bad Request: /api/v2/credentials/5/test/
2023-12-12 14:40:40,635 WARNING  [4fdf7cfc36804499b34fa50a28369fb7] django.request Bad Request: /api/v2/credentials/5/test/
10.10.10.10 - - [12/Dec/2023:14:40:40 +0000] "POST /api/v2/credentials/5/test/ HTTP/1.1" 400 21 "https://my-awx.net/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0" "10.230.173.133"
[pid: 23|app: 0|req: 228/1089] 172.20.245.206 () {72 vars in 2440 bytes} [Tue Dec 12 14:40:40 2023] POST /api/v2/credentials/5/test/ => generated 21 bytes in 76 msecs (HTTP/1.1 400) 14 headers in 598 bytes (1 switches on core 0)

Solution

  • After many tests and troubleshooting, I finally ended up with a working solution:

    1. I provided the root + intermediate certificate as a PEM file in the credential settings (be careful to have the correct cert, in the correct order, in PEM format: intermediate + root).


    I performed some other tests without the certificate and got an SSLError every time.

    2. Don't forget to select v2 for the API version in the credential settings.

    Conclusion: you should provide your custom CA, either as content or as a file, in the credential settings.
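A preflight check for the solution above, added here as an example (it is not part of the original answer and not AWX code): it loads the PEM bundle through OpenSSL the way the credential test will, reports whether a self-signed root CA is present, and can reproduce the verified TLS handshake against the Vault server. The Vault host name, port and the sample PEM text are constructed placeholders.

```python
import re
import socket
import ssl

# One match per certificate block in a PEM bundle.
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def inspect_ca_bundle(pem_text):
    """Load the bundle through OpenSSL, as the credential test will, and
    describe what it contains. Returns (ok, message)."""
    blocks = PEM_CERT.findall(pem_text)
    if not blocks:
        return False, "no CERTIFICATE blocks found (is this really a PEM certificate file?)"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # empty trust store, no system CAs
    try:
        ctx.load_verify_locations(cadata=pem_text)
    except ssl.SSLError as exc:
        return False, f"OpenSSL rejected the bundle: {exc}"
    cas = ctx.get_ca_certs()  # only certificates carrying the CA flag are listed
    roots = [c for c in cas if c["subject"] == c["issuer"]]
    if not roots:
        return False, f"{len(cas)} CA cert(s) loaded but no self-signed root: the root CA is missing"
    msg = f"{len(cas)} CA cert(s): {len(roots)} root, {len(cas) - len(roots)} intermediate"
    if len(cas) < len(blocks):
        msg += f"; {len(blocks) - len(cas)} block(s) are not CA certs (a server leaf cert?)"
    return True, msg


def probe_vault_tls(host, port=8200, ca_bundle_pem=None, timeout=5):
    """Reproduce the TLS handshake the credential test performs against Vault,
    with the pasted bundle as the only trust anchor. Returns (ok, message)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies chain and host name
    if ca_bundle_pem:
        ctx.load_verify_locations(cadata=ca_bundle_pem)
    else:
        ctx.load_default_certs()  # without the custom CA a private PKI fails with SSLError
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return True, f"verified; server cert issued by {issuer.get('commonName')}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate verification failed: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1]).read()  # the bundle you intend to paste into AWX
    print(inspect_ca_bundle(pem))
    print(probe_vault_tls(sys.argv[2], ca_bundle_pem=pem))  # host is a placeholder, e.g. vault.example.internal
```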