Inventory Plugin ignores ANSIBLE_AZURE_AUTH_SOURCE, AZURE_CLIENT_ID env variables
SUMMARY
When setting the environment variable ANSIBLE_AZURE_AUTH_SOURCE, the inventory plugin ignores the setting and reverts to using the auto auth source, which, if nothing else is set, reverts to cli.
Also, when setting auth_source: msi we should also be able to set the AZURE_CLIENT_ID environment variable to tell the auth mechanism which user-assigned identity to use (if multiple are set) when authenticating with managed identities.
ISSUE TYPE
- Bug Report
COMPONENT NAME
plugin: azure.azcollection.azure_rm
ANSIBLE VERSION
ansible 2.9.27
config file = /opt/ansible-repo/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /opt/stackstorm/virtualenvs/ansible/lib/python3.8/site-packages/ansible
executable location = /opt/stackstorm/virtualenvs/ansible/bin/ansible
python version = 3.8.10 (default, Sep 28 2021, 16:10:42) [GCC 9.3.0]
COLLECTION VERSION
v1.10.0
CONFIGURATION
ANSIBLE_PIPELINING(/opt/ansible-repo/ansible.cfg) = True
COLLECTIONS_PATHS(/opt/ansible-repo/ansible.cfg) = ['/root/.ansible/collections', '/opt/ansible-repo/collections']
DEFAULT_FORKS(/opt/ansible-repo/ansible.cfg) = 50
DEFAULT_HOST_LIST(/opt/ansible-repo/ansible.cfg) = ['/opt/ansible-repo/hosts']
DEFAULT_LOOKUP_PLUGIN_PATH(/opt/ansible-repo/ansible.cfg) = ['/root/.ansible/plugins/lookup', '/usr/share/ansible/plugins/lookup', '/opt/ansible-repo/lookup_plugins']
DEFAULT_ROLES_PATH(/opt/ansible-repo/ansible.cfg) = ['/root/.ansible/roles', '/opt/ansible-repo/roles']
DEFAULT_SCP_IF_SSH(/opt/ansible-repo/ansible.cfg) = True
DEFAULT_TIMEOUT(/opt/ansible-repo/ansible.cfg) = 30
HOST_KEY_CHECKING(/opt/ansible-repo/ansible.cfg) = False
HOST_PATTERN_MISMATCH(/opt/ansible-repo/ansible.cfg) = ignore
INVENTORY_ENABLED(/opt/ansible-repo/ansible.cfg) = ['amazon.aws.aws_ec2', 'amazon.aws.aws_rds', 'azure.azcollection.azure_rm', 'constructed', 'ini', 'yaml', 'host_list']
RETRY_FILES_SAVE_PATH(/opt/ansible-repo/ansible.cfg) = /root
OS / ENVIRONMENT
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal
STEPS TO REPRODUCE
Inventory Plugin Example
---
plugin: azure.azcollection.azure_rm
# auth_source: cli # Set this with environment variable ANSIBLE_AZURE_AUTH_SOURCE
include_vm_resource_groups:
  - '*'
hostnames:
  - default
exclude_host_filters:
  - powerstate != 'running'
hostvar_expressions:
  ansible_host: private_ipv4_addresses | first
Environment Variables
export ANSIBLE_AZURE_AUTH_SOURCE=msi
export AZURE_CLIENT_ID=<user assigned client id>
Playbook
---
- hosts: all
  tasks:
    - name: Ping hosts
      ping:
EXPECTED RESULTS
I would expect the inventory plugin to use MSI authentication with the AZURE_CLIENT_ID specified in the environment variable.
ACTUAL RESULTS
MSI authentication is being ignored and it fails to find any authentication mechanisms if the azure cli is not logged in.
Using /opt/ansible-repo/ansible.cfg as config file
[WARNING]: * Failed to parse /opt/ansible-repo/inventory/ops-az/azure_rm.yml with ansible_collections.azure.azcollection.plugins.inventory.azure_rm plugin: Failed to get credentials. Either pass as parameters, set environment
variables, define a profile in ~/.azure/credentials, or log in with Azure CLI (`az login`).
The same problem exists with auth_source: env. Setting environment variables AZURE_CLIENT_ID, AZURE_SECRET, AZURE_TENANT and AZURE_SUBSCRIPTION_ID leads to warning messages and then reverts to cli auth, as mentioned above.
Tested with ansible 2.12.1 and azcollection 1.10.0
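A preflight check for the behaviour reported above, as an added example that is not part of the original report or the collection's code: it stops a run when the intended auth source exists only in ANSIBLE_AZURE_AUTH_SOURCE, so the inventory cannot silently fall back to whatever identity the Azure CLI is logged in as. The function names are hypothetical, and the script assumes auth_source appears as an unquoted top-level key in the inventory file.

```shell
#!/bin/sh
# Added example. inventory_auth_source and azure_auth_preflight are
# hypothetical helper names, not part of azure.azcollection.

# Print the uncommented, top-level auth_source value of an inventory file.
# Assumption: the value is unquoted (auth_source: msi).
inventory_auth_source() {
    sed -n 's/^auth_source:[[:space:]]*\([A-Za-z_]*\).*$/\1/p' "$1" | head -n 1
}

# Exit codes:
#   0  the inventory file pins the auth source and the environment agrees
#   1  the intent exists only in ANSIBLE_AZURE_AUTH_SOURCE, which the report
#      says the inventory plugin ignores (it would use "auto" instead)
#   2  the inventory file and the environment name different auth sources
#   3  nothing is pinned anywhere, so the plugin chooses for itself
azure_auth_preflight() {
    file_src=$(inventory_auth_source "$1")
    env_src=${ANSIBLE_AZURE_AUTH_SOURCE:-}
    if [ -z "$file_src" ] && [ -z "$env_src" ]; then
        echo "no auth source pinned in $1 or the environment" >&2
        return 3
    fi
    if [ -z "$file_src" ]; then
        echo "ANSIBLE_AZURE_AUTH_SOURCE=$env_src is set, but $1 has no auth_source" >&2
        return 1
    fi
    if [ -n "$env_src" ] && [ "$env_src" != "$file_src" ]; then
        echo "mismatch: inventory says $file_src, environment says $env_src" >&2
        return 2
    fi
    if [ "$file_src" = "msi" ] && [ -z "${AZURE_CLIENT_ID:-}" ]; then
        # Not an error: only matters when several user-assigned identities exist.
        echo "note: msi without AZURE_CLIENT_ID, no identity selected explicitly" >&2
    fi
    return 0
}

# Usage (path is a placeholder):
#   azure_auth_preflight inventory/azure_rm.yml && ansible-playbook ...
```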
Hi, any news on this? On azure.azcollection 1.12.0 this problem seems to be still there.
Thanks
@testotxt #713 still needs to be improved, it can't be merged yet! Thank you very much!
@Fred-sun, I've added test cases to the PR. Can we review it again to see if we can merge this in? Thanks!