Update of machine credential fails if both ssh key and passphrase are in key vaults

Open Klaas- opened this issue 1 year ago • 5 comments

Please confirm the following

  • [X] I agree to follow this project's code of conduct.
  • [X] I have checked the current issues for duplicates.
  • [X] I understand that AWX is open source software provided for free and that I might not receive a timely response.

Bug Summary

When using an SSH key with a passphrase, saving them both in a vault only works on creation; it won't allow saving the credential after its initial creation.

For simplicity this bug is shown here via UI, but I am also getting an error on the API when I use awx.awx.credential

AWX version

21.13.0

Select the relevant components

  • [ ] UI
  • [X] API
  • [ ] Docs
  • [ ] Collection
  • [ ] CLI
  • [ ] Other

Installation method

kubernetes

Modifications

no

Ansible version

core 2.13.3

Operating system

RHEL8

Web browser

Firefox

Steps to reproduce

  1. Create a machine credential using an SSH key with a passphrase, both coming from a key vault (in my case Azure Key Vault, but I don't think that makes a difference).
  2. Edit the newly created machine credential
  3. Try to save (no need to change anything, just hit save)

Creation will work; subsequent edits and saves via the UI will not be possible.

Expected results

Save works

Actual results

Save is not permitted with error message "must be set when SSH key is encrypted." beneath the Private Key Passphrase field

Additional information

I am guessing https://github.com/ansible/awx/blob/7deddabea60166ca8808509756a080d63cffa97e/awx/main/fields.py#L640

value.get('ssh_key_unlock') only works for strings set in awx directly.

I can use the created credential fine, so it's just a problem with the credential editing/saving part.

Klaas- Mar 20 '23 13:03

Hi @Klaas-, we are so sorry to hear that you are having trouble! It doesn't look like your screenshot came through when this issue was created. Would you mind adding that in so that we can see what that looks like? Thank you for your time!

djyasin Mar 22 '23 17:03

Hi @djyasin, I did not post any screenshots; there is not a lot of information there, it just shows the error while saving in red :) I had someone from IRC/Matrix verify it on their system to make sure it's not just me :)

Klaas- Mar 30 '23 14:03

@Klaas- Thank you for providing this additional clarification. We will do some more investigating around this on our end.

djyasin Apr 26 '23 15:04

@Klaas- Hello, in the latest version of AWX (24.3.1) I have an MS-AKV credential created and I can test both from that credential, and when using lookups to create credentials successfully.

When trying to use a secret from the key vault to be the Private key SSH password, I get an issue when trying to save the newly created Machine Credential, it fails with a "must be set when SSH key is encrypted" error. The Private key (RSA 4096) is not coming from the Key Vault if that matters.

I see you stated that you can create the machine credential but cannot edit it, so I am curious if there is anything special about how this is done to simply create the key, as I cannot get that to successfully work as it keeps throwing the error.

GiuffreLab May 09 '24 17:05

I can't answer that question :) It worked like I described it on 21.13.0 -- but essentially the workaround is either don't use an SSH key password or save it in AWX and not a keyvault.

Klaas- May 09 '24 17:05