Adding vault KV backed machine credential and prompting for ssh key unlock process is awkward and painful

Open omgjlk opened this issue 5 years ago • 7 comments

ISSUE TYPE
  • Bug Report
SUMMARY

The process to create and configure a machine credential programmatically is kind of awkward. As I understand it, one must:

  • Create a Vault KV credential (must use awx cli, or curl directly)
  • Create a machine credential with minimal data (name, kind, description, org, username) (can use tower_credential, awx cli, or curl directly)
  • Update the machine credential to set credential_input_sources to use the previously created Vault KV credential (must use awx cli or curl directly)
  • Update the machine credential to prompt for ssh key passphrase

This can all work via automation (Ansible itself) the first time though, and it results in a functional credential set. However, the trouble is with the second run of the automation (hey, it should be able to be run a bunch of times, right?). The second step from above is run and results in attempting to edit the machine credential, and seems to attempt to remove the "prompt for ssh key passphrase" setting, but does not remove the configured input source for ssh_key data. This throws an error: Response: {\"inputs\":{\"ssh_key_unlock\":[\"must be set when SSH key is encrypted.\"]}}

ENVIRONMENT
  • AWX version: 7.0.0 (patched with https://github.com/ansible/awx/pull/4807)
  • AWX install method: docker on linux
  • Ansible version: 2.8.4
  • Operating System: Debian Stretch
  • Web Browser: Safari
STEPS TO REPRODUCE

See the above summary.

EXPECTED RESULTS

I would like to be able to automate creation and updating of these credentials. I'd prefer not to have to jump through a bunch of hoops, checking to see if the credential exists before creating it for the first time with empty data.

ACTUAL RESULTS

Errors, unless I only do the initial creation once.

ADDITIONAL INFORMATION

I realize that this is a new feature and functionality, and that I'm making it more complicated by wanting to prompt for the SSH key unlock passphrase. I'm happy to work with developers on testing possible solutions. I can share my automation too if desired, once scrubbed of sensitive data.

omgjlk, Oct 02 '19 02:10