
Specifying credentials in workflow nodes fails when template has default credentials configured

Open Endemoniada opened this issue 1 year ago • 1 comments

Summary

I have a template, along with multiple SSH credentials for different environments, and a Vault Key credential. The template is configured to ask for credentials, with our test environment SSH credential pre-configured as default, along with the Vault key, so that you could simply change the default test credential to another environment as needed.

I then want to have a workflow that runs the aforementioned template, and configure the template workflow node with a specific credential. However, when I do this, the creation of that node fails because it isn't allowed to specify multiple credentials of the same type (they also show as radio buttons in AAP GUI), even though the AAP GUI establishes that credential choices should be overridable.

Issue Type

  • Bug Report

Ansible, Collection, Controller details

Ansible Automation Platform Controller 4.5.0

OS / ENVIRONMENT

Red Hat (not my deployment, don't have access to details)

Desired Behavior

It should be possible for workflow nodes to override credentials for a template with "ask credentials" enabled, the same way it's possible in the AAP GUI where it simply changes one for the other when selecting a new credential item of the same type.

Actual Behavior

The workflow node creation fails:

Failed to associate item {'msg': 'Related template already uses test-remoteuser credential.'}

STEPS TO REPRODUCE

These are the important parts of the template and workflow definitions:

name: 'do-stuff template'

# Basic configuration
credentials:
  - 'test-remoteuser'  # type 'Machine'
  - 'Vault Key'  # type 'Vault'

# Options
ask_credential_on_launch: true

name: 'prod workflow'

simplified_workflow_nodes:

  - all_parents_must_converge: false
    identifier: "prod env node"
    unified_job_template: 'do-stuff template'
    inventory: "prod env inventory"
    credentials:
      - 'prod-remoteuser'
      - 'Vault Key'

So, the template configured credentials by default for our "test" environment, but the workflow node would like to change them to the "prod" environment, but it will fail because even though ask_credential_on_launch is enabled and allows the credentials to be changed, it cannot actually change or overwrite existing credentials.

Workaround

I found a workaround for the issue, which is to temporarily edit the templates to not have any configured credentials at all, then run the workflow node creation, then restore the templates. After this, even re-running the workflow configuration passes, because the configuration of the workflow nodes is the same and doesn't need to be changed. Running the workflow also now works as expected: it replaces the default credentials of the template at workflow node start, just like it would if launching the template manually through the AAP GUI or via the API.

Endemoniada, Feb 09 '24 09:02

I believe this is a missing feature in the modules themselves, which we just utilize here, and until it is added at the module level we cannot add this option.

djdanielsson, Feb 14 '24 14:02