Saving encrypted credentials is another cool feature in Ansible Tower / AWX. By default, there are a lot of custom credential types available, and more are added with each release upgrade. By using these securely saved credentials, you don’t have to put plain-text credentials in your playbooks and scripts.
Using credentials in playbooks and job templates
By default, it is possible to map different credentials to a job template. When you use multiple credentials in one template, you can get these mapped credentials by using the injector env variables. For “network” credentials, for example, you can use the following variables:
```yaml
vars:
  CredUname: '{{ lookup("env", "ANSIBLE_NET_USERNAME") }}'
  CredPW: '{{ lookup("env", "ANSIBLE_NET_PASSWORD") }}'
```
Adding credentials to a Job Template
Create custom credential
If the default credential types are not suitable, you can also add custom credential types.
In this example, I will create a custom credential to integrate AWX with Zabbix.
The input configuration
In this section, you define the variables that need to be filled in when creating a new credential, that is, the fields needed to create a secure credential. The following keys can be used to describe each field:
- id: Your unique field ID for describing the field.
- type: The field type, like: string or int
- label: Just a label for your field.
- secret: Does the value need to be encrypted? Mostly used for sensitive information like passwords, keys or personal data.
- help_text: For giving some more help about the field.
- multiline: If your field needs to be bigger than one line. This is handy for certificates, for example.
Zabbix example:
```yaml
fields:
  - id: ZABBIX_USERNAME
    type: string
    label: Username
  - id: ZABBIX_PASSWORD
    type: string
    label: Password
    secret: true
  - id: ZABBIX_SERVER
    type: string
    label: ZabbixServer
required:
  - ZABBIX_USERNAME
  - ZABBIX_PASSWORD
  - ZABBIX_SERVER
```
The Injector Configuration
In this section, you configure how the variables are used or injected while the playbook is executing. The following keys can be used here:
- env: This will add your values as environment variables into your execution environment. You can use these variables in playbooks or custom Python/PowerShell modules.
```
Playbook: '{{ lookup("env", "ZABBIX_USERNAME") }}'
Python: os.environ.get("ZABBIX_USERNAME")
```
- extra_vars: If defined you can use these variables in your playbooks.
```yaml
"{{ VZABBIX_USERNAME }}"
```
- file: Using the variable as a file in the playbook.
```yaml
"{{ lookup('file', 'FZABBIX_USERNAME') }}"
```
Example:
```yaml
env:
  ZABBIX_SERVER: '{{ ZABBIX_SERVER }}'
  ZABBIX_PASSWORD: '{{ ZABBIX_PASSWORD }}'
  ZABBIX_USERNAME: '{{ ZABBIX_USERNAME }}'
extra_vars:
  VZABBIX_USERNAME: '{{ ZABBIX_USERNAME }}'
  VZABBIX_PASSWORD: '{{ ZABBIX_PASSWORD }}'
  VZABBIX_SERVER: '{{ ZABBIX_SERVER }}'
```
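A consistency check for the input and injector configuration described above, as an added example that is not part of the original post or of AWX itself. The function name, the sensitive-name pattern and the broken sample are assumptions of this example, and the definitions are written as Python dicts instead of YAML so it runs with the standard library only.

```python
import re

# Jinja references such as '{{ ZABBIX_PASSWORD }}' inside injector templates.
JINJA_REF = re.compile(r"\{\{\s*([A-Za-z_]\w*)")
# Assumption of this example: ids containing these words hold sensitive values.
SENSITIVE = re.compile(r"PASS|SECRET|TOKEN|KEY", re.IGNORECASE)


def lint_credential_type(inputs, injectors):
    """Return findings for a custom credential type (input + injector config)."""
    findings = []
    fields = {f["id"]: f for f in inputs.get("fields", [])}
    for fid in inputs.get("required", []):
        if fid not in fields:
            findings.append(f"required: {fid} is not a defined field")
    for fid, field in fields.items():
        if SENSITIVE.search(fid) and not field.get("secret"):
            findings.append(f"fields: {fid} looks sensitive but lacks secret: true")
    for kind, mapping in injectors.items():  # env, extra_vars, file
        for target, template in mapping.items():
            for ref in JINJA_REF.findall(template):
                # 'tower' is AWX's own namespace (e.g. tower.filename), not a field.
                if ref != "tower" and ref not in fields:
                    findings.append(f"{kind}.{target}: references undefined field {ref}")
    return findings


# The Zabbix definition from this page, written as Python dicts.
ZABBIX_INPUTS = {
    "fields": [
        {"id": "ZABBIX_USERNAME", "type": "string", "label": "Username"},
        {"id": "ZABBIX_PASSWORD", "type": "string", "label": "Password", "secret": True},
        {"id": "ZABBIX_SERVER", "type": "string", "label": "ZabbixServer"},
    ],
    "required": ["ZABBIX_USERNAME", "ZABBIX_PASSWORD", "ZABBIX_SERVER"],
}
ZABBIX_INJECTORS = {
    "env": {"ZABBIX_PASSWORD": "{{ ZABBIX_PASSWORD }}"},
    "extra_vars": {"VZABBIX_PASSWORD": "{{ ZABBIX_PASSWORD }}"},
}
# Constructed broken variant: password not secret, injector typo, bad required id.
BROKEN_INPUTS = {
    "fields": [{"id": "ZABBIX_PASSWORD", "type": "string", "label": "Password"}],
    "required": ["ZABBIX_PASSWORD", "ZABBIX_SERVER"],
}
BROKEN_INJECTORS = {"env": {"ZABBIX_PASSWORD": "{{ ZABBIX_PASWORD }}"}}

if __name__ == "__main__":
    print(lint_credential_type(ZABBIX_INPUTS, ZABBIX_INJECTORS))
    for finding in lint_credential_type(BROKEN_INPUTS, BROKEN_INJECTORS):
        print(finding)
```

Running the check before saving a credential type catches a password field that would be stored and displayed unencrypted, and an injector that would render an empty value at job run time.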