
Vault encrypted secrets in the inventory source not working when nested in lists #2226

Closed
aldobongio opened this issue Sep 5, 2018 · 5 comments


@aldobongio

ISSUE TYPE
  • Bug Report
COMPONENT NAME
  • API
SUMMARY

Experimenting with #223 I noticed a strange behaviour related to vaulted variables on lists, where the decryption is not performed. The behaviour can be observed on AWX only: running the playbook directly on Ansible the decryption works.

ENVIRONMENT
  • AWX version: 1.0.7.2
  • AWX install method: docker on linux
  • Ansible version: 2.6.2
  • Operating System: Ubuntu 18.04
  • Web Browser:
STEPS TO REPRODUCE

I have a host vars file with the same secret in 3 different situations:

password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  35626564383635616564393862313733656232303436633532313137313238653964363263386336
  3766633032643332666465663730336536333531633730320a303761666136643366373436636430
  65396637613439383761356130663161396533326637353335623333353964383832353566313366
  3038653039306136650a643735376563666363376661313561623337666238613832656636643463
  3234
foo:
  password: !vault |
    $ANSIBLE_VAULT;1.1;AES256
    35626564383635616564393862313733656232303436633532313137313238653964363263386336
    3766633032643332666465663730336536333531633730320a303761666136643366373436636430
    65396637613439383761356130663161396533326637353335623333353964383832353566313366
    3038653039306136650a643735376563666363376661313561623337666238613832656636643463
    3234
bar:
  baz:
  - password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      35626564383635616564393862313733656232303436633532313137313238653964363263386336
      3766633032643332666465663730336536333531633730320a303761666136643366373436636430
      65396637613439383761356130663161396533326637353335623333353964383832353566313366
      3038653039306136650a643735376563666363376661313561623337666238613832656636643463
      3234

A simple playbook can be run, with 3 debug tasks:

- hosts: all
  tasks:
    - debug:
        msg: 'password {{ password }}'
    - debug:
        msg: 'foo.password: {{ foo.password }}'
    - debug:
        msg: "bar.baz[0].password: {{ bar.baz[0].password }}"
EXPECTED RESULTS

The expected result, obtained using plain Ansible 2.6.2 without AWX, is the following:

TASK [debug] ***********************************************************************************************************
ok: [myhost] => {
    "msg": "password MyPassword"
}

TASK [debug] ***********************************************************************************************************
ok: [myhost] => {
    "msg": "foo.password: MyPassword"
}

TASK [debug] ***********************************************************************************************************
ok: [myhost] => {
    "msg": "bar.baz[0].password: MyPassword"
}

ACTUAL RESULTS

The result obtained by running the 3 tasks on a Job Template from AWX is the following, and the problem seems related to the vaulted variable nested in the list:

TASK [debug] *******************************************************************
ok: [myhost] => {
    "msg": "password MyPassword"
}
TASK [debug] *******************************************************************
ok: [myhost] => {
    "msg": "foo.password: MyPassword"
}
TASK [debug] *******************************************************************
ok: [myhost] => {
    "msg": "bar.baz[0].password: {u'__ansible_vault': u'$ANSIBLE_VAULT;1.1;AES256\\n35626564383635616564393862313733656232303436633532313137313238653964363263386336\\n3766633032643332666465663730336536333531633730320a303761666136643366373436636430\\n65396637613439383761356130663161396533326637353335623333353964383832353566313366\\n3038653039306136650a643735376563666363376661313561623337666238613832656636643463\\n3234'}"
}
ADDITIONAL INFORMATION

While waiting for a fix, a workaround to force the decryption of the 3rd password would be appreciated.

@AlanCoding
Member

I have a host vars file with the same secret in 3 different situations:

Would you mind providing more detail on your directory structure? I'm reading that you probably put a host_vars folder next to your playbook. If that's the case, then I don't yet see how anything could behave differently for the Ansible CLI versus AWX, but there are probably some details I'm missing.

@aldobongio
Author

Hi Alan, I just managed to create a minimal example able to reproduce the problem.
On AWX (1.0.7.2):

Create a project:

Create an inventory:

  • Name=Bug 2226

Add an inventory source to the previous inventory:

  • Name=Bug2226
  • Source=Sourced from a project
  • Project=Bug2226
  • Inventory File=bug2226/inventory.yml

Start sync on the project

Create a vault credential:

  • Name=Bug2226
  • Type=Vault
  • Password=foobar

Create a new job template:

  • Name=Bug
  • Inventory=Bug2226
  • Project=Bug2226
  • Playbook=bug2226/playbooks/bug.yml
  • Credential:
    • type=Vault
    • credential=Bug2226

Run the Job Template from AWX. The console output is:

Vault password: 
PLAY [Bug 2226] ****************************************************************
TASK [debug] *******************************************************************
ok: [server1.example.com -> localhost] => {
    "msg": "password MyPassword"
}
TASK [debug] *******************************************************************
ok: [server1.example.com -> localhost] => {
    "msg": "foo.password: MyPassword"
}
TASK [debug] *******************************************************************
ok: [server1.example.com -> localhost] => {
    "msg": "bar.baz[0].password: {u'__ansible_vault': u'$ANSIBLE_VAULT;1.1;AES256\\n62626238623631313934373630383033336436343761333530613666343761343466623634376235\\n3937653030643639653962656263663139376432323732370a396639623666323161613532383834\\n66303766353763393563386533656264613864653938626432353464383339336635383364316139\\n6265356234313065300a336462626231396561343835323563333232363038326232653534643735\\n6136\\n'}"
}
PLAY RECAP *********************************************************************
server1.example.com        : ok=3    changed=0    unreachable=0    failed=0   

Instead, if you run it from the command line using (note: foobar is the vault password)

git clone https://github.com/aldobongio/awx-bug-2226.git
cd bug2226
ansible-playbook -i inventory.yml -l server1.example.com playbooks/bug.yml --ask-vault-pass

you get the correct output:

PLAY [Bug 2226] *****************************************************************************************************************************************************************************************************************************

TASK [debug] ********************************************************************************************************************************************************************************************************************************
ok: [server1.example.com -> localhost] => {
    "msg": "password MyPassword"
}

TASK [debug] ********************************************************************************************************************************************************************************************************************************
ok: [server1.example.com -> localhost] => {
    "msg": "foo.password: MyPassword"
}

TASK [debug] ********************************************************************************************************************************************************************************************************************************
ok: [server1.example.com -> localhost] => {
    "msg": "bar.baz[0].password: MyPassword"
}

PLAY RECAP **********************************************************************************************************************************************************************************************************************************
server1.example.com        : ok=3    changed=0    unreachable=0    failed=0

I hope this can help you in tracking the problem.

@AlanCoding
Member

Thank you for that very detailed information. Proposed fix up at:

ansible/ansible#45514

This doesn't necessarily belong in the AWX issue queue; once I dug in, I was able to replicate the issue via the command line. The usage difference between your CLI use and AWX use is that AWX goes through a YAML->JSON conversion of the variables. Indeed, when you give this data as JSON, the Ansible CLI fails to decrypt it. This is why use inside of AWX hit the bug whereas the direct CLI use did not.
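
The YAML->JSON conversion described above, as an added example that is not AWX's or Ansible's own code and not the fix in ansible/ansible#45514: the `__ansible_vault` marker key is the one visible in the job output earlier in this issue, but the exact JSON shape AWX emits is an assumption, and the `restore_vault_values` walker is a stand-in for the variable loader, with a `recurse_into_lists` switch that reproduces the reported behaviour (dict values restored, list elements left as plain dicts). The ciphertext is the first vault blob from the bug report; `parse_vault_envelope` splits the 1.1/AES256 envelope into salt, HMAC and ciphertext, and `hmac_matches` checks the envelope's integrity tag the way `ansible-vault` derives its keys (PBKDF2-HMAC-SHA256, 10000 iterations, 80 bytes), without performing the AES decryption itself. `undecrypted_paths` lists which values would still reach the play as raw `{'__ansible_vault': ...}` dicts, which is the symptom seen in the third debug task.

```python
"""Restore vault-encrypted values in AWX-style JSON host vars, including inside lists."""
import hashlib
import hmac
import json
from binascii import unhexlify

VAULT_KEY = "__ansible_vault"          # marker key seen in the issue's job output
VAULT_HEADER = "$ANSIBLE_VAULT;1.1;AES256"

# The first vault blob from the bug report, as a single string.
VAULT_TEXT = (
    "$ANSIBLE_VAULT;1.1;AES256\n"
    "35626564383635616564393862313733656232303436633532313137313238653964363263386336\n"
    "3766633032643332666465663730336536333531633730320a303761666136643366373436636430\n"
    "65396637613439383761356130663161396533326637353335623333353964383832353566313366\n"
    "3038653039306136650a643735376563666363376661313561623337666238613832656636643463\n"
    "3234"
)

# Constructed sample (assumed shape): the issue's host vars after a YAML->JSON
# conversion, where every `!vault` scalar became a {"__ansible_vault": ...} dict.
AWX_JSON = json.dumps({
    "password": {VAULT_KEY: VAULT_TEXT},
    "foo": {"password": {VAULT_KEY: VAULT_TEXT}},
    "bar": {"baz": [{"password": {VAULT_KEY: VAULT_TEXT}}]},
})


def load_awx_vars():
    """Parse the constructed JSON as the job would receive it."""
    return json.loads(AWX_JSON)


class VaultEncrypted(str):
    """Marker type: a value the vault layer still has to decrypt."""


def is_vault_dict(value):
    return isinstance(value, dict) and list(value) == [VAULT_KEY]


def restore_vault_values(value, recurse_into_lists=True):
    """Return a copy in which every vault dict becomes a VaultEncrypted marker.

    recurse_into_lists=False mimics the behaviour reported in this issue: values
    nested only through dicts are restored, list elements are left untouched.
    """
    if is_vault_dict(value):
        return VaultEncrypted(value[VAULT_KEY])
    if isinstance(value, dict):
        return {k: restore_vault_values(v, recurse_into_lists) for k, v in value.items()}
    if isinstance(value, list) and recurse_into_lists:
        return [restore_vault_values(v, recurse_into_lists) for v in value]
    return value


def undecrypted_paths(value, path="$"):
    """Paths of vault dicts left unrestored, i.e. what would print as a raw dict."""
    if is_vault_dict(value):
        return [path]
    found = []
    if isinstance(value, dict):
        for k, v in value.items():
            found.extend(undecrypted_paths(v, "%s.%s" % (path, k)))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            found.extend(undecrypted_paths(v, "%s[%d]" % (path, i)))
    return found


def parse_vault_envelope(vault_text):
    """Split a 1.1/AES256 envelope into (salt bytes, hmac hex, ciphertext bytes).

    The body is hex; decoding it yields "salt_hex\\nhmac_hex\\nciphertext_hex".
    """
    header, _, body = vault_text.strip().partition("\n")
    if header != VAULT_HEADER:
        raise ValueError("unsupported vault header: %r" % header)
    inner = unhexlify("".join(body.split()))
    salt_hex, hmac_hex, ciphertext_hex = inner.split(b"\n", 2)
    return unhexlify(salt_hex), hmac_hex, unhexlify(ciphertext_hex)


def hmac_matches(vault_text, password):
    """Verify the envelope's HMAC-SHA256 using the second 32 bytes of the
    80-byte PBKDF2-HMAC-SHA256 output (key1 | key2 | iv), as ansible-vault does."""
    salt, hmac_hex, ciphertext = parse_vault_envelope(vault_text)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000, dklen=80)
    key2 = derived[32:64]
    expected = hmac.new(key2, ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, unhexlify(hmac_hex))


if __name__ == "__main__":
    data = load_awx_vars()
    print("dict-only restore leaves:", undecrypted_paths(restore_vault_values(data, False)))
    print("full restore leaves:    ", undecrypted_paths(restore_vault_values(data)))
    salt, tag, ct = parse_vault_envelope(VAULT_TEXT)
    print("salt=%d bytes, hmac=%d hex chars, ciphertext=%d bytes" % (len(salt), len(tag), len(ct)))
```

Running the block prints `['$.bar.baz[0].password']` for the dict-only walk and an empty list for the full walk, which matches the three debug tasks in the report: only the list-nested value arrives undecrypted. The 16-byte ciphertext is one padded AES block, consistent with a short secret such as the `MyPassword` shown in the expected output.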

@AlanCoding
Member

Looks like Ansible core devs have agreed on the solution. Fix should be landing in development Ansible soon.

@AlanCoding
Member

Fix was merged into development Ansible, and is slated for 2.8 release.
