How to use existing Vault files in Ansible Tower

Tags: ansible, ansible-tower

I want to import existing inventories that I have previously used with Ansible (standalone) including group_vars and vault files into Ansible Tower (3.2.0).

However, it doesn't seem to work once Vault files come into play. Once I've setup the Vault password file credential and create the inventory using source type "Sourced from a Project" – I can't select the Vault credential under "Source Details".

[Screenshot: Credentials dialog under "Source Details"]

When I manually put it in and save the source – the sync fails with the following error:

    1.735 INFO     Updating inventory 10: TEST
    1.753 DEBUG    Using system install of ansible-inventory CLI: /usr/bin/ansible-inventory
    1.753 INFO     Reading Ansible inventory source: /var/lib/awx/projects/_6__ansible_master/inventories/test/hosts
    1.754 DEBUG    Using private credential data in '/tmp/awx_123_LXUj9p'.
    1.755 DEBUG    Using fresh temporary directory '/tmp/awx_proot_ZURWmR' for isolation.
    1.755 DEBUG    Running from `/var/lib/awx/projects/_6__ansible_master/inventories/test` working directory.
    Traceback (most recent call last):
      File "/usr/bin/awx-manage", line 9, in <module>
        load_entry_point('awx==3.2.0', 'console_scripts', 'awx-manage')()
      File "/lib/python2.7/site-packages/awx/__init__.py", line 107, in manage
      File "/var/lib/awx/venv/awx/lib/python2.7/site-packages/django/core/management/__init__.py", line 354, in execute_from_command_line
        utility.execute()
      File "/var/lib/awx/venv/awx/lib/python2.7/site-packages/django/core/management/__init__.py", line 346, in execute
        self.fetch_command(subcommand).run_from_argv(self.argv)
      File "/var/lib/awx/venv/awx/lib/python2.7/site-packages/django/core/management/base.py", line 394, in run_from_argv
        self.execute(*args, **cmd_options)
      File "/var/lib/awx/venv/awx/lib/python2.7/site-packages/django/core/management/base.py", line 445, in execute
        output = self.handle(*args, **options)
      File "/var/lib/awx/venv/awx/lib/python2.7/site-packages/django/core/management/base.py", line 661, in handle
        return self.handle_noargs(**options)
      File "/lib/python2.7/site-packages/awx/main/management/commands/inventory_import.py", line 1000, in handle_noargs
      File "/lib/python2.7/site-packages/awx/main/management/commands/inventory_import.py", line 243, in load_inventory_source
      File "/lib/python2.7/site-packages/awx/main/management/commands/inventory_import.py", line 179, in load
      File "/lib/python2.7/site-packages/awx/main/management/commands/inventory_import.py", line 163, in command_to_json
    RuntimeError: ansible-inventory failed (rc=4) with stdout:

    stderr:
    ERROR! Attempting to decrypt but no vault secrets found

I have also tried creating an ansible_vault file and pointing the variable "vault_password_file" to it – but this won't work either (it complains that it can't find the vault password file).

Has anyone encountered this before?

Best Answer

So it looks like this was more of an implementation issue. According to Red Hat, it is not recommended to keep the vault files with the inventory, as this would mean the file gets decrypted every time the inventory sync runs.

The way I've solved this now is by using "vars_files" in the playbook. It looks like this:

  # Secrets
  vars_files:
    - '../../secrets/{{ tower_env }}/vault.yml'

In Tower, I pass in the tower_env variable, e.g. "dev" or "qa", which then decrypts the corresponding vault file when a playbook runs, rather than when syncing inventories.
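A complete playbook laid out the way the answer describes, added here as an example; it is not code from the question or the answer. The directory layout, the play and task names, the allowed environment names ("dev", "qa") and the variable name vault_db_password are assumptions made for the example. It assumes the vault password reaches the play through the Vault credential attached to the Tower job template, and tower_env through the job template's extra variables; from the command line the same playbook runs with -e tower_env=dev and --vault-password-file or --ask-vault-pass. The validation is done in a separate first play on localhost because the vars_files of a play are templated when that play starts, so a missing or wrong tower_env would otherwise fail with a file-not-found error before any task could check it.

```yaml
# Added example, not the original poster's playbook. Assumed repository layout,
# relative to this file at playbooks/app/site.yml:
#
#   secrets/dev/vault.yml      <- encrypted with: ansible-vault encrypt secrets/dev/vault.yml
#   secrets/qa/vault.yml       <- encrypted the same way
#   inventories/dev/hosts      <- plain inventory, no vault files, safe to sync
#   inventories/qa/hosts
#   playbooks/app/site.yml     <- this file
#
# Run outside Tower (assumed command line):
#   ansible-playbook -i inventories/dev/hosts -e tower_env=dev \
#       --vault-password-file ~/.vault_pass playbooks/app/site.yml
#
# In Tower (assumed): tower_env comes from the job template's extra variables
# and the vault password from the Vault credential attached to the job
# template, so decryption happens at play time, never during inventory sync.
---
- name: Validate the target environment before touching any vault file
  hosts: localhost
  gather_facts: false
  tasks:
    - name: tower_env must name an environment that has a secrets directory
      assert:
        that:
          - tower_env is defined
          - tower_env in ['dev', 'qa']        # assumed list of environments
        msg: "tower_env must be one of dev, qa (got '{{ tower_env | default('undefined') }}')"

- name: Deploy app with environment-specific secrets
  hosts: all
  become: true

  # Secrets are loaded here, not from inventory group_vars, so the
  # "Sourced from a Project" inventory can be synced with no vault password.
  vars_files:
    - "../../secrets/{{ tower_env }}/vault.yml"

  tasks:
    - name: Write the database password from the vault into the app config
      copy:
        content: "DB_PASSWORD={{ vault_db_password }}\n"   # vault_db_password is assumed to live in vault.yml
        dest: /etc/app/db.env
        owner: root
        group: root
        mode: "0600"
      no_log: true   # keep the secret out of the Tower job output
```

Because the secrets file is only referenced from the playbook, the inventory directory never contains encrypted data, which is the condition under which the "Sourced from a Project" sync succeeds without a Vault credential; keep the no_log flag on any task that renders a vault variable, otherwise the decrypted value appears in the job's stdout.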
