ansible-collections / community.windows

Windows community collection for Ansible
https://galaxy.ansible.com/community/windows
GNU General Public License v3.0

win_credential creates credentials for the become user #572

Closed opacc-sel closed 1 month ago

opacc-sel commented 1 month ago
SUMMARY

The credentials which are created with the win_credential task are in the credential store from the become user (admin) and not with the logged-in user (winrm).

ISSUE TYPE
COMPONENT NAME

win_credential

ANSIBLE VERSION
ansible [core 2.16.8]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/***/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /home/***/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.12.3 (main, Apr 10 2024, 05:33:47) [GCC 13.2.0] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
Collection        Version
----------------- -------
community.windows 2.2.0
CONFIGURATION
CONFIG_FILE() = /etc/ansible/ansible.cfg
OS / ENVIRONMENT

Targeting Windows 10

STEPS TO REPRODUCE

Run the following tasks:

---
- name: Install Development Environment
  hosts: windows_clients
  vars:
    # ansible_become: true
    ansible_become_method: runas
    ansible_become_user: admin_user
    ansible_become_pass: <password>
  tasks:
    - name: install-credentials
      include_role:
        name: install-credentials

install-credentials:
---
- name: 'add credentials for {{ buildServer_name }}'
  community.windows.win_credential:
    name: '{{ buildServer_name }}'
    type: domain_password
    username: '{{ lab_username }}'
    secret: '{{ lab_password }}'
    persistence: enterprise
    state: present
  become: true
- name: 'add credentials for {{ devServer_name }}'
  community.windows.win_credential:
    name: '{{ devServer_name }}'
    type: domain_password
    username: '{{ lab_username }}'
    secret: '{{ lab_password }}'
    persistence: enterprise
    state: present
  become: true
- name: 'add credentials for {{ gitServer_name }}'
  community.windows.win_credential:
    name: '{{ gitServer_name }}'
    type: generic_password
    username: '{{ username }}'
    secret: '{{ git_password }}'
    persistence: enterprise
    state: present
  become: true
EXPECTED RESULTS

The credentials should be in the connected user's (winrm) credentials store

ACTUAL RESULTS

The credentials are in the store from the become user (admin)

TASK [install-credentials] *************************************************************************************
task path: /***/Ansible/install-dev-tmp.yml:10
Thursday 18 July 2024  10:02:30 +0200 (0:00:11.541)       0:00:11.708 *********

TASK [install-dev-env-credentials : add credentials for *** ***********************************
task path: /***/Ansible/roles/install-credentials/tasks/main.yml:2
Thursday 18 July 2024  10:02:30 +0200 (0:00:00.129)       0:00:11.838 *********
Using module file /usr/lib/python3/dist-packages/ansible_collections/community/windows/plugins/modules/win_credential.ps1
Pipelining is enabled.
<***> ESTABLISH WINRM CONNECTION FOR USER: *** on PORT 5986 TO ***
EXEC (via pipeline wrapper)
changed: [***] => {
    "changed": true,
    "invocation": {
        "module_args": {
            "alias": null,
            "attributes": null,
            "comment": null,
            "name": "***l",
            "persistence": "enterprise",
            "secret": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "secret_format": "text",
            "state": "present",
            "type": "domain_password",
            "update_secret": "always",
            "username": "***"
        }
    }
}

TASK [install-credentials : add credentials for *** ***********************************
task path: /***/Ansible/roles/install-credentials/tasks/main.yml:11
Thursday 18 July 2024  10:02:38 +0200 (0:00:08.549)       0:00:20.387 *********
Using module file /usr/lib/python3/dist-packages/ansible_collections/community/windows/plugins/modules/win_credential.ps1
Pipelining is enabled.
<***> ESTABLISH WINRM CONNECTION FOR USER: *** on PORT 5986 TO ***
EXEC (via pipeline wrapper)
changed: [***] => {
    "changed": true,
    "invocation": {
        "module_args": {
            "alias": null,
            "attributes": null,
            "comment": null,
            "name": "***",
            "persistence": "enterprise",
            "secret": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "secret_format": "text",
            "state": "present",
            "type": "domain_password",
            "update_secret": "always",
            "username": "***"
        }
    }
}

TASK [install-credentials : add credentials for *** ********************************
task path: /***/Ansible/roles/install-credentials/tasks/main.yml:20
Thursday 18 July 2024  10:02:44 +0200 (0:00:05.876)       0:00:26.263 *********
Using module file /usr/lib/python3/dist-packages/ansible_collections/community/windows/plugins/modules/win_credential.ps1
Pipelining is enabled.
<***> ESTABLISH WINRM CONNECTION FOR USER: *** on PORT 5986 TO ***
EXEC (via pipeline wrapper)
changed: [***J] => {
    "changed": true,
    "invocation": {
        "module_args": {
            "alias": null,
            "attributes": null,
            "comment": null,
            "name": "***",
            "persistence": "enterprise",
            "secret": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "secret_format": "text",
            "state": "present",
            "type": "generic_password",
            "update_secret": "always",
            "username": "***"
        }
    }
}
jborean93 commented 1 month ago

That’s unfortunately not how become works. The task is run as the become user which means the action applies to it. If you wish to store it under the connection user then you should target that as your become credentials.
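
The following playbook is an added example illustrating the point above; it is not code from the issue or from the community.windows collection. Windows Credential Manager is per user, and with the runas become method the module process runs under ansible_become_user, so that account's store receives the entry. The example therefore points the become credentials at the WinRM connection user itself and then checks the store from that same account with cmdkey. The host group, variable names (buildServer_name, lab_username, lab_password) and the use of ansible_user / ansible_password for the connection account are assumptions.

```yaml
# Added example (not from the issue or the collection): store a credential in the
# connection user's own Credential Manager rather than in a separate admin account's.
---
- name: Store credentials under the WinRM connection user
  hosts: windows_clients            # assumed inventory group
  vars:
    # runas logs on as ansible_become_user; win_credential writes to THAT
    # account's credential store. Reuse the connection account so the entry
    # lands in the logged-in user's store instead of an admin's.
    ansible_become_method: runas
    ansible_become_user: "{{ ansible_user }}"         # assumed: connection user
    ansible_become_pass: "{{ ansible_password }}"     # assumed: its password
  tasks:
    - name: 'add credentials for {{ buildServer_name }}'
      community.windows.win_credential:
        name: '{{ buildServer_name }}'
        type: domain_password
        username: '{{ lab_username }}'
        secret: '{{ lab_password }}'
        persistence: enterprise
        state: present
      become: true

    # cmdkey only lists target, type and user name, never the secret, so the
    # output is safe to register. Run it with the same become settings so the
    # query hits the same per-user store the module wrote to.
    - name: List the entry from the connection user's credential store
      ansible.windows.win_shell: cmdkey /list:{{ buildServer_name }}
      become: true
      changed_when: false
      register: cred_list

    - name: Fail the play if the entry is not in that user's store
      ansible.builtin.assert:
        that:
          - buildServer_name in cred_list.stdout
        fail_msg: >-
          {{ buildServer_name }} was not found in the credential store of
          {{ ansible_user }}; check ansible_become_user points at the account
          that should own the entry.
```

If the credential must belong to a different interactive user than the one Ansible connects as, set ansible_become_user and ansible_become_pass to that user instead; the store that receives the entry is always the one belonging to the become account, never the connection account.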

opacc-sel commented 1 month ago

Hi, thank you for the fast reply. Well, I just assumed the store can be defined for the credential creation and the module handles that. Nevertheless, we gave the user admin rights and your solution worked as proposed, thank you very much. From my point of view the hint in the module documentation should be clarified because I understood it wrong: "This module requires to be run with become so it can access the user’s credential store." It should be specified which user is meant. The become user in this case and not the ansible user.