Closed no-12 closed 7 months ago
Hi I'm not sure what the benefits of this would be as the LAPS password changes quite frequently and it's not really designed to be stored offline. I'm not 100% familiar with AWX, are you saying that having it run the dynamic inventory allows it to read the generated inventory?
You can use ansible-inventory to retrieve the password details, which you then can encrypt if you wish, but this is something you have to do every time the LAPS password is changed. For example I have this inventory configuration at microsoft.ad.ldap.yml:
```yaml
plugin: microsoft.ad.ldap
search_base: OU=Servers,DC=domain,DC=test
attributes:
  msLAPS-EncryptedPassword:
    ansible_user: (this.value | from_json).n
    ansible_password: (this.value | from_json).p
```
I can run the following to retrieve the username and password configured by LAPS:
```
$ ansible-inventory -i microsoft.ad.ldap.yml --host SERVER2022 --vars
{
    "ansible_host": "SERVER2022.domain.test",
    "ansible_password": "...",
    "ansible_user": "Administrator",
    "microsoft_ad_distinguished_name": "CN=SERVER2022,OU=Servers,DC=domain,DC=test"
}
```
AWX runs any ansible inventory plugin and converts the resulting JSON to persistent objects in its DB.
So the idea was to run the inventory sync on a fixed schedule. Or an even more dynamic approach would be to use the Windows event of the LAPS password change to trigger an AWX callback to update the inventory and hence the LAPS password in AWX.
The rotation of the LAPS password is a little bit of a problem but it is manageable.
The problem I want to address with this issue is that I want to allow the users to read the inventory and the corresponding host vars in AWX, but they should NOT be able to view the LAPS password in clear text.
I unfortunately think this might be a question more for AWX or a custom solution to check in your own encrypted values. You can whip up a script with ansible-inventory and jq to extract the values, which is then piped to ansible-vault, if you wanted to go your own way, but if you are wanting something special with AWX that might be a question for them, sorry.
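An added example of the script described in the comment above (not code from the microsoft.ad collection or from anyone in this thread): it reads the resolved host vars with `ansible-inventory --host ... --vars`, splits out the LAPS password, vaults it with `ansible-vault encrypt_string`, and renders a `host_vars` file for the "static inventory" case the summary mentions, so the clear-text password is never written to disk. Python is used instead of jq so the JSON handling is explicit; the file names `INVENTORY_FILE` and `VAULT_PASSWORD_FILE` and the injectable `run` hook are assumptions for illustration.

```python
import json
import subprocess

# Assumed file names (not from the microsoft.ad collection or the thread).
INVENTORY_FILE = "microsoft.ad.ldap.yml"   # the plugin config shown above
VAULT_PASSWORD_FILE = "vault.pass"         # file holding the vault password

def run_cmd(argv, stdin_text=None):
    """Run a CLI tool and return its stdout; raises if it exits non-zero."""
    return subprocess.run(argv, input=stdin_text, capture_output=True,
                          text=True, check=True).stdout

def fetch_host_vars(host, inventory=INVENTORY_FILE, run=run_cmd):
    """`ansible-inventory --host H --vars` prints the resolved host vars as JSON."""
    out = run(["ansible-inventory", "-i", inventory, "--host", host, "--vars"])
    return json.loads(out)

def split_laps_secret(host_vars):
    """Return (vars safe to store in clear, the LAPS password or None)."""
    public = {k: v for k, v in host_vars.items() if k != "ansible_password"}
    return public, host_vars.get("ansible_password")

def vault_string(value, var_name, password_file=VAULT_PASSWORD_FILE, run=run_cmd):
    """Encrypt one value with `ansible-vault encrypt_string`; the secret goes in on
    stdin without a trailing newline so the newline is not encrypted with it."""
    argv = ["ansible-vault", "encrypt_string",
            "--vault-password-file", password_file, "--stdin-name", var_name]
    # ansible-vault prints "<var_name>: !vault |" followed by the $ANSIBLE_VAULT body.
    return run(argv, stdin_text=value).strip()

def render_host_vars(public, vaulted_yaml):
    """Content for host_vars/<host>.yml: clear vars first, then the !vault block."""
    lines = [f"{k}: {json.dumps(v)}" for k, v in sorted(public.items())]
    return "\n".join(lines + [vaulted_yaml]) + "\n"

def build_host_vars(host, run=run_cmd):
    """Fetch, split, vault and render for one host; the clear password never hits disk."""
    public, secret = split_laps_secret(fetch_host_vars(host, run=run))
    if secret is None:
        raise ValueError(f"{host}: no ansible_password in inventory (LAPS attribute missing?)")
    return render_host_vars(public, vault_string(secret, "ansible_password", run=run))

if __name__ == "__main__":
    import sys
    # Usage: python laps_vault.py SERVER2022 > host_vars/SERVER2022.yml
    print(build_host_vars(sys.argv[1]), end="")
```

The output file is only as protected as the vault password file, and, as noted in the thread, it has to be regenerated on every LAPS rotation.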
Yeah, I think you are right. Thank you for your feedback.
SUMMARY
It would be nice to have an option to encrypt the LAPS credentials fetched by the ldap inventory plugin with ansible-vault. This would make storing the LAPS credentials in AWX a little bit more secure and won't allow users with read permissions on the inventory to view the credentials. This would also be useful if you run this plugin without AWX to generate a "static" inventory file.
ISSUE TYPE
COMPONENT NAME
microsoft.ad.ldap inventory