Open jghal opened 3 years ago
Additionally, since our AWX is inside the subscription, we enable the keyvault service endpoint in the subnet, and have NACLs enabled to restrict keyvault access to internal connections. So using the public routed https://<vault_name>.vault.azure.net won't work for us either.
I second this one
ISSUE TYPE
SUMMARY
We deploy AWX inside subscriptions on a VM with a Managed Service Identity, so that we don't have to configure service principal client IDs and secrets (along with the necessary rotation policies and process). We would like to use the Azure Keyvault credential plugin, as an input source for other credentials. However, it appears that this can only be used with statically configured client ID and secret. Putting in dummy values for client ID and secret produces an authentication error.
https://docs.microsoft.com/en-us/azure/developer/python/azure-sdk-authenticate#authenticate-with-defaultazurecredential
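
For reference, the secret-less flow requested above, written out as an added example (not AWX's plugin code and not from the issue author): the VM asks the Azure Instance Metadata Service for a Key Vault token, then calls the vault's REST API with it. The function names and the injectable `send` parameter are hypothetical; the sketch assumes Key Vault REST `api-version=7.4` and IMDS `api-version=2018-02-01`.

```python
import json
import urllib.parse
import urllib.request

# Azure Instance Metadata Service (IMDS) token endpoint, reachable only from inside the VM.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
KEYVAULT_RESOURCE = "https://vault.azure.net"


def imds_token_request(client_id=None):
    """Build the IMDS request for a Key Vault access token (no stored secret)."""
    params = {"api-version": "2018-02-01", "resource": KEYVAULT_RESOURCE}
    if client_id:  # only needed to select a user-assigned identity
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # IMDS requires this header; requests without it are rejected.
    return urllib.request.Request(url, headers={"Metadata": "true"})


def secret_request(vault_url, name, token, version=""):
    """Build the Key Vault REST call; refuse non-HTTPS vault URLs so the
    bearer token is never sent in clear text."""
    parsed = urllib.parse.urlsplit(vault_url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError("vault_url must be an https:// URL")
    path = "/secrets/" + urllib.parse.quote(name, safe="")
    if version:
        path += "/" + urllib.parse.quote(version, safe="")
    url = f"https://{parsed.netloc}{path}?api-version=7.4"
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + token})


def _default_send(request):
    # Real network call; only works on an Azure VM with a managed identity.
    with urllib.request.urlopen(request, timeout=5) as resp:
        return resp.read()


def get_secret(vault_url, name, version="", client_id=None, send=_default_send):
    """Fetch a secret with the VM's managed identity. `send` is injectable for tests."""
    token = json.loads(send(imds_token_request(client_id)))["access_token"]
    return json.loads(send(secret_request(vault_url, name, token, version)))["value"]
```

The identity still needs permission to read secrets on the vault, and nothing in this flow has a client secret to store or rotate.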