Open infamousjoeg opened 2 years ago
Any progress here? I would love to see this happen.
Any updates on the possibility of this being included? Still a huge issue when it comes to trying to use unique keys to conduct massive operations like OS Patching, etc.
I also want to get an update on this feature!!!
Any news about this?
I am really looking forward to seeing that feature being implemented too.
ISSUE TYPE
SUMMARY
Problem
At CyberArk, we recommend that all customers create unique root passwords and/or unique private keys for host authentication to *nix hosts. Since the CyberArk platform manages this credential and can also broker secure sessions to the host, this is the easiest way to reduce the attack surface.

In the Ansible community, we have many customers who use a single playbook across many remote hosts to complete such actions as OS patching, NTP server updates, and more. Since the playbook can leverage the inventory_hostname variable, we can create host vars in the playbook to pull back the unique root password, using Jinja variables to inject the inventory_hostname into the secret variable ID to dynamically retrieve the proper host's password just-in-time for playbook execution.

In AWX and Ansible Automation Platform, only one Machine or AWS Access Key credential can be assigned to a Job Template. Recreating the Ansible community's one-playbook-to-many method would require a 1:1 Job Template for each host. This is not feasible for medium-to-large enterprises.

Requested Solution
Please update the External Secrets Management Systems included out of the box with AWX and Ansible Automation Platform to be able to accept variables, such as inventory_hostname. This would allow us to assign one Machine credential containing that variable to a single Job Template that can iterate across many hosts and dynamically fetch secrets just-in-time based on the host being authenticated to.
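The community-Ansible pattern the issue describes (one playbook, a different root credential per target, resolved at run time from inventory_hostname) looks like the playbook below. This is an added example, not code from the issue author or from the AWX project. It assumes the cyberark.conjur collection is installed on the controller and that Conjur variable IDs follow the assumed layout ansible/<hostname>/root-password; the inventory group name linux_servers is also assumed.

```yaml
# Added example: one playbook, per-host secret fetched just-in-time.
# Assumptions (not from the issue): the cyberark.conjur collection is
# installed, Conjur variable IDs are laid out as
# ansible/<hostname>/root-password, and an inventory group named
# linux_servers exists.
- name: Patch hosts using a per-host root password fetched just-in-time
  hosts: linux_servers
  gather_facts: false
  vars:
    # Jinja builds the secret ID from inventory_hostname, so the same play
    # resolves a distinct secret for each host it runs against.
    root_secret_id: "ansible/{{ inventory_hostname }}/root-password"
    # Play vars are templated per host, so the lookup runs once per target
    # on the controller and the value is used only for that host's session.
    ansible_become_password: "{{ lookup('cyberark.conjur.conjur_variable', root_secret_id) }}"
  tasks:
    - name: Apply OS updates
      become: true
      ansible.builtin.package:
        name: "*"
        state: latest
      # Keep the escalated session's details (including the fetched
      # credential) out of task output in case of a failure.
      no_log: true
```

Because inventory_hostname is part of the templated variable ID, a host that has no matching secret fails its own task rather than silently reusing another host's credential, which is the point of issuing unique per-host credentials. The AWX and Automation Platform gap described above is that a Machine credential attached to a Job Template cannot be templated this way, so the per-host lookup has to live in the playbook itself until the credential plugins accept variables.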