ansible / awx

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.

Add ability to use variables in Metadata for External Secret Management Systems #11121

Open infamousjoeg opened 2 years ago

infamousjoeg commented 2 years ago
SUMMARY

Problem

At CyberArk, we recommend that all customers create unique root passwords and/or unique private keys for host authentication to *nix hosts. Since the CyberArk platform manages this credential and can also broker secure sessions to the host, this is the easiest way to reduce the attack surface.

In the Ansible community, we have many customers who use a single playbook across many remote hosts to complete such actions as OS patching, NTP server updates, and more. Since the playbook can leverage the inventory_hostname variable, we can create host vars in the playbook that pull back the unique root password: Jinja variables inject inventory_hostname into the secret variable ID, so the proper host's password is retrieved dynamically, just-in-time for playbook execution.

In AWX and Ansible Automation Platform, only one Machine or AWS Access Key credential can be assigned to a Job Template. Recreating the Ansible community's one-playbook-to-many method would require a 1:1 Job Template for each host. This is not feasible for medium-to-large enterprises.

Requested Solution

Please update the External Secrets Management Systems included out of the box with AWX and Ansible Automation Platform to be able to accept variables, such as inventory_hostname. This would allow us to assign one Machine credential containing that variable to a single Job Template that can iterate across many hosts and dynamically fetch secrets just-in-time based on the host being authenticated to.
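As an added illustration of what the request above implies on the AWX side (this is example code written for this page, not AWX code and not the issue author's), the sketch below renders a credential's external-secret metadata once per target host. It deliberately accepts only bare `{{ variable }}` references from an allowlist and validates the resolved secret ID, because inventory host names are attacker-influenceable input and must not be evaluated as full templates. The `render_secret_id`, `resolve_for_hosts` and `is_rejected` functions, the `ALLOWED_VARS` allowlist and the `FAKE_STORE` secret store are all assumptions constructed for the example.

```python
"""Per-host resolution of external-secret metadata (added example, not AWX code).

Models the issue's request: a credential's metadata holds a template such as
"hosts/{{ inventory_hostname }}/root-password"; at job time it is rendered per
target host and the result is looked up in the secret store.
"""
import re
from typing import Dict, Mapping

# Only simple variable references are accepted: no filters, no expressions.
_VAR_RE = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# Variables a credential template may reference (assumed allowlist, not AWX's).
ALLOWED_VARS = frozenset({"inventory_hostname", "inventory_hostname_short"})

# Resolved secret IDs must stay within a conservative character set so that an
# inventory value cannot alter the path structure of the lookup.
_SAFE_ID_RE = re.compile(r"^[A-Za-z0-9_./-]+$")


class MetadataError(ValueError):
    """Raised when a template or a rendered secret ID fails validation."""


def render_secret_id(template: str, host_vars: Mapping[str, str]) -> str:
    """Substitute allowlisted host vars into the metadata template and validate."""

    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in ALLOWED_VARS:
            raise MetadataError(f"variable not allowed in credential metadata: {name}")
        if name not in host_vars:
            raise MetadataError(f"variable undefined for this host: {name}")
        return host_vars[name]

    rendered = _VAR_RE.sub(substitute, template)
    # Template syntax that survives rendering (e.g. smuggled in via a host var
    # value) is rejected rather than evaluated a second time.
    if "{{" in rendered or "}}" in rendered or "{%" in rendered:
        raise MetadataError("rendered secret id still contains template syntax")
    # Reject parent-directory segments and any character outside the safe set.
    if ".." in rendered.split("/") or not _SAFE_ID_RE.match(rendered):
        raise MetadataError(f"rendered secret id is not a safe path: {rendered!r}")
    return rendered


# Constructed stand-in for an external secret store, keyed by secret ID.
FAKE_STORE: Dict[str, str] = {
    "hosts/web01.example.test/root-password": "constructed-pw-web01",
    "hosts/web02.example.test/root-password": "constructed-pw-web02",
}


def resolve_for_hosts(template: str, inventory: Mapping[str, Mapping[str, str]]) -> Dict[str, str]:
    """Return host -> secret value for every host in the (constructed) inventory."""
    resolved: Dict[str, str] = {}
    for host, host_vars in inventory.items():
        secret_id = render_secret_id(template, host_vars)
        if secret_id not in FAKE_STORE:
            raise MetadataError(f"no secret {secret_id!r} for host {host}")
        resolved[host] = FAKE_STORE[secret_id]
    return resolved


def is_rejected(template: str, host_vars: Mapping[str, str]) -> bool:
    """True when rendering refuses the template/host combination."""
    try:
        render_secret_id(template, host_vars)
    except MetadataError:
        return True
    return False


if __name__ == "__main__":
    # Constructed two-host inventory exercising the one-credential-to-many pattern.
    inventory = {
        "web01": {"inventory_hostname": "web01.example.test"},
        "web02": {"inventory_hostname": "web02.example.test"},
    }
    template = "hosts/{{ inventory_hostname }}/root-password"
    for host, secret in resolve_for_hosts(template, inventory).items():
        print(f"{host}: fetched secret of length {len(secret)}")
```

The design choice worth noting is the narrow renderer: a full Jinja environment would give credential metadata the same expressive power as a playbook, so per-host templating is limited to substitution from an allowlist, and the output is checked as a path before it reaches the secret store.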

shanemcd commented 2 years ago

Related: https://github.com/ansible/awx/issues/286

Benvandamme commented 2 years ago

Any progress here? I would love to see this happen.

infamousjoeg commented 2 years ago

Any updates on the possibility of this being included? Still a huge issue when it comes to trying to use unique keys to conduct massive operations like OS Patching, etc.

huydd79 commented 2 years ago

I also want to get an update on this feature!!!

BenjaminSchweizer commented 2 years ago

Any news about this?

fs-orechan commented 10 months ago

I am really looking forward to seeing that feature being implemented too