Open azrdev opened 8 months ago
Maybe this is the same as #14680.
Hi, we have run into this issue too.
I see a lot of people asking for this so why is this not implemented yet? Since this works in basic Ansible, why not in AWX? The vault credential should be allowed on an Inventory source.
+1 from me - we need login/password in inventory plugin configuration and encrypt password with ansible vault. Normally, ansible-inventory can prompt for that vault secret, but there is no option in AWX to assign a vault credential to an inventory sync job. This is weird, as ansible-inventory seems to use the exact same mechanism (and even command line parameters / environment variables) for vault handling as ansible-playbook does. In my opinion enabling the possibility to use vaults with ansible-inventory should not be a big deal.
And to clarify - I do not mean here that ansible-inventory decrypts inventory group_vars or host_vars - it is very OK that they are imported as encrypted and are decrypted when the actual job template runs and uses them. I just need to be able to decrypt inventory plugin configuration.
I currently use a workaround described somewhere that uses environment variables and custom credentials, but this requires me to create 2 secrets for a vault that is used both in inventory and in playbooks... This is a bit cumbersome.
+1 from me too. When I use the dynamic inventory microsoft.ad.ldap.yml (see here: https://docs.ansible.com/ansible/latest/collections/microsoft/ad/ldap_inventory.html), it is impossible for me to enter any ansible-vault key from the AWX UI. In my microsoft.ad.ldap.yml, I'm looking to encrypt the AD service account name and password that I'm using to search all host Active Directory (in specific OU).
On UI AWX, absolutely no Credentials appear in 'Inventory > Source > Git source'
On CLI, the encrypted variables in the dynamic inventory work perfectly. For example, in my case:
ansible-inventory -i microsoft.ad.ldap.yml --graph --vault-password-file ~/ANSIBLE_KEY
or
ansible-inventory -i inventory/ --graph -J
(prompted vault pass)
Why does it work in CLI (ansible-inventory or ansible-playbook) but it is not possible from the AWX UI?
For this type of issue I have found an even better solution - create a Custom Credential Type for all credential-related parameters with an environment-based injector. This will inject environment variables like MICROSOFT_AD_LDAP_CERTIFICATE_KEY and by that parametrize the inventory plugin. Also, good practice for all who write inventory plugins is to fall back to environment variables on all credential-related vars. That way you can create a Custom Credential, and this CAN be attached to an inventory sync job. That even saves you from hardcoding vault-encrypted credentials in code at all - everything stays in AWX.
There are however still use cases, where such Vault type credential is needed for inventory sync job.
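The workaround described in the comment above, written out as an added example that is not part of the thread or of the AWX project: a Custom Credential Type whose injector exposes the secrets as environment variables to the inventory sync. The field ids are hypothetical, and the two variable names follow the naming pattern of the `MICROSOFT_AD_LDAP_CERTIFICATE_KEY` variable mentioned above; they are assumptions to check against the plugin documentation.

```yaml
# Added example. Field ids (ad_username, ad_password) are hypothetical, and the
# injected variable names are assumptions to verify in the plugin documentation.

# --- AWX Custom Credential Type: "Input configuration" ---
fields:
  - id: ad_username
    type: string
    label: AD service account
  - id: ad_password
    type: string
    label: AD service account password
    secret: true   # stored encrypted by AWX and masked in the UI and API
required:
  - ad_username
  - ad_password

---
# --- AWX Custom Credential Type: "Injector configuration" ---
# Each value is templated from the input fields when the sync job starts.
env:
  MICROSOFT_AD_LDAP_USERNAME: '{{ ad_username }}'
  MICROSOFT_AD_LDAP_PASSWORD: '{{ ad_password }}'

---
# --- microsoft.ad.ldap.yml as committed to git ---
# No username/password keys and no vaulted values: the plugin is expected to
# fall back to the environment variables injected above.
plugin: microsoft.ad.ldap
```

A credential of this type is then attached to the inventory source. The injected variables are readable by everything that runs inside the sync job, so write access to the source project should be limited accordingly.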
Feature type
Enhancement to Existing Feature
Feature Summary
"Inventory Source" objects can have a number of Credential types attached, but not "vault" ones. For custom inventory plugins which need secrets one does not want to record as plaintext into the plugin-config.yml (in git), this requires 1. support from the inventory plugin and 2. a Custom Credential Type -- This could be much easier if we could add the secrets to the plugin config as vaulted variables -- and have the "Vault Credential" attached to the inventory source to decode those upon inventory sync.
Steps to reproduce
The hoops an inventory currently has to jump through can be seen in this PR: https://github.com/stdevel/ansible-collection-uyuni/pull/41/ (diff and comment https://github.com/stdevel/ansible-collection-uyuni/pull/41/#issuecomment-1983166880 )
Current results
Cannot select vault Credentials on inventory source.
Suggested feature result
Can select vault Credentials on inventory source.
Additional information
#4089 discusses vault decrypting of variables files inside the sourced inventory, e.g. host_vars / group_vars (see esp. https://github.com/ansible/awx/issues/4089#issuecomment-1233231686)
https://github.com/ansible/awx/issues/223#issuecomment-416946662 describes a workaround of putting vault-encrypted vars (content only, not name) in host_vars via the GUI