bitwarden / sm-ansible

Ansible integration for Secrets Manager
GNU General Public License v3.0

lookup secret for 'ansible_become_password' throws exception #55

Open rome-legacy opened 2 months ago

rome-legacy commented 2 months ago

Hey, I'm experimenting with Ansible integration of Secrets Manager and I'm facing an issue:

I have a simple playbook:

- name: 'do stuff on a linux machine'
  hosts: my_hosts_group

  vars:
    sudo_pwd: "{{ lookup('bitwarden.secrets.lookup', 'my-secret-uuid') }}"
#    ansible_become_password: "my-password-with-special-chars"
    ansible_become_password: "{{ lookup('bitwarden.secrets.lookup', 'my-secret-uuid') }}"
  tasks:
    - name: 'DEBUG'
      ansible.builtin.debug:
        var: sudo_pwd

The playbook crashes with this error:

PLAY [Install common linux tools and configs] *****************************************************************************************************************************
TASK [Gathering Facts] ****************************************************************************************************************************************************
[WARNING]: Platform linux on host my_host is using the discovered Python interpreter at /usr/bin/python3.11, but future installation of another Python interpreter
could change the meaning of that path. See https://docs.ansible.com/ansible-core/2.17/reference_appendices/interpreter_discovery.html for more information.
ok: [my_host]

TASK [DEBUG] **************************************************************************************************************************************************************
thread '<unnamed>' panicked at /root/.cargo/registry/src/index.crates.io-6f17d22bba15001f/pyo3-log-0.9.0/src/lib.rs:570:16:
called `Result::unwrap()` on an `Err` value: SetLoggerError(())
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
ERROR! A worker was found in a dead state

The gathering facts task, where the secret is looked up, is successful.

When I do not do any lookups, but instead set the password in plaintext (the commented line), the playbook works as expected and the looked-up password is printed and is correct. This problem happens even if I don't have any become-tasks in my playbook.

DEBUG output

task path: /home/user/ansible/linux-setup.ansible.yml:20
Parsing secret ID
Validating field argument
Parsing Bitwarden environment URL
secret_id: my-secret-uuid
field: value
base_url: https://vault.bitwarden.com
api_url: https://vault.bitwarden.com/api
identity_url: https://vault.bitwarden.com/identity
state_file_dir: None
Authenticating with Bitwarden
Parsing secret ID
Validating field argument
Parsing Bitwarden environment URL
thread '<unnamed>' panicked at /root/.cargo/registry/src/index.crates.io-6f17d22bba15001f/pyo3-log-0.9.0/src/lib.rs:570:16:
called `Result::unwrap()` on an `Err` value: SetLoggerError(())
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
secret_id: my-secret-uuid
field: value
base_url: https://vault.bitwarden.com
api_url: https://vault.bitwarden.com/api
identity_url: https://vault.bitwarden.com/identity
state_file_dir: None
Authenticating with Bitwarden
ERROR! A worker was found in a dead state

Expected behavior: playbook is successfully executed. When the playbook has become-tasks, login is successful.

My system:

Kind regards, rome

rome-legacy commented 2 months ago

After giving it a second thought, this issue is probably related to the bitwarden/sdk. Should I close and re-open in the sdk project?