cyberark / ansible-conjur-collection

Ansible Collection for Conjur
https://conjur.org
Apache License 2.0

Unable to run cyberark.conjur.conjur_host_identity role. #191

Open R3DRUN3 opened 1 year ago

R3DRUN3 commented 1 year ago

Summary

Unable to run cyberark.conjur.conjur_host_identity role.

Steps to Reproduce

  1. Create a conjur host-factory.

  2. Generate host factory token:

    conjur -i hostfactory create token -i ansible-test-factory --duration-days 2

  3. Export host factory token as env var.

  4. Run the playbook.

This is the playbook that I am using:

- hosts: localhost
  roles:
    - role: cyberark.conjur.conjur_host_identity
      conjur_appliance_url: 'https://conjur-lb.vsphere.playground.com'
      conjur_account: 'default'
      conjur_host_factory_token: "{{ lookup('env', 'HFTOKEN') }}"
      conjur_host_name: "{{ inventory_hostname }}"
      conjur_ssl_certificate: "{{ lookup('file', 'conjur-cert.cer') }}"
      conjur_validate_certs: yes

Expected Results

The playbook runs without errors.

Actual Results

The playbook fails; these are the logs:

PLAY [localhost] ***********************************************************************************************************************************************************************************

TASK [Gathering Facts] *****************************************************************************************************************************************************************************
ok: [localhost]

TASK [cyberark.conjur.conjur_host_identity : Check if /etc/conjur.identity already exists] *********************************************************************************************************
ok: [localhost] => {"changed": false, "stat": {"exists": false}}

TASK [cyberark.conjur.conjur_host_identity : Set fact "conjurized"] ********************************************************************************************************************************
ok: [localhost] => {"ansible_facts": {"conjurized": false}, "changed": false}

TASK [cyberark.conjur.conjur_host_identity : Ensure all required variables are set] ****************************************************************************************************************
skipping: [localhost] => (item=default)  => {"ansible_loop_var": "item", "changed": false, "false_condition": "item is undefined", "item": "default", "skip_reason": "Conditional result was False"}
skipping: [localhost] => (item=https://conjur-lb.vsphere.playground.com)  => {"ansible_loop_var": "item", "changed": false, "false_condition": "item is undefined", "item": "https://conjur-lb.vsphere.playground.com", "skip_reason": "Conditional result was False"}
skipping: [localhost] => (item=localhost)  => {"ansible_loop_var": "item", "changed": false, "false_condition": "item is undefined", "item": "localhost", "skip_reason": "Conditional result was False"}
skipping: [localhost] => {"changed": false, "msg": "All items skipped"}

TASK [cyberark.conjur.conjur_host_identity : Set fact "ssl_configuration"] *************************************************************************************************************************
ok: [localhost] => {"ansible_facts": {"ssl_configuration": true}, "changed": false}

TASK [cyberark.conjur.conjur_host_identity : Ensure all required ssl variables are set] ************************************************************************************************************
skipping: [localhost] => (item=<CERTIFICATE-PEM-OMITTED>)  => {"ansible_loop_var": "item", "changed": false, "false_condition": "item is undefined", "item": "<CERTIFICATE-PEM-OMITTED>", "skip_reason": "Conditional result was False"}
skipping: [localhost] => (item=True)  => {"ansible_loop_var": "item", "changed": false, "false_condition": "item is undefined", "item": true, "skip_reason": "Conditional result was False"}
skipping: [localhost] => {"changed": false, "msg": "All items skipped"}

TASK [cyberark.conjur.conjur_host_identity : Set fact "ssl file path"] *****************************************************************************************************************************
ok: [localhost] => {"ansible_facts": {"conjur_ssl_certificate_path": "/etc/conjur.pem"}, "changed": false}

TASK [cyberark.conjur.conjur_host_identity : Set fact "non ssl configuration"] *********************************************************************************************************************
skipping: [localhost] => {"changed": false, "false_condition": "not ssl_configuration", "skip_reason": "Conditional result was False"}

TASK [cyberark.conjur.conjur_host_identity : Warn against using insecure connection schemes] *******************************************************************************************************
skipping: [localhost] => {"false_condition": "not ssl_configuration"}

TASK [cyberark.conjur.conjur_host_identity : Ensure "conjur_host_factory_token" is set (if node is not already conjurized)] ************************************************************************
skipping: [localhost] => (item=<TOKEN-HERE>)  => {"ansible_loop_var": "item", "changed": false, "false_condition": "item is undefined", "item": "<TOKEN-HERE>", "skip_reason": "Conditional result was False"}
skipping: [localhost] => {"changed": false, "msg": "All items skipped"}

TASK [cyberark.conjur.conjur_host_identity : Create group conjur] **********************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Username and password must be provided.\n", "name": "conjur"}

PLAY RECAP *****************************************************************************************************************************************************************************************
localhost                  : ok=5    changed=0    unreachable=0    failed=1    skipped=5    rescued=0    ignored=0 

Reproducible

Version/Tag number

ansible --version && echo " " && ansible-galaxy collection list | grep cyberark                                                                                                 

ansible [core 2.15.0]
  config file = None
  configured module search path = ['/Users/rago/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/Cellar/ansible/8.0.0/libexec/lib/python3.11/site-packages/ansible
  ansible collection location = /Users/rago/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.11.4 (main, Jun  7 2023, 00:42:15) [Clang 14.0.3 (clang-1403.0.22.14.1)] (/usr/local/Cellar/ansible/8.0.0/libexec/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True

cyberark.conjur               1.2.0  
cyberark.conjur               1.2.0  
cyberark.pas                  1.0.19

Environment setup

Ansible runs on the local machine and Conjur runs on a remote VM (connection via VPN).

Additional Information

R3DRUN3 commented 9 months ago

Any news on this?