Closed nodje closed 1 year ago
Right now it does not pick up the env variables, will have to look to see if I can fix that, can you tell me if you have the same error on the controller api plugin here? https://github.com/ansible/awx/blob/devel/awx_collection/plugins/lookup/controller_api.py
either awx.awx or ansible.controller, if that works, this will help me figure out how to fix it
Wait Sean, I think there are 2 issues that shouldn't be mixed up here. Or this is me being mixed up, but I think that:

`controller_hostname`, `controller_oauthtoken`, `controller_validate_certs`

from env var, and these are correctly picked up as the log "invocation" part shows:

```json
"invocation": {
    "module_args": {
        "name": "Conjur_dynamic_credential",
        "kind": "cloud",
        "state": "absent",
        "controller_oauthtoken": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
        "controller_host": "https://aap2.staging.net",
        "validate_certs": false,
        "controller_username": "",
        "controller_password": "",
        "controller_config_file": null,
        "new_name": null,
        "description": null,
        "inputs": null,
        "injectors": null
    }
}
```
So even though controller_hostname, controller_oauthtoken, controller_validate_certs
have values, object_diff fails to perform a delete action anyway.
If not, how do you suggest I use the controller_api lookup? What for specifically?
Hi, the object_diff role doesn't remove anything. The error `"msg": "You don't have permission to DELETE to /api/v2/credential_types/20/ (HTTP 403)."` comes from another role/module.
The object_diff role will only set the list of objects to remove, but they have to be removed by launching the dispatch role. It seems that you are correctly using the tower authentication for the object_diff role but not for the dispatch role.
I'm using filetree_read then dispatch. And it works perfectly using ENV var. When I add object_diff in between, then it fails with this DELETE error
Are there credentials assigned to this credential type? I think it's not allowed to remove credential_types that have credentials assigned.
Right, that's it, sorry about that, never deleted a cred type before. Manual deletion is also refused.
I guess there is no way to automate deleting creds of a type identified by object_diff, then deleting the cred type in question.
I'm closing the issue.
Do you want a separate issue for the object_diff authent not reading env var?
Yes, there is a way to remove it. You have to invert the order for the dispatch role. Here you have an example:
Notice that the controller_configuration_dispatcher_roles variable is overwritten because of the problem that you are facing. For instance, credentials are before credential_types, while when you launch the dispatch role directly without overwriting the controller_configuration_dispatcher_roles variable, it is the opposite (credential_types before credentials): https://github.com/redhat-cop/controller_configuration/blob/devel/roles/dispatch/defaults/main.yml
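To illustrate the ordering fix described above, here is an added example playbook (not from this thread or the collection's own files) that overrides controller_configuration_dispatcher_roles so the dispatch role deletes credentials before the credential type they depend on. The role/var/tags key layout is assumed to match the collection's dispatch defaults, the credential and credential type entries are constructed sample data, and the roles are assumed to be available on the role path.

```yaml
# Added example: deletion-only run of the dispatch role with the dispatcher
# role order inverted (credentials first, then credential_types).
# With the default order (credential_types first) the controller refuses to
# DELETE a credential type that still has credentials attached (HTTP 403).
# Authentication is taken from the environment: TOWER_HOST, TOWER_OAUTH_TOKEN,
# TOWER_VERIFY_SSL, so no token is written into the playbook.
- name: Remove stale credentials, then the credential types they depend on
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # Override of the collection default (key names assumed from the
    # dispatch role defaults): only the two roles needed for this cleanup,
    # ordered so that dependents are removed before the type itself.
    controller_configuration_dispatcher_roles:
      - {role: credentials, var: controller_credentials, tags: credentials}
      - {role: credential_types, var: controller_credential_types, tags: credential_types}

    # Constructed sample data: the credentials of the type being retired.
    controller_credentials:
      - name: example-conjur-cred
        credential_type: Conjur_dynamic_credential
        organization: Default
        state: absent

    # Constructed sample data: the credential type itself, deleted last.
    controller_credential_types:
      - name: Conjur_dynamic_credential
        kind: cloud
        state: absent
  roles:
    - dispatch
```

Running the same variables with the collection's default dispatcher order reproduces the 403 on the credential type, which is a quick way to confirm the dependency rather than a permissions problem with the token.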
> Do you want a separate issue for the object_diff authent not reading env var?
object_diff is reading the env var properly, I don't see any error with that.
> object_diff is reading the env var properly, I don't see any error with that.

Well, it fails if controller_hostname, controller_oauthtoken, controller_validate_certs are not provided, whereas dispatch works fine with the env vars TOWER_HOST, TOWER_OAUTH_TOKEN, TOWER_VERIFY_SSL.
> Yes, there is a way to remove it. You have to invert the order for the dispatch role.

The issue here is that I cannot activate object_diff on Credentials; there are too many existing on the instance I work with.
For cred type, I can confidently delete the ones I'm not configuring with filetree_read.
Even if I had a way to limit object_diff on Credentials to a specific Cred type, I guess I could not dynamically provide the Cred type from object_diff.
I'm using v2.3.1 on AAP2.3.x
Here's the error detail:
I use the same oauthtoken for dispatch and object_diff, and dispatch works flawlessly. Indeed, a token from User 1/default local admin has the System Admin role and should be able to perform any action.
The way I call the roles: I provide the env vars TOWER_HOST, TOWER_VERIFY_SSL, TOWER_OAUTH_TOKEN for the playbook run, but this isn't taken into account by object_diff.
I had to provide the following vars in the playbook for object_diff to be able to authenticate against an AAP instance
It works indeed as one can see in the error log, but apparently the oauthtoken doesn't give the proper authorization even though it's a SysAdmin token.
I'm out of ideas at this stage, I have to disable object_diff usage