As with just about all things Ansible, Red Hat Ansible Automation Platform (AAP)’s installation pretty much starts with prepping an inventory file. Super helpfully, the AAP installation is itself based on Ansible (which makes both troubleshooting the install and performing future upgrades more seamless). This inventory file contains the essential parameters and variables referenced by AAP’s setup.sh script to automate a successful install. It is a plain text file, somewhat unimaginatively named “inventory”, and it is included in the AAP tarball you download from Red Hat.


$ BUNDLE="ansible-automation-platform-setup-bundle-2.4-2.1-x86_64.tar.gz"
$ tar ftv $BUNDLE | grep "/inventory$"
-rw-r--r-- root/root      8896 2023-10-06 15:08 ansible-automation-platform-setup-bundle-2.4-2.1-x86_64/inventory
$

The inventory file contains an opinionated set of default contents that is sensible for the given version of AAP that you happen to be installing or upgrading to.

All of this is extremely helpful, but it does leave something to be desired. That’s because even your passwords (and there are at least a couple that matter, even in a “Standalone automation controller with internal database” installation scenario) will be stored in plain text in the inventory file… unless you take alternative steps.

An inventory file snip with default contents shown:


$ grep -B 2 '^admin_password' -A 8 inventory

[all:vars]
admin_password=''

pg_host=''
pg_port=5432

pg_database='awx'
pg_username='awx'
pg_password=''
pg_sslmode='prefer'  # set to 'verify-full' for client-side enforced SSL
$

While handling plain text passwords in files isn’t totally unheard of in Level Up’s experience over the years in different client environments in the real world, there are definitely better ways to keep your AAP installation more secure and your passwords truly secret, post-AAP install/upgrade. Below are three that Level Up considers “good enough” security practices for most production install scenarios.

Method #1: Red Hat’s Documented Approach: “Securing secrets in the inventory file”

https://access.redhat.com/documentation/en-us/red_hat_ansible_automation_platform/2.4/html/red_hat_ansible_automation_platform_planning_guide/about_the_installer_inventory_file#proc-securing_secrets_in_inventory_planning

In the above link, Red Hat does a great job of showing how you can create and encrypt a variables file named credentials.yml using ansible-vault encrypt credentials.yml, and then include that file via extra vars when you run setup.sh, as in:


ANSIBLE_BECOME_METHOD='sudo' \
ANSIBLE_BECOME=True \
ANSIBLE_HOST_KEY_CHECKING=False \
./setup.sh -e @credentials.yml -- --ask-vault-pass

The “Securing secrets in the inventory file” link above also mentions how you can use ansible-vault encrypt_string to simply encrypt the password inline in the inventory file instead (more info on encrypt_string is here: https://docs.ansible.com/ansible/latest/vault_guide/vault_encrypting_content.html).

The only real downside to Method #1? Using ansible-vault does require that you’ve already installed the Ansible CLI, either on the AAP controller or somewhere else (like your laptop), which may not be your situation if you’re doing a fresh install of AAP for the very first time.

Method #2: Ansible Builtin File Lookup Approach

For a simpler but admittedly “less secure” approach, you can instead use the ansible.builtin.file lookup plugin to read your password from a file and go. The heart of it is that you replace the plain text password in the inventory file with something like this:

admin_password="{{ lookup('ansible.builtin.file', '/tmp/secret.txt') }}"

As a quick demo for a fresh AAP install, you can echo a password into a file called “/tmp/secret.txt” like so:


$ echo Sesame > /tmp/secret.txt

And then set the lookup in the inventory file as per below (please note that due to how setup.sh works and the shell environment it is using, an absolute path name like “/tmp/secret.txt” is basically going to be required):

An inventory file snip with lookup example shown:


$ grep -B 2 '^admin_password' -A 8 inventory

[all:vars]
admin_password="{{ lookup('ansible.builtin.file', '/tmp/secret.txt') }}"

pg_host=''
pg_port=5432

pg_database='awx'
pg_username='awx'
pg_password="{{ lookup('ansible.builtin.file', '/tmp/secret.txt') }}"
pg_sslmode='prefer'  # set to 'verify-full' for client-side enforced SSL
$

Once the AAP install finishes successfully, you should delete the plain text file immediately:


$ rm /tmp/secret.txt

The key idea of Method #2 is that you are temporarily storing another plain text file called “secret.txt” completely outside the main inventory file and even its directory. This “secret.txt” file should live on the file system only long enough for the install to finish, and then it can be safely deleted (probably worth calling out: AAP reads the inventory file only during an install, and never references it again between upgrades; inventory is NOT a service configuration file or anything like that). The biggest upside is likely that your inventory file, which may have other custom configurations, can remain safely on the file system for later review and reuse in future upgrades.
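The echo in the quick demo above inherits your shell’s umask, which usually leaves /tmp/secret.txt world-readable (0644) for as long as the install runs. The following is an added example, not code from the post or from the AAP installer: it writes the secret file with owner-only permissions at an absolute path (which setup.sh requires) and shows how to make the deletion happen even when setup.sh fails. The function names and the /tmp/secret.txt path are this example’s own choices.

```shell
# Hardened version of the Method #2 workflow (added example, not from the post):
# the secret file is created with mode 0600 at an absolute path, and the caller
# arranges for it to be removed whether or not setup.sh succeeds.
set -eu

# write_secret_file PATH SECRET
# Creates PATH containing SECRET with owner-only permissions so other local
# users cannot read the password while the install is running.
write_secret_file() {
  local path="$1" secret="$2"
  case "$path" in
    /*) ;;                                   # setup.sh needs an absolute path
    *) echo "refusing relative path: $path" >&2; return 1 ;;
  esac
  if [ -e "$path" ]; then                    # refuse to overwrite an existing file
    echo "refusing to overwrite existing file: $path" >&2; return 1
  fi
  # umask in a subshell so the restrictive setting does not leak to the caller.
  # The trailing newline is harmless: the ansible.builtin.file lookup strips it.
  ( umask 077 && printf '%s\n' "$secret" > "$path" )
  # Verify the mode really is -rw------- (ls output is portable, stat -c is not).
  [ "$(secret_file_mode "$path")" = "-rw-------" ] || { rm -f "$path"; return 1; }
}

# secret_file_mode PATH -> prints the permission string, e.g. -rw-------
secret_file_mode() { ls -ld "$1" | cut -c1-10; }

# Typical use around the install (not executed here; ./setup.sh is the AAP
# bundle's own script and /tmp/secret.txt is the path used by the inventory lookup):
#   trap 'rm -f /tmp/secret.txt' EXIT          # deleted on success AND on failure
#   printf 'Admin password: ' >&2; stty -echo; IFS= read -r ADMIN_PW; stty echo; echo
#   write_secret_file /tmp/secret.txt "$ADMIN_PW"
#   unset ADMIN_PW
#   sudo ./setup.sh
```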

Method #3: Ansible Extra Variable Approach

Another “good enough” method worth mentioning is to define and use an extra variable along these lines:

Step 1:

Type this to define a password variable without your bash history recording the value: read -s MYPASSWORD

This will prompt you to enter a string, but will not echo your keystrokes. (You can even echo $MYPASSWORD to ensure you typed it correctly, while keeping the password otherwise obscured.)

Step 2:

Update the inventory file by placing an Ansible extra variable which you will actually instantiate when you run the AAP setup.sh script in the next step.

$ grep -B 2 '^admin_password' -A 8 inventory

[all:vars]
admin_password="{{ mypassword }}"

pg_host=''
pg_port=5432

pg_database='awx'
pg_username='awx'
pg_password="{{ mypassword }}"
pg_sslmode='prefer'  # set to 'verify-full' for client-side enforced SSL
$

Step 3:

Run sudo ./setup.sh -e "mypassword=$MYPASSWORD" (quoting the argument keeps a password that contains spaces or shell metacharacters intact).

And then finally, you can unset MYPASSWORD to remove the secret variable from memory.
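Whichever method you pick, the inventory file is what stays on disk afterwards (and with Method #3 the secret additionally sits in the setup.sh argument list, readable by other local users via the process table, for the duration of the install). The check below is an added example, not part of the post: it scans an inventory for admin_password and pg_password values that are literal strings rather than empty, a {{ ... }} expression (Methods #2 and #3) or a !vault value (Method #1). The function name is this example’s own.

```shell
# Post-install check for the AAP inventory file (added example, not from the
# post): flag any admin_password= or pg_password= line whose value is a plain
# text literal instead of empty, a Jinja2 expression or an ansible-vault value.
set -eu

# audit_inventory_secrets INVENTORY -> prints offending keys, returns 1 if any
audit_inventory_secrets() {
  local inv="$1" line key val found=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      admin_password=*|pg_password=*) ;;     # only the two password keys matter
      *) continue ;;
    esac
    key=${line%%=*}
    val=${line#*=}
    val=${val#\'}; val=${val%\'}             # strip one level of single quotes
    val=${val#\"}; val=${val%\"}             # ... or double quotes
    case "$val" in
      '') ;;                                 # empty: nothing stored
      '{{'*'}}') ;;                          # lookup() or extra var (Methods #2/#3)
      '!vault'*) ;;                          # encrypt_string output (Method #1)
      *) echo "$key is a plain text value in $inv"; found=1 ;;
    esac
  done < "$inv"
  return $found
}

# Usage: audit_inventory_secrets ./inventory && echo "no plain text passwords"
```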

Wrap Up

As you can see, there are tradeoffs between each of the above methods, but all will do a pretty good job of obscuring passwords in your AAP setup inventory file, if that is the goal.

Happy (Securely) Automating!
