As a Tower administrator with superuser access, you can define a custom credential type in a standard format using a YAML/JSON-like definition, allowing the assignment of new credential types to jobs and inventory updates. This allows you to define a custom credential type that works in ways similar to existing credential types. For example, you could create a custom credential type that injects an API token for a third-party web service into an environment variable, which your playbook or custom inventory script could consume.
Custom credentials support the following ways of injecting their authentication information:
Environment variables
Ansible extra variables
File-based templating (i.e., generating .ini
or .conf
files that contain credential values)
You can attach one SSH and multiple cloud credentials to a Job Template. Each cloud credential must be of a different type. In other words, only one AWS credential, one GCE credential, etc., are allowed. In Ansible Tower 3.2 and later, vault credentials and machine credentials are separate entities.
When creating a new credential type, you are responsible for avoiding collisions in the extra_vars, env, and file namespaces. Also, avoid environment variable or extra variable names that start with ANSIBLE_ because they are reserved. You must have Superuser permissions to be able to create and edit a credential type (CredentialType) and to be able to view the CredentialType.injection field.
In 3.8, Tower introduced a new “managed by Tower” credential type of kind=galaxy
, which represents a content source for fetching collections defined in requirements.yml
when project updates are run (e.g., galaxy.ansible.com, cloud.redhat.com, on-premise Automation Hub). This new type will represent a URL and (optional) authentication details necessary to construct the environment variables when a project update runs ansible-galaxy collection install
as described in the Ansible documentation, Configuring the ansible-galaxy client. It has fields which map directly to the configuration options exposed to the Ansible Galaxy CLI, e.g., per-server. An endpoint in the Tower API reflects an ordered list of these credentials at the Organization level:
/api/v2/organizations/N/galaxy_credentials/
Installations of Ansible Tower 3.8 migrates existing Galaxy-oriented setting values in such a way that post-upgrade, proper credentials are created and attached to every Organization in the Tower install. After upgrading to 3.8, every organization that existed prior to upgrade now has a list of (one or more) “Galaxy” credentials associated with it.
Additionally, post-upgrade, these settings are not be visible (or editable) from the /api/v2/settings/jobs/
endpoint.
Tower should still continue to fetch roles directly from public Galaxy even if galaxy.ansible.com is not the first credential in the list for the Organization. The global “Galaxy” settings are no longer configured at the jobs level, but at the Organization level in the Tower User Interface. The Organization’s Add and Edit windows have an optional Credential lookup field for credentials of kind=galaxy
.
It is very important to specify the order of these credentials as order sets precedence for the sync and lookup of the content. For more information, see Creating a New Organization. For detail on how to set up a project using collections, see Using Collections in Tower.
Support for version 2 of the API (api/v2/
) means a one-to-many relationship for Job Templates to credentials (including multi-cloud support). Credentials can be filtered using the v2 API:
$ curl "https://tower.example.org/api/v2/credentials/?credential_type__namespace=aws"
In the V2 CredentialType model, the relationships are defined as follows:
Machine | SSH |
Vault | Vault |
Network | Sets environment variables (e.g., |
SCM | Source Control |
Cloud | EC2, AWS |
Lots of others | |
Insights | Insights |
Galaxy | galaxy.ansible.com, cloud.redhat.com |
on-premise Automation Hub |
Access the Credentials from clicking the Credential Types () icon from the left navigation bar. If no custom credential types have been created, the Credential Types view will not have any to display and will prompt you to add one:
If credential types have been created, this page displays a list of all existing and available Credential Types.
To view more information about a credential type, click on its name or the Edit () button from the Actions column.
Each credential type displays its own unique configurations in the Input Configuration field and the Injector Configuration field, if applicable. Both YAML and JSON formats are supported in the configuration fields.
To create a new credential type:
Click the button located in the upper right corner of the Credential Types screen.
Enter the appropriate details in the Name and Description field.
Note
When creating a new credential type, do not use reserved variable names that start with ANSIBLE_
for the INPUT and INJECTOR names and IDs, as they are invalid for custom credential types.
In the Input Configuration field, specify an input schema which defines a set of ordered fields for that type. The format can be in YAML or JSON, as shown:
YAML
fields: - type: string id: username label: Username - type: string id: password label: Password secret: true required: - username - passwordView more YAML examples at http://www.yaml.org/start.html.
JSON
{ "fields": [ { "type": "string", "id": "username", "label": "Username" }, { "secret": true, "type": "string", "id": "password", "label": "Password" } ], "required": ["username", "password"] }View more JSON examples at www.json.org.
The configuration in JSON format below show each field and how they are used:
{ "fields": [{ "id": "api_token", # required - a unique name used to # reference the field value "label": "API Token", # required - a unique label for the # field "help_text": "User-facing short text describing the field.", "type": ("string" | "boolean") # defaults to 'string' "choices": ["A", "B", "C"] # (only applicable to `type=string`) "format": "ssh_private_key" # optional, can be used to enforce data # format validity for SSH private key # data (only applicable to `type=string`) "secret": true, # if true, the field value will be encrypted "multiline": false # if true, the field should be rendered # as multi-line for input entry # (only applicable to `type=string`) },{ # field 2... },{ # field 3... }], "required": ["api_token"] # optional; one or more fields can be marked as required },
When type=string
, fields can optionally specify multiple choice options:
{ "fields": [{ "id": "api_token", # required - a unique name used to reference the field value "label": "API Token", # required - a unique label for the field "type": "string", "choices": ["A", "B", "C"] }] },
In the Injector Configuration field, enter environment variables or extra variables that specify the values a credential type can inject. The format can be in YAML or JSON (see examples in the previous step). The configuration in JSON format below show each field and how they are used:
{
"file": {
"template": "[mycloud]\ntoken={{ api_token }}"
},
"env": {
"THIRD_PARTY_CLOUD_API_TOKEN": "{{ api_token }}"
},
"extra_vars": {
"some_extra_var": "{{ username }}:{{ password }}"
}
}
Credential Types can also generate temporary files to support .ini files or certificate/key data:
{
"file": {
"template": "[mycloud]\ntoken={{ api_token }}"
},
"env": {
"MY_CLOUD_INI_FILE": "{{ tower.filename }}"
}
}
In this example, Tower will write a temporary file that contains:
[mycloud]\ntoken=SOME_TOKEN_VALUE
The absolute file path to the generated file will be stored in an environment variable named MY_CLOUD_INI_FILE
.
An example of referencing multiple files in a custom credential template is as follows:
Inputs
{
"fields": [{
"id": "cert",
"label": "Certificate",
"type": "string"
},{
"id": "key",
"label": "Key",
"type": "string"
}]
}
Injectors
{
"file": {
"template.cert_file": "[mycert]\n{{ cert }}",
"template.key_file": "[mykey]\n{{ key }}"
},
"env": {
"MY_CERT_INI_FILE": "{{ tower.filename.cert_file }}",
"MY_KEY_INI_FILE": "{{ tower.filename.key_file }}"
}
}
Click Save when done.
Scroll down to the bottom of the screen and your newly created credential type appears on the list of credential types:
Click to modify or to remove the credential type options under the Actions column.
Note
If deleting a credential type that is being used by a credential, you must delete the credential type from all the credentials that use it before you can delete it. Below is an example of such a message:
Verify that the newly created credential type can be selected from the Credential Type selection window when creating a new credential:
For details on how to create a new credential, see Credentials.
Users and admins upload machine and cloud credentials to Tower so that it can access machines and external services on their behalf. By default, sensitive credential values (such as SSH passwords, SSH private keys, API tokens for cloud services) in Tower are stored in the database after being encrypted. With external credentials backed by credential plugins, you can map credential fields (like a password or an SSH Private key) to values stored in a secret management system instead of providing them to Tower directly. Ansible Tower provides a secret management system that include integrations for:
CyberArk Application Identity Manager (AIM)
CyberArk Conjur
HashiCorp Vault Key-Value Store (KV)
HashiCorp Vault SSH Secrets Engine
Microsoft Azure Key Management System (KMS)
These external secret values will be fetched prior to running a playbook that needs them. For more information on specifying these credentials in the Tower User Interface, see Credentials.
When configuring Tower to pull a secret from a 3rd-party system, it is in essence linking credential fields to external systems. To link a credential field to a value stored in an external system, select the external credential corresponding to that system and provide metadata to look up the desired value. The metadata input fields are part of the external credential type definition of the source credential.
Tower provides a credential plugin interface for developers, integrators, admins, and power-users with the ability to add new external credential types to Tower so it can be extended to support other secret management systems. For more detail, see the development docs for credential plugins.
Use the Ansible Tower User Interface to configure and use each of the supported 3-party secret management systems.
First, create an external credential for authenticating with the secret management system. At minimum, provide a name for the external credential and select one of the following for the Credential Type:
Navigate to the credential form of the target credential and link one or more input fields to the external credential along with metadata for locating the secret in the external system. In this example, the Demo Credential is the target credential.
For any of the fields below the Type Details area that you want to link to the external credential, click the button of the input field. You are prompted to set the input source to use to retrieve your secret information.
Select the credential you want to link to, and click Next. This takes you to the Metadata tab of the input source. This example shows the Metadata prompt for HashiVault Secret Lookup.
The metadata required depends on the input source selected:
Input Source | Metadata | Description |
---|---|---|
CyberArk AIM | Object Query (Required) | Lookup query for the object. |
Object Query Format | Select | |
Reason | If required per the object’s policy, supply a reason for checking out the secret, as CyberArk logs those. | |
CyberArk Conjur | Secret Identifier | The identifier for the secret. |
Secret Version | Specify a version of the secret, if necessary, otherwise, leave it empty to use the latest version. | |
HashiVault Secret Lookup | Name of Secret Backend | Specify the name of the KV backend to use. Leave it blank to use the first path segment of the Path to Secret field instead. |
Path to Secret (required) | Specify the path to where the secret information is stored (e.g., /path/username). | |
Key Name (required) | Specify the name of the key to look up the secret information. | |
Secret Version (V2 Only) | Specify a version if necessary, otherwise, leave it empty to use the latest version. | |
HashiCorp Signed SSH | Unsigned Public Key (required) | Specify the public key of the cert you want to get signed. It needs to be present in the authorized keys file of the target host(s). |
Path to Secret (required) | Specify the path to where the secret information is stored (e.g., /path/username). | |
Role Name (required) | A role is a collection of SSH settings and parameters that are stored in Hashi vault. Typically, you can specify a couple of them with different privileges, timeouts, etc. So you could have a role that is allowed to get a cert signed for root, and other less privileged ones, for example. | |
Valid Principals | Specify a user (or users) other than the default, that you are requesting vault to authorize the cert for the stored key. Hashi vault has a default user for whom it signs (e.g., ec2-user). | |
Azure KMS | Secret Name (required) | The actual name of the secret as it is referenced in Azure’s Key vault app. |
Secret Version | Specify a version of the secret, if necessary, otherwise, leave it empty to use the latest version. |
Click Test to verify connection to the secret management system. If the lookup is unsuccessful, an error message like this one displays:
When done, click OK. This closes the prompt window and returns you to the Details screen of your target credential. Repeat these steps, starting with step 3 above to complete the remaining input fields for the target credential. By linking the information in this manner, Tower retrieves sensitive information, such as username, password, keys, certificates, and tokens from the 3rd-party management systems and populates that data into the remaining fields of the target credential form.
If necessary, supply any information manually for those fields that do not use linking as a way of retrieving sensitive information. Refer to the appropriate Credential Types for more detail about each of the fields.
Click Save when done.
You need the CyberArk Central Credential Provider web service running to store secrets in order for this integration to work. When CyberArk AIM Credential Provider Lookup is selected for Credential Type, provide the following metadata to properly configure your lookup:
CyberArk AIM URL (required): provide the URL used for communicating with CyberArk AIM’s secret management system
Application ID (required): specify the identifier given by CyberArk AIM services
Client Key: paste the client key if provided by CyberArk
Client Certificate: include the BEGIN CERTIFICATE
and END CERTIFICATE
lines when pasting the certificate, if provided by CyberArk
Verify SSL Certificates: this option is only available when the URL uses HTTPS. Check this option to allow Tower to verify the server’s SSL certificate is valid and trusted. Environments that use internal or private CA’s should leave this option unchecked to disable verification.
Below shows an example of a configured CyberArk AIM credential.
When CyberArk Conjur Secret Lookup is selected for Credential Type, provide the following metadata to properly configure your lookup:
Conjur URL (required): provide the URL used for communicating with CyberArk Conjur’s secret management system
API Key (required): provide the key given by your Conjur admin
Account (required): the organization’s account name
Username (required): the specific authenticated user for this service
Public Key Certificate: include the BEGIN CERTIFICATE
and END CERTIFICATE
lines when pasting the public key, if provided by CyberArk
Below shows an example of a configured CyberArk Conjur credential.
When HashiCorp Vault Secret Lookup is selected for Credential Type, provide the following metadata to properly configure your lookup:
Server URL (required): provide the URL used for communicating with HashiCorp Vault’s secret management system
Token (required): specify the access token used to authenticate HashiCorp’s server
API Version (required): select v1 for static lookups and v2 for versioned lookups
Below shows an example of a configured HashiCorp KV credential.
When HashiCorp Vault Signed SSH is selected for Credential Type, provide the following metadata to properly configure your lookup:
Server URL (required): provide the URL used for communicating with HashiCorp Signed SSH’s secret management system
Token (required): specify the access token used to authenticate HashiCorp’s server
Below shows an example of a configured HashiCorp SSH Secrets Engine credential.
When Microsoft Azure Key Vault is selected for Credential Type, provide the following metadata to properly configure your lookup:
Vault URL (DNS Name) (required): provide the URL used for communicating with MS Azure’s key management system
Client ID (required): provide the identifier as obtained by the Azure Active Directory
Client Secret (required): provide the secret as obtained by the Azure Active Directory
Tenant ID (required): provide the unique identifier that is associated with an Azure Active Directory instance within an Azure subscription
Below shows an example of a configured Microsoft Azure KMS credential.
Creating and configuring token-based authentication for external applications is available starting in Ansible Tower 3.3. This makes it easier for external applications such as ServiceNow and Jenkins to integrate with Ansible Tower. OAuth 2 allows you to use tokens to share certain data with an application without disclosing login information, and furthermore, these tokens can be scoped as “read-only”. In Tower, you create an application that is representative of the external application you are integrating with, then use it to create tokens for that application to use on behalf of the users of the external application.
Having these Tower-issued tokens associated to an application resource gives you the ability to manage all tokens issued for a particular application more easily. By separating token issuance under Applications, you can revoke all tokens based on the Application without having to revoke all tokens in the system.
When integrating an external web app with Ansible Tower that web app may need to create OAuth2 Tokens on behalf of users in that other web app. Creating an application in Tower with the Authorization Code grant type is the preferred way to do this because:
external applications can obtain a token from Tower for users, using their credentials
compartmentalized tokens issued for a particular application, allows those tokens to be easily managed (revoke all tokens associated with that application, for example)
Access the Applications page by clicking the Applications () icon from the left navigation bar. The Applications page displays a search-able list of all available Applications currently managed by Tower and can be sorted by Name.
If no other applications exist, only a gray box with a message to add applications displays.
Token-based authentication for users can be configured in the Applications window.
In the Ansible Tower User Interface, click the Applications () icon from the left navigation bar.
The Applications window opens.
Click the button located in the upper right corner of the Applications window.
The New Application window opens.
Enter the following details in Create New Application window:
Name (required): provide a name for the application you want to create
Description: optionally provide a short description for your application
Organization (required): provide an organization for which this application is associated
Authorization Grant Type (required): Select from one of the grant types to use in order for the user to acquire tokens for this application. Refer to grant types in the Applications section of the Ansible Tower Administration Guide.
Redirect URIS: Provide a list of allowed URIs, separated by spaces. This is required if you specified the grant type to be Authorization code.
Client Type (required): Select the level of security of the client device
When done, click Save or Cancel to abandon your changes
Selecting the Tokens view displays a list of the users that have tokens to access the application.
Tokens can only access resources that its associated user can access, and can be limited further by specifying the scope of the token.
Tokens are added through the Users screen and can be associated with an application at that time. Specifying an application can be performed directly in the User’s token settings. You can create a token for your user in the Tokens configuration tab, meaning only you can create and see your tokens in your own user screen. To add a token:
Access the Users list view by clicking the Users () icon from the left navigation bar then click on your user to configure your OAuth 2 tokens.
Note:
You can only create OAuth 2 Tokens for your user via the API or UI, which means you can only access your own user profile in order to configure or view your tokens. If you are an admin and need to create or remove tokens for other users, see the revoke and create commands in the Token and session management section of the Ansible Tower Administration Guide.
Click the Tokens tab from your user’s profile.
When no tokens are present, the Tokens screen prompts you to add them:
Click the button, which opens the Create Token window.
Enter the following details in Create Token window:
Application: enter the name of the application with which you want to associate your token. Alternatively, you can search for it by clicking the button. This opens a separate window that allows you to choose from the available options. Use the Search bar to filter by name if the list is extensive. Leave this field blank if you want to create a Personal Access Token (PAT) that is not linked to any application.
Description: optionally provide a short description for your token.
Scope (required): specify the level of access you want this token to have.
When done, click Save or Cancel to abandon your changes.
After the token is saved, the newly created token for the user displays with the token information and when it expires.
Note:
This is the only time the token value and associated refresh token value will ever be shown.
In the user’s profile, the application for which it is assigned to and its expiration displays in the token list view.
To verify the application in the example above now shows the user with the appropriate token, go to the Tokens tab of the Applications window:
PCC-IT International, Division of Power Capital Management, Inc. © 2024 All rights reserved.