CyberArk Conjur Secret Lookup - Ansible

Hi Everyone,

Is there CyberArk documentation around the Ansible Tower / Conjur integration for the below?

https://docs.ansible.com/ansible-tower/latest/html/userguide/credential_plugins.html#cyberark-conjur-secret-lookup

We’re attempting to do this right now and have been encountering some issues. I was hoping there was some more in depth information as the link above is a little light.

Hey @Mitch

Our Ansible docs are located here

We’ve also recently migrated our conjur_variable lookup plugin to a new Conjur collection - the source for that is here.

Can you share more details about the issue you’re running into? It may help us to improve the documentation for the next person who is following it.

Thanks!

@Mitch,

Are you on Ansible Tower 3.5.1 or above? If so (or if not, too), I’ll be hosting a webinar relevant to you on Thursday at DevOps.com:

Feel free to sign up and I’ll be giving a live demo on integrating and using CyberArk Conjur natively with Ansible Tower.

Red Hat Ansible Automation Platform Integration.docx (543.2 KB)

@Mitch,

I’ve also included full documentation based on my experience. This isn’t available on our documentation yet, but is undergoing the process for being added.

@joe.garcia I just signed up! Looking forward to it.

This documentation is definitely valuable so thank you for forwarding this along. Everything we’ve set up on our side checks out against this so we’ll look at some logs to troubleshoot further but it’s valuable to know we’re on the right track.

Thanks!


Hey @izgerij - We’re trying to use the CyberArk Conjur Secret Lookup shipped with our version of Ansible. When we try to look up a secret using a host/API key combo outside of Ansible (e.g. a REST call via PowerShell / curl) it works fine, but when we use the Lookup plugin from the Tower UI the test fails.

I suspect a certificate issue but we’re going to try to take a closer look at some logs to see exactly what’s going on under the hood.


Hi Mitch,

Could you provide the secret ID you are using? (I do not need the secret value, just the ID.)

You can obtain the conjur certificate by performing the command below:

openssl s_client -showcerts -connect <conjur_host_name>:443 < /dev/null 2> /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

Make sure the <conjur_host_name> is the host name of the instance you are connecting to from Ansible Tower. Also do not include https:// or http://. This command should print out a certificate chain with 2 certificates.

Thanks,
Andrew
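As an added illustration of the steps in Andrew's reply (this is not code from the thread or from CyberArk), the helper below normalises a pasted host name so it carries no https:// or http:// prefix, fetches the chain with the same openssl pipeline, and checks that a saved chain file holds the expected two certificates before it is pasted into the Tower credential. The function names and the hypothetical conjur.example.com host are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread or CyberArk's docs.

# Strip a scheme, path and trailing slash that may have been pasted by mistake,
# so only the bare host name is used in the -connect argument.
normalize_host() {
  h="$1"
  h="${h#https://}"
  h="${h#http://}"
  h="${h%%/*}"
  printf '%s\n' "$h"
}

# Count the PEM certificate blocks in the text read from stdin.
count_pem_certs() {
  grep -c -- '-BEGIN CERTIFICATE-'
}

# Fetch the server's certificate chain (Andrew's one-liner, with the
# normalised host name) and print only the PEM blocks.
fetch_chain() {
  host="$(normalize_host "$1")"
  port="${2:-443}"
  openssl s_client -showcerts -connect "${host}:${port}" </dev/null 2>/dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Verify that a saved chain file contains exactly the expected number of
# certificates (the thread expects 2). Returns 0 on match, 1 otherwise.
check_chain_file() {
  file="$1"
  expected="${2:-2}"
  n="$(count_pem_certs < "$file")"
  if [ "$n" -eq "$expected" ]; then
    echo "ok: $n certificates in $file"
    return 0
  fi
  echo "unexpected: $n certificates in $file (expected $expected)" >&2
  return 1
}

# Typical use (needs network access to the Conjur host):
#   fetch_chain https://conjur.example.com > conjur-chain.pem
#   check_chain_file conjur-chain.pem 2
```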

Hi @Mitch,

Once you take a closer look, can you share errors and more information from the logs?
Also, are we talking Ansible Tower, or Core? From your description it looks like you are referring to the Conjur Secret lookup plugin and running it from core (not Tower), just verifying.

Thanks,

-Edward

Hi @enunez and @AndrewCopeland,

We are running this from Ansible Tower. I ran the command you’ve provided and pulled the cert chain but it was the cert chain we were using. I’ve tried analyzing the cert chain and using it in a few different combinations but alas no luck.

Here are some logs from the Ansible side:

2020-05-26 21:28:20,554 WARNING awx.api.generics status 403 received by user attempting to access /api/v2/credentials/110/test/ from
2020-05-26 21:28:22,011 WARNING awx.api.generics status 403 received by user attempting to access /api/v2/credentials/110/test/ from

I can’t see anything on the DAP side for logs. I’ve been looking at the nginx access.log and can’t see the expected incoming request from Ansible.

It looks like we aren’t even reaching the part where Ansible makes the request to Conjur. The error looks like an AWX/Tower issue. I believe this error is returned when you are pressing Test but logged in as a non-root user. I believe this is a Tower/AWX issue. Could you Test under the admin user? If that is not possible, could you pull the secret from a job?

Thanks,
Andrew

Thanks Andrew. After running it as an admin user the error changed and we received the below. It seems like we’re still not able to make a connection.

2020-05-28 13:56:11,653 WARNING awx.api.generics status 400 received by user admin attempting to access /api/v2/credentials/110/test/ from

Are there any logs on the Ansible side that would help look into the issue?