Ansible module fails when using keeper_config variable #573

Open
mhexp opened this issue Feb 21, 2024 · 3 comments

mhexp commented Feb 21, 2024

I'm trying to retrieve a field from a record using Ansible collection keepersecurity.keeper_secrets_manager version 1.2.2 and Ansible version 2.16.3.

Per the docs I want to use a base64 encoded KSM config and am trying to use the keeper_config variable to do so, but it's resulting in an error. The play is reading the base64 encoded KSM_CONFIG string from environment variable KSM_CONFIG_RUNNER like so:

$ echo $KSM_CONFIG_RUNNER
eyJob3N0b ... QnM9In0=

Ansible playbook:

---
- name: Add users to DB after schema applied
  hosts: all
  roles:
    - mariadb-users

And the role tasks:

---
- name: Fetch password
  vars:
    keeper_config: "{{ lookup('ansible.builtin.env', 'KSM_CONFIG_RUNNER') }}"
  keepersecurity.keeper_secrets_manager.keeper_get:
    uid: "{{ record_uid }}"
    field: "password"
  register: got_password

- name: Show var
  ansible.builtin.debug:
    var: got_password

The response I'm getting is:

TASK [mariadb-users : Fetch password] ***************************************************************************************************************************************
task path: /path/to/ansible/roles/mariadb-users/tasks/main.yml:9
Keeper Secrets Manager is not using a DR file cache.
Loading keeper config from Ansible vars.
Expecting property name enclosed in double quotes: line 1 column 2 (char 1)
fatal: [inventory-hostname]: FAILED! => {
    "msg": "Keeper Ansible error: object of type 'NoneType' has no len()"
}

What I expect to see is no failure and the retrieved result to be printed to the console.

Author

mhexp commented Feb 21, 2024

Note that if I put the base64 blob into the code as follows, it works. Something about the environment variable lookup is causing the issue? Apologies in advance if this turns out not to be an issue with the Ansible collection.

Role:

---
- name: Fetch password
  vars:
    keeper_config: "eyJob3N0b...QnM9In0="
  keepersecurity.keeper_secrets_manager.keeper_get:
    uid: "{{ record_uid }}"
    field: "password"
  register: got_password

- name: Show var
  ansible.builtin.debug:
    var: got_password

And its successful output:

TASK [mariadb-users : Fetch password] ***************************************************************************************************************************************
ok: [inventory-hostname]

TASK [mariadb-users : Show var] *****************************************************************************************************************************************************
ok: [inventory-hostname] => {
    "got_password": {
        "changed": false,
        "failed": false,
        "value": "the_password"
    }
}

Author

mhexp commented Feb 21, 2024

Also note, using set_fact works but setting vars on the play does not.

- name: Import KSM_CONFIG from environment
  set_fact:
    keeper_config: "{{ lookup('ansible.builtin.env', 'KSM_CONFIG_RUNNER') }}"

- name: Fetch password
  keepersecurity.keeper_secrets_manager.keeper_get:
    uid: "{{ record_uid }}"
    field: "password"
  register: the_password

@jwalstra-keeper
Contributor

It looks like you cannot do a lookup in the vars section for our plugin. When the plugin initializes the task step, it is getting "" from lookup('ansible.builtin.env', 'KSM_CONFIG_RUNNER'). This will throw the FAILED! => {"msg": "Keeper Ansible error: object of type 'NoneType' has no len()"} error.

It looks like some internals of Ansible haven't populated the env value for the lookup to get the value at the point where the plugin uses the config.
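Added example, not part of the issue thread and not the collection's own code: a pre-flight check that rejects an empty, unrendered or malformed keeper_config with a specific message instead of a NoneType error. It assumes the value is standard base64 wrapping a JSON object; decode_keeper_config and KeeperConfigError are hypothetical names, and the sample config is constructed.

```python
import base64
import binascii
import json


class KeeperConfigError(ValueError):
    """Hypothetical error type: the value cannot be a base64 KSM config."""


def decode_keeper_config(value):
    """Decode a base64 keeper_config string into a dict, or fail clearly.

    Error messages describe the failure only; they never echo the value,
    because a valid keeper_config carries credentials.
    """
    if value is None or not str(value).strip():
        raise KeeperConfigError(
            "keeper_config is empty; check that the environment variable is "
            "set and that the lookup resolved before the task ran")
    text = str(value).strip()
    # A value that still contains Jinja2 delimiters was never templated.
    if "{{" in text or "{%" in text:
        raise KeeperConfigError("keeper_config is an unrendered template")
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise KeeperConfigError("keeper_config is not valid base64") from exc
    try:
        config = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise KeeperConfigError("decoded keeper_config is not JSON") from exc
    if not isinstance(config, dict) or not config:
        raise KeeperConfigError("decoded keeper_config is not a JSON object")
    return config


# Constructed sample, not a real Keeper configuration.
SAMPLE_CONFIG = base64.b64encode(
    json.dumps({"hostname": "example.invalid"}).encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    print(sorted(decode_keeper_config(SAMPLE_CONFIG)))
    for candidate in ("", "{{ lookup('ansible.builtin.env', 'KSM_CONFIG_RUNNER') }}"):
        try:
            decode_keeper_config(candidate)
        except KeeperConfigError as err:
            print("rejected:", err)
```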
