Using Machine credentials from AAP passed to playbook with ansible.windows.win_copy fails

Question

Using Machine credentials from AAP passed to playbook with ansible.windows.win_copy fails

rbukovansky opened this issue 4 months ago · 3 comments

SUMMARY

Using ansible_become_user and ansible_become_password with ansible.windows.win_copy module with credentials passed from Machine credentials defined in Ansible Automation Platform returns error

ISSUE TYPE

Bug Report

COMPONENT NAME

ansible.windows.win_copy module

ANSIBLE VERSION

ansible-playbook [core 2.15.8]
  config file = /runner/project/ansible.cfg
  configured module search path = ['/home/runner/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.9/site-packages/ansible
  ansible collection location = /runner/requirements_collections:/home/runner/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible-playbook
  python version = 3.9.18 (main, Sep 22 2023, 17:58:34) [GCC 8.5.0 20210514 (Red Hat 8.5.0-20)] (/usr/bin/python3.9)
  jinja version = 3.1.2
  libyaml = True

COLLECTION VERSION

ansible.windows 2.2.0

CONFIGURATION

Unable to gather, restricted access to Ansible Automation Platform.

OS / ENVIRONMENT

RH Ansible Automation Platform

STEPS TO REPRODUCE

1] Add Machine credentials in AAP (just username and password)
2] Add these credentials to Job Template
3] Try to use "ansible_user" and "ansible_password" facts (where the credentials are passed) with ansible.windows.win_copy module

- name: "Debug ansible_user"
  ansible.builtin.debug:
    msg: "{{ ansible_user }}"

- name: "Copy result file to windows share"
  ansible.windows.win_copy:
    src: "{{ results_pathname }}"
    dest: "{{ win_share_target_path }}\\"
  vars:
    ansible_become_user: "{{ ansible_user }}"
    ansible_become_password: "{{ ansible_password }}"
    ansible_remote_tmp: 'c:\tmp'

EXPECTED RESULTS

File is copied to target share

ACTUAL RESULTS

File is not copied over, instead I'm getting this error:

TASK [Debug ansible_user] ******************************************************
task path: /runner/project/include/transfer_to_share.yml:6
ok: [localhost] => {
    "msg": "ta2nabb"
}

TASK [Copy result file to windows share] ************************************
task path: /runner/project/include/transfer_to_share.yml:19
fatal: [localhost]: FAILED! => {
    "msg": "The field 'become_user' has an invalid value, which includes an undefined variable. The error was: {{ ansible_user }}: 'ansible_user' is undefined. 'ansible_user' is undefined. {{ ansible_user }}: 'ansible_user' is undefined. 'ansible_user' is undefined. {{ ansible_user }}: 'ansible_user' is undefined. 'ansible_user' is undefined. {{ ansible_user }}: 'ansible_user' is undefined. 'ansible_user' is undefined"
}

Answer 1 · 2024-05-24T09:33:44.000Z

So, setting facts with the same name "ansible_user" and "ansible_password" solves this issue:

- name: "Set ansible_user and ansible_password facts"
  ansible.builtin.set_fact:
    ansible_user: "{{ ansible_user }}"
    ansible_password: "{{ ansible_password }}"

But why?

Answer 2 · 2024-06-03T03:33:37.000Z

The error would seem to indicate that the value has some sort of recursive template happening. I'm not sure how Controller sets those connection vars but I believe there are a few other possible options available to use here

Use the lookup('config') plugin to lookup the vars based on the connection plugin

This will go through the same config system as the connection plugin used to get the value requested. In this case you would want something like

- ansible.windows.win_ping:
  become: true
  become_method: runas
  vars:
    ansible_become_user: '{{ lookup("config", "remote_user", plugin_type="connection", plugin_name=ansible_connection) }}'
    ansible_become_pass: '{{ lookup("config", "remote_password", plugin_type="connection", plugin_name=ansible_connection) }}'

The config option is derived from the documented options under the connection plugin, for example with winrm you can see these options under its documentation. The downside of this approach is that it's a lot more verbose.

Use the become machine credential in Controller

This is done through a machine credential where you can configure the relevant privilege escalation sections to set the required variables https://docs.ansible.com/automation-controller/4.0.0/html/userguide/credentials.html#machine. This would be my recommended approach when using Controller/Tower/AWX here.