On my local machine I set the following environment vars:

    export AWS_ACCESS_KEY='xxxx'
    export AWS_SECRET_KEY='xxxx'
    export AWS_REGION='us-east-1'

Then in a playbook I put this:

    ...
    tasks:
      - name: Get some secrets
        vars:
          db_password: "{{ lookup('amazon.aws.aws_secret', 'DB_PASSWORD') }}"
        debug:
          msg: "{{ db_password }}"
    ...

When running the playbook the connection to AWS secrets works just fine, the necessary AWS variables are taken from the environment and I get the proper value in db_password.

When I'm trying to do the same in AWX, I set the above three variables in the section Settings > Job Settings > Extra Environment Variables:

    {
      "AWS_ACCESS_KEY": "xxx",
      "AWS_SECRET_KEY": "xxx",
      "AWS_REGION": "us-east-1"
    }

Now, when I'm running a playbook from AWX containing the above code "{{ lookup('amazon.aws.aws_secret', 'DB_PASSWORD') }}" I get the error that I need to specify a region, and if I set the region manually like "{{ lookup('amazon.aws.aws_secret', 'DB_PASSWORD', region='us-east-1') }}" I get the error that AWX can't find the credentials.

So, for some reason these three variables are not read from the extra environment variables.

To make it work I had to write the following code in the playbook:

    region: "{{ lookup('env', 'AWS_REGION') }}"
    aws_access_key: "{{ lookup('env', 'AWS_ACCESS_KEY') }}"
    aws_secret_key: "{{ lookup('env', 'AWS_SECRET_KEY') }}"
    db_password: "{{ lookup('amazon.aws.aws_secret', 'DB_PASSWORD', aws_access_key=aws_access_key, aws_secret_key=aws_secret_key, region=region) }}"

But I don't like this solution and I would prefer to avoid explicitly setting those three vars in the lookup and somehow tell AWX to take these three values from the extra environment variables. Is there any way to achieve this?