How do I run an Ansible playbook from AWX using a Google SA JSON, where the playbook creates/updates/modifies VMs in GCP?
I have an Ansible playbook, which will connect to GCP using an SA and its JSON file.
I have downloaded the JSON file to my local machine and provided the path value to "credentials_file". This works if I run the playbook from my local machine.
Now, I want to run this playbook using AWX, and below are the steps I have done.
- Created a Credential.
  a. Credential Type: Google Compute Engine
  b. Name: ansible-gcp-secret
  c. Under type details, I have uploaded the SA JSON file and it loaded the rest of the data such as SA email, project and RSA key.
- Created a project and synced my git repo, which has my playbook.
- Created a template to run my playbook.
Now, I am not sure how to use the GCP SA credentials in AWX to run my playbook. Any help or documentation would greatly help.
Below is an example of my playbook.
```yaml
- name: Update Machine Type of GCE Instance
  hosts: localhost
  gather_facts: no
  connection: local
  vars:
    instance_name: ansible-test
    machine_type: e2-medium
    image: Debian GNU/Linux 11 (bullseye)
    zone: us-central1-a
    service_account_email: [email protected]
    # Path to the service-account JSON key downloaded locally
    credentials_file: /Users/myuser/ansible/hackthonproject-stg-xxxxx-67d90cb0819c.json
    project_id: project-stg-xxxxx
  tasks:
    - name: Stop (terminate) an instance
      gcp_compute_instance:
        name: "{{ instance_name }}"
        project: "{{ project_id }}"
        zone: "{{ zone }}"
        auth_kind: serviceaccount
        service_account_file: "{{ credentials_file }}"
        status: TERMINATED
```
Comments (1)
Below are the steps we did.
- Created a credential type in AWX to pull the secrets from the vault. Let's say secret_type. This will give out the env key "vaultkv_secret".
- Created a secret to connect to the vault using a token, with type=HC Vault secret lookup, name=vault_token.
- Created another secret to pull the secret (kv type) from the vault, with type=custom_vault_puller (this used the first secret created, "vault_token"). Let's say name=secret_for_template.
- Created the kv secret in the vault and provided the key and the JSON content as the value.
- Created a template and used the secret "secret_for_template", and provided the secret path and key.
Now, when the template is run, the env var "vaultkv_secret" will have the content of the JSON file, and we can save that content as a file and use it as the file input to GCP commands.
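The last step of the answer (save the injected JSON to a file and hand it to the GCP module) is where a key can leak onto the execution node, so here is an added example playbook that is not the answerer's or the poster's code. It assumes the custom credential type injects the key as the environment variable `vaultkv_secret` exactly as described above, that the `google.cloud` collection is present in the execution environment, and that `instance_name`, `zone` and `project_id` are placeholder values. The key is written to a temp file created with owner-only permissions, the tasks that touch it run with `no_log`, and an `always` block deletes the file even if the GCP call fails.

```yaml
---
# Added example, not the original poster's or answerer's playbook.
# Consumes the service-account JSON injected by the AWX custom credential
# type as the env var "vaultkv_secret" (assumed name, taken from the answer),
# keeps it on disk only for the duration of the play, and removes it afterwards.
- name: Change the state of a GCE instance using a service-account key from the AWX environment
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    instance_name: ansible-test          # placeholder
    zone: us-central1-a                  # placeholder
    project_id: project-stg-xxxxx        # placeholder, as in the question
    # The env var name is the one the answer's credential type injects.
    sa_json: "{{ lookup('ansible.builtin.env', 'vaultkv_secret') }}"
  tasks:
    - name: Refuse to continue if the credential was not injected or is not a service-account key
      ansible.builtin.assert:
        that:
          - sa_json | length > 0
          - (sa_json | from_json).type == 'service_account'
        fail_msg: "vaultkv_secret is empty or is not a service-account JSON; check the template's credential"
      no_log: true   # never echo the key material into the job output

    - name: Keep the key file on disk only for as long as this play needs it
      block:
        - name: Create a private temp file for the key (tempfile creates it 0600)
          ansible.builtin.tempfile:
            state: file
            suffix: -gcp-sa.json
          register: sa_file

        - name: Write the JSON content to the temp file, owner read/write only
          ansible.builtin.copy:
            content: "{{ sa_json }}"
            dest: "{{ sa_file.path }}"
            mode: "0600"
          no_log: true

        - name: Stop (terminate) the instance with the injected credential
          google.cloud.gcp_compute_instance:
            name: "{{ instance_name }}"
            project: "{{ project_id }}"
            zone: "{{ zone }}"
            auth_kind: serviceaccount
            service_account_file: "{{ sa_file.path }}"
            status: TERMINATED
      always:
        - name: Remove the key file even if a task above failed
          ansible.builtin.file:
            path: "{{ sa_file.path }}"
            state: absent
          when: sa_file.path is defined
```

If you would rather not handle the file in the playbook at all, AWX custom credential types can also write a secret input to a job-scoped temp file through a `file` injector and expose its path to the job via `{{ tower.filename }}` in an `env` injector; the `google.cloud` modules read `GCP_SERVICE_ACCOUNT_FILE`, `GCP_AUTH_KIND` and `GCP_PROJECT` from the environment, so the playbook then needs no `service_account_file` parameter and AWX removes the file when the job ends.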