Inventory Plugin ignores ANSIBLE_AZURE_AUTH_SOURCE, AZURE_CLIENT_ID env variables #712

Closed
kingsleyadam opened this issue Dec 20, 2021 · 4 comments · Fixed by #713
Labels: bug (Something isn't working), has_pr (PR fixes have been made), medium_priority (Medium priority), new_feature (New feature requirements)

@kingsleyadam
Contributor

SUMMARY

When setting the environment variable ANSIBLE_AZURE_AUTH_SOURCE, the inventory plugin ignores the setting and reverts to using the auto auth source, which, if nothing else is set, reverts to cli.

Also, when setting auth_source: msi, we should also be able to set the AZURE_CLIENT_ID environment variable to tell the auth mechanism which user-assigned identity to use (if multiple are set) when authenticating with managed identities.

ISSUE TYPE
  • Bug Report

COMPONENT NAME

plugin: azure.azcollection.azure_rm

ANSIBLE VERSION

ansible 2.9.27
  config file = /opt/ansible-repo/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/stackstorm/virtualenvs/ansible/lib/python3.8/site-packages/ansible
  executable location = /opt/stackstorm/virtualenvs/ansible/bin/ansible
  python version = 3.8.10 (default, Sep 28 2021, 16:10:42) [GCC 9.3.0]

COLLECTION VERSION

v1.10.0

CONFIGURATION

ANSIBLE_PIPELINING(/opt/ansible-repo/ansible.cfg) = True
COLLECTIONS_PATHS(/opt/ansible-repo/ansible.cfg) = ['/root/.ansible/collections', '/opt/ansible-repo/collections']
DEFAULT_FORKS(/opt/ansible-repo/ansible.cfg) = 50
DEFAULT_HOST_LIST(/opt/ansible-repo/ansible.cfg) = ['/opt/ansible-repo/hosts']
DEFAULT_LOOKUP_PLUGIN_PATH(/opt/ansible-repo/ansible.cfg) = ['/root/.ansible/plugins/lookup', '/usr/share/ansible/plugins/lookup', '/opt/ansible-repo/lookup_plugins']
DEFAULT_ROLES_PATH(/opt/ansible-repo/ansible.cfg) = ['/root/.ansible/roles', '/opt/ansible-repo/roles']
DEFAULT_SCP_IF_SSH(/opt/ansible-repo/ansible.cfg) = True
DEFAULT_TIMEOUT(/opt/ansible-repo/ansible.cfg) = 30
HOST_KEY_CHECKING(/opt/ansible-repo/ansible.cfg) = False
HOST_PATTERN_MISMATCH(/opt/ansible-repo/ansible.cfg) = ignore
INVENTORY_ENABLED(/opt/ansible-repo/ansible.cfg) = ['amazon.aws.aws_ec2', 'amazon.aws.aws_rds', 'azure.azcollection.azure_rm', 'constructed', 'ini', 'yaml', 'host_list']
RETRY_FILES_SAVE_PATH(/opt/ansible-repo/ansible.cfg) = /root

OS / ENVIRONMENT

Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.3 LTS
Release:	20.04
Codename:	focal

STEPS TO REPRODUCE

Inventory Plugin Example

---
plugin: azure.azcollection.azure_rm
# auth_source: cli # Set this with environment variable ANSIBLE_AZURE_AUTH_SOURCE
include_vm_resource_groups:
  - '*'
hostnames:
  - default
exclude_host_filters:
  - powerstate != 'running'
hostvar_expressions:
  ansible_host: private_ipv4_addresses | first

Environment Variables

export ANSIBLE_AZURE_AUTH_SOURCE=msi
export AZURE_CLIENT_ID=<user assigned client id>

Playbook

---
- hosts: all
  tasks:
    - name: Ping hosts
      ping:

EXPECTED RESULTS

I would expect the inventory plugin to use MSI authentication with the AZURE_CLIENT_ID specified in the environment variable.

ACTUAL RESULTS

MSI authentication is being ignored and it fails to find any authentication mechanisms if the azure cli is not logged in.

Using /opt/ansible-repo/ansible.cfg as config file
[WARNING]:  * Failed to parse /opt/ansible-repo/inventory/ops-az/azure_rm.yml with ansible_collections.azure.azcollection.plugins.inventory.azure_rm plugin: Failed to get credentials. Either pass as parameters, set environment
variables, define a profile in ~/.azure/credentials, or log in with Azure CLI (`az login`).

rvolz commented Feb 14, 2022

The same problem exists with auth_source: env. Setting environment variables AZURE_CLIENT_ID, AZURE_SECRET, AZURE_TENANT and AZURE_SUBSCRIPTION_ID leads to warning messages and then reverts to cli auth, as mentioned above.

Tested with ansible 2.12.1 and azcollection 1.10.0
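
The resolution order that the issue and the comment above expect, sketched as an added example; it is not code from azure.azcollection or from any participant in this thread. The names `resolve_auth` and `AuthSourceError`, the precedence of the inventory file over the environment variable, and raising an error rather than falling back to cli are assumptions.

```python
import os

# Hypothetical model of the behaviour requested in this issue; not azcollection code.
KNOWN_SOURCES = ("auto", "cli", "env", "msi")  # only the sources named on this page
ENV_REQUIRED = ("AZURE_CLIENT_ID", "AZURE_SECRET", "AZURE_TENANT",
                "AZURE_SUBSCRIPTION_ID")


class AuthSourceError(Exception):
    """Raised instead of silently falling back to another credential source."""


def resolve_auth(plugin_options, environ=None):
    """Return the auth source (and MSI client id, if any) that should be used.

    Assumed precedence: auth_source in the inventory file, then
    ANSIBLE_AZURE_AUTH_SOURCE, then "auto".
    """
    environ = os.environ if environ is None else environ
    source = (plugin_options.get("auth_source")
              or environ.get("ANSIBLE_AZURE_AUTH_SOURCE")
              or "auto")
    if source not in KNOWN_SOURCES:
        raise AuthSourceError("unknown auth_source: %r" % source)

    resolved = {"auth_source": source}
    if source == "msi":
        # With several user-assigned identities, AZURE_CLIENT_ID picks one.
        client_id = environ.get("AZURE_CLIENT_ID")
        if client_id:
            resolved["client_id"] = client_id
    elif source == "env":
        # Report missing variable names only; never echo secret values.
        missing = [name for name in ENV_REQUIRED if not environ.get(name)]
        if missing:
            raise AuthSourceError("auth_source=env but unset: " + ", ".join(missing))
    return resolved


if __name__ == "__main__":
    # Constructed environment matching the reproduction steps (placeholder GUID).
    sample_env = {"ANSIBLE_AZURE_AUTH_SOURCE": "msi",
                  "AZURE_CLIENT_ID": "00000000-0000-0000-0000-000000000000"}
    print(resolve_auth({}, sample_env))
```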

xuzhang3 added the bug label on Apr 18, 2022

@testotxt

Hi, any news on this?
On azure.azcollection 1.12.0 this problem seems to still be there.

Thanks

@Fred-sun
Collaborator

@testotxt #713 still needs to be improved, it can't be merged yet! Thank you very much!

Fred-sun added the has_pr, medium_priority and new_feature labels on Jul 30, 2022

@kingsleyadam
Contributor Author

> @testotxt #713 still needs to be improved, it can't be merged yet! Thank you very much!

@Fred-sun, I've added test cases to the PR. Can we review it again to see if we can merge this in? Thanks!
