I’m trying to use the anatomicjc.passbolt collection in our Ansible setup. We use Ansible in combination with AWX and have the collection as well as py-passbolt installed in the AWX Ansible Execution Environment.
The URL/Private key and passphrase are set up as a Credential type within AWX, which exposes those strings as environment variables during the run of the playbook.
My playbook looks like this:
```yaml
---
- name: Test passbolt lookup plugin
  hosts: localhost
  gather_facts: no
  tasks:
    - name: check environment
      ansible.builtin.debug:
        msg: |
          PASSBOLT_BASE_URL: {{ lookup('ansible.builtin.env', 'PASSBOLT_BASE_URL') }}
          PASSBOLT_PRIVATE_KEY: {{ lookup('ansible.builtin.env', 'PASSBOLT_PRIVATE_KEY') }}
          PASSBOLT_PASSPHRASE: {{ lookup('ansible.builtin.env', 'PASSBOLT_PASSPHRASE') }}
    - name: Lookup predefined resource
      ansible.builtin.debug:
        msg: "Password is: {{ lookup('anatomicjc.passbolt.passbolt', 'Ansible predefined test resource').password }}"
```
Output:
ansible-playbook [core 2.15.0]
config file = None
configured module search path = ['/runner/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
ansible collection location = /runner/requirements_collections:/runner/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/local/bin/ansible-playbook
python version = 3.9.18 (main, Sep 7 2023, 00:00:00) [GCC 11.4.1 20230605 (Red Hat 11.4.1-2)] (/usr/bin/python3)
jinja version = 3.1.2
libyaml = True
No config file found; using defaults
Vault password:
host_list declined parsing /runner/inventory/hosts as it did not pass its verify_file() method
Parsed /runner/inventory/hosts inventory source with script plugin
Skipping callback 'awx_display', as we already have a stdout callback.
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
PLAYBOOK: passbolt-test.yml ****************************************************
1 plays in passbolt-test.yml
PLAY [Test passbolt lookup plugin] *********************************************
TASK [check environment] *******************************************************
task path: /runner/project/passbolt-test.yml:6
ok: [localhost] => {
"msg": "PASSBOLT_BASE_URL: https://passbolt.domain.name\\nPASSBOLT_PRIVATE_KEY: -----BEGIN PGP PRIVATE KEY BLOCK-----\\\\n\\\\nXXXXXXXXXXXX\\\\nXXXXXXXXXXXX\\\\n....\\\\n-----END PGP PRIVATE KEY BLOCK-----\\nPASSBOLT_PASSPHRASE: XXXXXXX\\n"
}
TASK [Lookup predefined resource] **********************************************
task path: /runner/project/passbolt-test.yml:12
exception during Jinja2 execution: Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/ansible/template/__init__.py", line 831, in _lookup
ran = instance.run(loop_terms, variables=self._available_variables, **kwargs)
File "/usr/share/ansible/collections/ansible_collections/anatomicjc/passbolt/plugins/lookup/passbolt.py", line 278, in run
self.passbolt_init(variables, kwargs)
File "/usr/share/ansible/collections/ansible_collections/anatomicjc/passbolt/plugins/lookup/passbolt.py", line 248, in passbolt_init
self.p = PassboltAPI(dict_config=self.dict_config)
File "/usr/local/lib/python3.9/site-packages/passbolt/__init__.py", line 28, in __init__
self.key, _ = PGPKey.from_blob(self.config.get("private_key"))
File "/usr/local/lib/python3.9/site-packages/pgpy/types.py", line 195, in from_blob
po = obj.parse(bytearray(blob, 'latin-1'))
TypeError: encoding without a string argument
fatal: [localhost]: FAILED! => {
"msg": "An unhandled exception occurred while running the lookup plugin 'anatomicjc.passbolt.passbolt'. Error was a <class 'TypeError'>, original message: encoding without a string argument. encoding without a string argument"
}
PLAY RECAP *********************************************************************
localhost : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
As you can see, the environment variables are set and readable by ansible.builtin.env (replaced sensitive strings here for posting). But somehow it seems not to be picked up correctly by anatomicjc.passbolt or py-passbolt, as the error tells me that the passed blob coming from self.config.get("private_key") is not a string?
Any idea what could be going wrong here?