Hi,
I’m currently playing with the ansible collection to get and create resources on my self-hosted (docker) passbolt. I’m trying to run the tasks given in the “passbolt/lab-passbolt-ansible-poc”.
Viewing a resource is working well as you can see here:
```
"GET /secrets/resource/55e3d90e-b1b1-4ff8-84d4-97bd8188791d.json HTTP/1.1" 200 1911 "-" "python-httpx/0.23.3"
```
But when I try to create a new one, I get a 403 error code on the POST request:
```
passbolt | 172.19.0.1 - - [22/Oct/2023:16:29:47 +0000] "POST /auth/login.json HTTP/1.1" 200 4030 "-" "python-httpx/0.23.3"
passbolt | 172.19.0.1 - - [22/Oct/2023:16:29:47 +0000] "GET /users/me.json HTTP/1.1" 200 4049 "-" "python-httpx/0.23.3"
passbolt | 172.19.0.1 - - [22/Oct/2023:16:29:47 +0000] "GET / HTTP/1.1" 200 1198 "-" "python-httpx/0.23.3"
passbolt | 172.19.0.1 - - [22/Oct/2023:16:29:47 +0000] "GET /resource-types.json HTTP/1.1" 200 3388 "-" "python-httpx/0.23.3"
passbolt | 172.19.0.1 - - [22/Oct/2023:16:29:47 +0000] "GET /resources.json HTTP/1.1" 200 1126 "-" "python-httpx/0.23.3"
passbolt | 172.19.0.1 - - [22/Oct/2023:16:29:47 +0000] "GET /users/ecb21632-2921-4a4d-96c6-7fa9eb4fe9c3.json HTTP/1.1" 200 4083 "-" "python-httpx/0.23.3"
passbolt | 172.19.0.1 - - [22/Oct/2023:16:29:48 +0000] "POST /resources.json HTTP/1.1" 403 303 "-" "python-httpx/0.23.3"
```
As you can see, the previous requests to authenticate the user and check if the resource already exists seem to succeed. What’s more, this user is admin so I can’t figure out why it is forbidden.
Is it safe to use the ansible collection? It depends on the py-passbolt python module and seems to be experimental. I can’t find much documentation on it or other examples; am I the only one using it? I don’t know if it is better not to use it at all.
Thanks for your help!
Hi,
Thanks for giving this ansible collection a try. Can you share the playbook you are using to create your resource?
Did you set the PASSBOLT_CREATE_NEW_RESOURCE environment variable to true like in the example playbook https://github.com/passbolt/lab-passbolt-ansible-poc/blob/main/playbooks/example-playbook.yml ?
Regards,
Here is the playbook:
```yaml
- hosts: all
  gather_facts: no
  vars_files:
    - keys.yml
  environment:
    PASSBOLT_BASE_URL: "https://localhost:443"
    PASSBOLT_PRIVATE_KEY: "{{ private_key }}"
    PASSBOLT_PASSPHRASE: "{{ passphrase }}"
    PASSBOLT_CREATE_NEW_RESOURCE: 'true'
    PASSBOLT_NEW_RESOURCE_PASSWORD_LENGTH: 12
    PASSBOLT_NEW_RESOURCE_PASSWORD_SPECIAL_CHARS: true
  tasks:
    - name: Get
      debug:
        msg: '{{ lookup("passbolt", "OVH") }}'
    - name: Create
      debug:
        var: lookup('passbolt', 'test', password='PASSWORD1234')
```
And here the output:
```
TASK [Get] ********************************************************************************************************************************************************************************************************
/usr/local/lib/python3.11/dist-packages/pgpy/constants.py:192: CryptographyDeprecationWarning: IDEA has been deprecated
  bs = {SymmetricKeyAlgorithm.IDEA: algorithms.IDEA,
/usr/local/lib/python3.11/dist-packages/pgpy/constants.py:194: CryptographyDeprecationWarning: CAST5 has been deprecated
  SymmetricKeyAlgorithm.CAST5: algorithms.CAST5,
/usr/local/lib/python3.11/dist-packages/pgpy/constants.py:195: CryptographyDeprecationWarning: Blowfish has been deprecated
  SymmetricKeyAlgorithm.Blowfish: algorithms.Blowfish,
ok: [local1] => {
    "msg": {
        "created": "2023-10-22T16:12:02+00:00",
        "deleted": false,
        "description": "",
        "folder_parent_id": null,
        "modified": "2023-10-22T16:12:02+00:00",
        "modified_by": "ecb21632-2921-4a4d-96c6-7fa9eb4fe9c3",
        "name": "OVH",
        "password": "the_password",
        "personal": true,
        "resource_type_id": "a28a04cd-6f53-518a-967c-9963bf9cec51",
        "uri": "",
        "username": "choco"
    }
}
TASK [Create] *****************************************************************************************************************************************************************************************************
/usr/local/lib/python3.11/dist-packages/pgpy/constants.py:192: CryptographyDeprecationWarning: IDEA has been deprecated
  bs = {SymmetricKeyAlgorithm.IDEA: algorithms.IDEA,
/usr/local/lib/python3.11/dist-packages/pgpy/constants.py:194: CryptographyDeprecationWarning: CAST5 has been deprecated
  SymmetricKeyAlgorithm.CAST5: algorithms.CAST5,
/usr/local/lib/python3.11/dist-packages/pgpy/constants.py:195: CryptographyDeprecationWarning: Blowfish has been deprecated
  SymmetricKeyAlgorithm.Blowfish: algorithms.Blowfish,
ok: [local1] => {
    "lookup('passbolt', 'test', password='PASSWORD1234')": {
        "created": "",
        "deleted": "",
        "description": "",
        "folder_parent_id": "",
        "modified": "",
        "modified_by": "",
        "name": "",
        "password": "",
        "personal": "",
        "resource_type_id": "",
        "uri": "",
        "username": ""
    }
}
```
The output shows an empty resource with OK status but in the docker logs I can clearly see the 403 error code from the server on the POST request (cf first post output)
regards,
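Since the Create task above ends with an ok status and an empty resource, the server access log is the place where the refused request is visible. The following is an added example, not part of the original posts or of the passbolt collection: it scans access-log lines in the format quoted in the first post and reports state-changing requests answered with 401 or 403. The function name `refused_writes` is hypothetical and the sample lines are copied from the first post.

```python
import re

# Access-log line as printed by the passbolt container; the "passbolt | "
# prefix added by docker compose is optional.
LINE_RE = re.compile(
    r'^(?:\S+\s+\|\s+)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
LOGIN_PATH = "/auth/login.json"


def refused_writes(lines):
    """Return (timestamp, ip, method, path, status, logged_in) for every
    state-changing request answered with 401 or 403. logged_in is True when
    the same client IP had a successful login earlier in the log."""
    logged_in = set()
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an access-log line (warnings, task banners, ...)
        ip, method, path = m["ip"], m["method"], m["path"]
        status = int(m["status"])
        if method == "POST" and path == LOGIN_PATH:
            if status == 200:
                logged_in.add(ip)
            continue  # login attempts are tracked, not reported
        if method in WRITE_METHODS and status in (401, 403):
            findings.append((m["ts"], ip, method, path, status, ip in logged_in))
    return findings


# Sample input: three of the log lines quoted in the first post.
SAMPLE = '''\
passbolt | 172.19.0.1 - - [22/Oct/2023:16:29:47 +0000] "POST /auth/login.json HTTP/1.1" 200 4030 "-" "python-httpx/0.23.3"
passbolt | 172.19.0.1 - - [22/Oct/2023:16:29:47 +0000] "GET /resources.json HTTP/1.1" 200 1126 "-" "python-httpx/0.23.3"
passbolt | 172.19.0.1 - - [22/Oct/2023:16:29:48 +0000] "POST /resources.json HTTP/1.1" 403 303 "-" "python-httpx/0.23.3"
'''.splitlines()

if __name__ == "__main__":
    for finding in refused_writes(SAMPLE):
        print(finding)
```

A finding with `logged_in` set to True, as here, means the refusal came after a successful authentication from the same client.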
But when I set PASSBOLT_CREATE_NEW_RESOURCE to ‘false’, it tells me that the resource doesn’t exist:
```
fatal: [local1]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'passbolt'. Error was a <class 'Exception'>, original message: resource test not found. resource test not found"}
```
I’m not able to reproduce your issue, I used the docker environment and playbook from GitHub - passbolt/lab-passbolt-ansible-poc without issue.
In the playbook, the password is randomly generated, but you can force the password as you set in your example. I got no issue on my side.
Can you tell me more about your environment where you are running ansible, how did you setup your ansible environment and give me the output of these commands?
```
cat /etc/os-release
pip list
ansible --version
ansible-galaxy collection list
```
Can you also use this icon to format your code?

Because it is very hard to read your code snippets.
Thanks and regards,
Having the same problem as described: the playbook is able to fetch passwords, but not able to create a password if it doesn’t exist, with PASSBOLT_CREATE_NEW_RESOURCE=“true”.
I checked your previous comment where you are using image: passbolt/passbolt:latest, but I got into this problem with image: passbolt/passbolt:latest-ce
Hi @basan12 and welcome to passbolt community forum 
passbolt/passbolt:latest and passbolt/passbolt:latest-ce are the same image.
Can you tell me more about your environment where you are running ansible, how did you setup your ansible environment and give me the output of these commands?
```
cat /etc/os-release
pip list
ansible --version
ansible-galaxy collection list
```
Cheers,