I've been banging my head against this for about a week now.
I run AWX via docker-compose, set up on an EC2 instance. My department doesn't have the credentials to create an Azure service principal, so while I wait for that request to go through I am trying to get AWX to authenticate to Azure with Active Directory credentials. For testing, to keep it simple, I have a test task set up that runs azure_rm_dnsrecordset_facts so I can just pull a TXT record to show that authentication is working. On my dev machine I can install the azure cli, run az login, execute playbooks through the ansible-playbook command and so on, and it works: I can see the test pull the expected TXT record. But on AWX I get errors.
Using az login and copying the files from /root/.azure/ to /var/lib/awx/.azure/ I get this error:
{
"_ansible_parsed": false,
"exception": "Traceback (most recent call last):\n File \"/root/.ansible/tmp/ansible-tmp-1558728025.48-180262108746971/AnsiballZ_azure_rm_dnsrecordset_facts.py\", line 113, in <module>\n _ansiballz_main()\n File \"/root/.ansible/tmp/ansible-tmp-1558728025.48-180262108746971/AnsiballZ_azure_rm_dnsrecordset_facts.py\", line 105, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/root/.ansible/tmp/ansible-tmp-1558728025.48-180262108746971/AnsiballZ_azure_rm_dnsrecordset_facts.py\", line 48, in invoke_module\n imp.load_module('__main__', mod, module, MOD_DESC)\n File \"/tmp/ansible_azure_rm_dnsrecordset_facts_payload_PlPfUW/__main__.py\", line 202, in <module>\n File \"/tmp/ansible_azure_rm_dnsrecordset_facts_payload_PlPfUW/__main__.py\", line 198, in main\n File \"/tmp/ansible_azure_rm_dnsrecordset_facts_payload_PlPfUW/__main__.py\", line 133, in __init__\n File \"/tmp/ansible_azure_rm_dnsrecordset_facts_payload_PlPfUW/ansible_azure_rm_dnsrecordset_facts_payload.zip/ansible/module_utils/azure_rm_common.py\", line 301, in __init__\n File \"/tmp/ansible_azure_rm_dnsrecordset_facts_payload_PlPfUW/ansible_azure_rm_dnsrecordset_facts_payload.zip/ansible/module_utils/azure_rm_common.py\", line 1045, in __init__\n File \"/var/lib/awx/venv/ansible/lib/python2.7/site-packages/msrestazure/azure_active_directory.py\", line 383, in __init__\n self.set_token()\n File \"/var/lib/awx/venv/ansible/lib/python2.7/site-packages/msrestazure/azure_active_directory.py\", line 415, in set_token\n raise_with_traceback(AuthenticationError, \"\", err)\n File \"/var/lib/awx/venv/ansible/lib/python2.7/site-packages/msrest/exceptions.py\", line 48, in raise_with_traceback\n raise error\nmsrest.exceptions.AuthenticationError: , InvalidGrantError: (invalid_grant) AADSTS50126: Invalid username or password.\r\nTrace ID: 01cd8ac6-1c05-4391-96da-031e0da30500\r\nCorrelation ID: 03f28850-04cf-4344-b405-18594d8845a1\r\nTimestamp: 2019-05-24 20:00:26Z\n",
"_ansible_no_log": false,
"module_stderr": "Traceback (most recent call last):\n File \"/root/.ansible/tmp/ansible-tmp-1558728025.48-180262108746971/AnsiballZ_azure_rm_dnsrecordset_facts.py\", line 113, in <module>\n _ansiballz_main()\n File \"/root/.ansible/tmp/ansible-tmp-1558728025.48-180262108746971/AnsiballZ_azure_rm_dnsrecordset_facts.py\", line 105, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/root/.ansible/tmp/ansible-tmp-1558728025.48-180262108746971/AnsiballZ_azure_rm_dnsrecordset_facts.py\", line 48, in invoke_module\n imp.load_module('__main__', mod, module, MOD_DESC)\n File \"/tmp/ansible_azure_rm_dnsrecordset_facts_payload_PlPfUW/__main__.py\", line 202, in <module>\n File \"/tmp/ansible_azure_rm_dnsrecordset_facts_payload_PlPfUW/__main__.py\", line 198, in main\n File \"/tmp/ansible_azure_rm_dnsrecordset_facts_payload_PlPfUW/__main__.py\", line 133, in __init__\n File \"/tmp/ansible_azure_rm_dnsrecordset_facts_payload_PlPfUW/ansible_azure_rm_dnsrecordset_facts_payload.zip/ansible/module_utils/azure_rm_common.py\", line 301, in __init__\n File \"/tmp/ansible_azure_rm_dnsrecordset_facts_payload_PlPfUW/ansible_azure_rm_dnsrecordset_facts_payload.zip/ansible/module_utils/azure_rm_common.py\", line 1045, in __init__\n File \"/var/lib/awx/venv/ansible/lib/python2.7/site-packages/msrestazure/azure_active_directory.py\", line 383, in __init__\n self.set_token()\n File \"/var/lib/awx/venv/ansible/lib/python2.7/site-packages/msrestazure/azure_active_directory.py\", line 415, in set_token\n raise_with_traceback(AuthenticationError, \"\", err)\n File \"/var/lib/awx/venv/ansible/lib/python2.7/site-packages/msrest/exceptions.py\", line 48, in raise_with_traceback\n raise error\nmsrest.exceptions.AuthenticationError: , **InvalidGrantError: (invalid_grant) AADSTS50126: Invalid username or password**.\r\nTrace ID: 01cd8ac6-1c05-4391-96da-031e0da30500\r\nCorrelation ID: 03f28850-04cf-4344-b405-18594d8845a1\r\nTimestamp: 2019-05-24 20:00:26Z\n",
"changed": false,
"module_stdout": "",
"rc": 1,
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error"
}
Using the ad_username, password and subscription_id values as environment variables, as extra vars, and passed into the module from Vault all result in the same error:
{
"_ansible_parsed": true,
"_ansible_no_log": false,
"invocation": {
"module_args": {
"profile": null,
"resource_group": "publicdns**********",
"tags": null,
"cloud_environment": "AzureCloud",
"relative_name": "_acme-challenge",
"record_type": "TXT",
"client_id": null,
"api_profile": "latest",
"adfs_authority_url": null,
"zone_name": "*************",
"password": null,
"tenant": null,
"top": "100",
"append_tags": true,
"ad_user": null,
"cert_validation_mode": null,
"secret": null,
"auth_source": null,
"subscription_id": null
}
},
"changed": false,
"msg": "**Failed to get credentials. Either pass as parameters, set environment variables, define a profile in ~/.azure/credentials, or log in with Azure CLI (`az login`)**."
}
Is it just me, or is this a bug? Apart from what I found while reading the docs, I can't find anything that clearly walks you through the setup. I was hoping this would be straightforward; so far nothing has been.
This is one of the docs I have been following most recently: https://docs.ansible.com/ansible-tower/3.2.6/html/userguide/credentials.html#microsoft-azure-resource-manager
Thanks for your help. Here is the list of things I have tried:
- Set environment variables for AZURE_AD_USER, AZURE_PASSWORD and AZURE_SUBSCRIPTION_ID in the awx_task and awx_web containers.
- I have set the ad_user, password and subscription_id credentials as extra vars.
- I have put the credentials in a vault and passed them directly to the ansible module, with and without azure_adfs_authority_url.
- In the awx_task docker container I installed ansible[azure] and the azure cli, ran az login, and verified that the /root/.azure/azureProfile.json file was populated.
- I have copied the files from /root/.azure/ to /var/lib/awx/.azure/, which seems to be where AWX is looking for these files. I have also verified read/write permissions and file ownership.
- I modified the Microsoft Azure Resource Manager credential, but it doesn't seem to be what I want.
- On the EC2 instance, an nslookup of azure_adfs_authority_url shows it is hitting the correct ADFS server.
Thanks for your help
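The second error in the post lists the order in which the module looks for credentials: explicit parameters, then environment variables, then a profile in ~/.azure/credentials, then the Azure CLI. The script below is an added example, not code from the post or from Ansible; it models that lookup order for the Active Directory user fields named in the post (ad_user, password, subscription_id and the AZURE_AD_USER, AZURE_PASSWORD, AZURE_SUBSCRIPTION_ID variables) and reports, per source, which field is missing. It assumes the credentials file is INI-style with one section per profile, treats a source as usable only when all three fields are present (a simplification of the real module), and does not model the Azure CLI fallback. The sample environment and file contents are constructed.

```python
import configparser

# Simplified model (added example, not the Ansible module's own code) of the
# lookup order the module's error message lists: explicit module parameters,
# then AZURE_* environment variables, then a profile in ~/.azure/credentials.
# Only the Active Directory user method from the post is modelled.
REQUIRED = ("ad_user", "password", "subscription_id")
ENV_NAMES = {
    "ad_user": "AZURE_AD_USER",
    "password": "AZURE_PASSWORD",
    "subscription_id": "AZURE_SUBSCRIPTION_ID",
}


def from_params(params):
    """Credential fields taken from the module arguments (extra vars, Vault)."""
    return {k: params.get(k) for k in REQUIRED}


def from_env(env):
    """Credential fields taken from the environment of the process running the module."""
    return {k: env.get(v) for k, v in ENV_NAMES.items()}


def from_credentials_file(text, profile):
    """Credential fields from an INI-style credentials file; None if the profile is absent.
    The one-section-per-profile INI layout is an assumption of this example."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    if not cp.has_section(profile):
        return None
    return {k: cp.get(profile, k, fallback=None) for k in REQUIRED}


def complete(creds):
    """True when every required field is present and non-empty."""
    return creds is not None and all(creds.get(k) for k in REQUIRED)


def resolve(params, env, credentials_text, profile="default"):
    """Return (source, creds) for the first complete source, or (None, None)."""
    candidates = (
        ("params", from_params(params)),
        ("env", from_env(env)),
        ("file", from_credentials_file(credentials_text, profile)),
    )
    for source, creds in candidates:
        if complete(creds):
            return source, creds
    return None, None


def diagnose(params, env, credentials_text, profile="default"):
    """One line per incomplete source saying what is missing, so a
    'Failed to get credentials' result can be traced to the source that was
    expected to supply them."""
    notes = []
    p = from_params(params)
    if not complete(p):
        notes.append("params: missing " + ", ".join(k for k in REQUIRED if not p.get(k)))
    e = from_env(env)
    if not complete(e):
        notes.append("env: missing " + ", ".join(ENV_NAMES[k] for k in REQUIRED if not e.get(k)))
    f = from_credentials_file(credentials_text, profile)
    if f is None:
        notes.append("file: no [%s] section" % profile)
    elif not complete(f):
        notes.append("file: missing " + ", ".join(k for k in REQUIRED if not f.get(k)))
    return notes


# Constructed sample inputs: the environment lacks the password, the file is complete.
SAMPLE_ENV = {
    "AZURE_AD_USER": "svc-dns@example.com",
    "AZURE_SUBSCRIPTION_ID": "00000000-0000-0000-0000-000000000000",
}
SAMPLE_CREDENTIALS_FILE = """[default]
ad_user = svc-dns@example.com
password = placeholder-not-a-real-secret
subscription_id = 00000000-0000-0000-0000-000000000000
"""

if __name__ == "__main__":
    import os
    # Run against the real process: os.environ and the file under this user's HOME.
    # Only the source name is printed, never the secret values.
    path = os.path.expanduser("~/.azure/credentials")
    text = ""
    if os.path.exists(path):
        with open(path) as fh:
            text = fh.read()
    source, _ = resolve({}, os.environ, text)
    print("credential source:", source)
    for note in diagnose({}, os.environ, text):
        print(note)
```

Run the script inside the container and as the user that actually executes the job: environment variables only count when they are in the environment of the process running the module (the job in the task container, not awx_web), and ~ expands to that process's HOME. The traceback in the post places the job's temporary directory under /root/.ansible/tmp, which is a hint about which home directory ~/.azure/credentials resolves to. Whatever source wins, keep the password out of extra vars that end up in job output; the Vault or credential-type routes mentioned in the post keep it out of logs.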