We have an AWX that needs to run playbooks on all servers within our lab.
There are some servers that can't be contacted unless a bastion is used.
AWX can successfully run playbooks on the regular servers, but can't do it through the jump host.
I will call the server that the playbook will run on the client. Bastion will refer to the server in the middle that is used to connect to the client.
The way I have it set up is that I have a username/password pair for the client that is saved as a machine credential in AWX.
I also have a custom credential type created as follows:
Input configuration:

fields:
  - id: hostname
    type: string
    label: Jump server hostname
  - id: username
    type: string
    label: Jumphost username
  - id: sshkey
    type: string
    label: Bastion key.
    format: ssh_private_key
    secret: true
    multiline: true
required:
  - username
  - sshkey
  - hostname

Injector configuration:

extra_vars:
  bastion_host: '{{ hostname }}'
  bastion_key: '{{ tower.filename }}'
  bastion_user: '{{ username }}'
  jumpserver_connection_configuration: >-
    -o ProxyCommand="ssh -o StrictHostKeyChecking=no -o
    UserKnownHostsFile=/dev/null -o PubkeyAuthentication=yes -o
    ControlMaster=no -o PreferredAuthentications=publickey -i {{ tower.filename }} -W %h:%p -q {{ username }}@{{ hostname }}"
file:
  template: '{{ sshkey }}'
Then there is an inventory that has the IP of the client and the extra args below:
ansible_ssh_common_args: >-
  {{ default_ssh_options }} -o PreferredAuthentications=publickey,password {{ jumpserver_connection_configuration }}
default_ssh_options: >-
  -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o
  PubkeyAuthentication=yes -o ControlMaster=no -o
  PreferredAuthentications=publickey
A hello world job is created on this inventory with both credentials attached to it, which fails. The failure log is uploaded here.
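The two option lists above end up concatenated into a single ssh command line, and OpenSSH keeps the first value it obtains for each option (the ssh_config rule that "the first obtained value will be used"), so the order in which `default_ssh_options` and the later `-o PreferredAuthentications=publickey,password` appear matters. The script below is an added example and not part of the original post or of AWX: it splits the posted `ansible_ssh_common_args` the way the shell would, applies that first-value-wins rule separately to the client hop and to the ProxyCommand hop, and reports the effective `PreferredAuthentications` of each hop and whether host-key verification is switched off. The hostname `bastion.example`, user `jumpuser` and key path `/tmp/awx_key` are constructed stand-ins for the values the credential injector would substitute.

```python
import shlex

# Constructed sample values standing in for the injector's {{ hostname }},
# {{ username }} and {{ tower.filename }} (not real hosts or files).
BASTION_HOST = "bastion.example"
BASTION_USER = "jumpuser"
BASTION_KEY = "/tmp/awx_key"

# The inventory's default_ssh_options, as posted.
DEFAULT_SSH_OPTIONS = (
    "-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "
    "-o PubkeyAuthentication=yes -o ControlMaster=no "
    "-o PreferredAuthentications=publickey"
)

# The injector's jumpserver_connection_configuration with the variables filled in.
JUMPSERVER_CONNECTION_CONFIGURATION = (
    '-o ProxyCommand="ssh -o StrictHostKeyChecking=no '
    "-o UserKnownHostsFile=/dev/null -o PubkeyAuthentication=yes "
    "-o ControlMaster=no -o PreferredAuthentications=publickey "
    f'-i {BASTION_KEY} -W %h:%p -q {BASTION_USER}@{BASTION_HOST}"'
)

# The inventory's ansible_ssh_common_args after Jinja expansion.
ANSIBLE_SSH_COMMON_ARGS = (
    f"{DEFAULT_SSH_OPTIONS} -o PreferredAuthentications=publickey,password "
    f"{JUMPSERVER_CONNECTION_CONFIGURATION}"
)


def parse_options(cmdline):
    """Return the (option, value) pairs given with -o, in command-line order.

    shlex.split applies shell quoting, so the double-quoted ProxyCommand stays
    one value even though it contains spaces and its own -o flags.
    """
    tokens = shlex.split(cmdline)
    pairs = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "-o" and i + 1 < len(tokens):
            key, _, value = tokens[i + 1].partition("=")
            pairs.append((key.lower(), value))  # ssh option names are case-insensitive
            i += 2
        else:
            i += 1
    return pairs


def effective_options(pairs):
    """Model OpenSSH's rule that the first value obtained for an option wins."""
    effective = {}
    for key, value in pairs:
        effective.setdefault(key, value)
    return effective


def hostkey_verification_disabled(effective):
    """True when the hop will accept any host key, i.e. no protection against MITM."""
    return (
        effective.get("stricthostkeychecking", "").lower() == "no"
        and effective.get("userknownhostsfile") == "/dev/null"
    )


def analyse(common_args):
    """Effective settings for the client hop and for the ProxyCommand (bastion) hop."""
    client = effective_options(parse_options(common_args))
    proxy = effective_options(parse_options(client.get("proxycommand", "")))
    return {
        "client_preferred_auth": client.get("preferredauthentications"),
        "client_hostkey_check_off": hostkey_verification_disabled(client),
        "proxy_preferred_auth": proxy.get("preferredauthentications"),
        "proxy_hostkey_check_off": hostkey_verification_disabled(proxy),
    }


if __name__ == "__main__":
    for name, value in analyse(ANSIBLE_SSH_COMMON_ARGS).items():
        print(f"{name}: {value}")
```

Two things to take from the output. First, because `default_ssh_options` comes first, the client hop's effective `PreferredAuthentications` is `publickey` and the later `publickey,password` is ignored, which matters when the machine credential for the client is a password; whether that is what the uploaded log shows is something to confirm with the real command, for example `ssh -G <client-ip>` with the same `-o` arguments (prints the configuration ssh would actually use) or a `-vvv` run (shows which authentication methods were tried). Second, both hops set `StrictHostKeyChecking=no` with `UserKnownHostsFile=/dev/null`, so neither the bastion nor the client host key is verified and the bastion adds no trust boundary; pinning the bastion's key in a known_hosts file that the job can read is the usual fix.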