Closed
Summary
Unable to run cyberark.conjur.conjur_host_identity role.
Steps to Reproduce
- Create a conjur host-factory.
- Generate host factory token:
  `conjur -i hostfactory create token -i ansible-test-factory --duration-days 2`
- Export host factory token as env var.
- Run the playbook.
This is the playbook that I am using:
```yaml
- hosts: localhost
  roles:
    - role: cyberark.conjur.conjur_host_identity
      conjur_appliance_url: 'https://conjur-lb.vsphere.playground.com'
      conjur_account: 'default'
      conjur_host_factory_token: "{{ lookup('env', 'HFTOKEN') }}"
      conjur_host_name: "{{ inventory_hostname }}"
      conjur_ssl_certificate: "{{ lookup('file', 'conjur-cert.cer') }}"
      conjur_validate_certs: yes
```
Expected Results
The playbook runs without errors.
Actual Results
The playbook fails; these are the logs:
```
PLAY [localhost] ***********************************************************************************************************************************************************************************

TASK [Gathering Facts] *****************************************************************************************************************************************************************************
ok: [localhost]

TASK [cyberark.conjur.conjur_host_identity : Check if /etc/conjur.identity already exists] *********************************************************************************************************
ok: [localhost] => {"changed": false, "stat": {"exists": false}}

TASK [cyberark.conjur.conjur_host_identity : Set fact "conjurized"] ********************************************************************************************************************************
ok: [localhost] => {"ansible_facts": {"conjurized": false}, "changed": false}

TASK [cyberark.conjur.conjur_host_identity : Ensure all required variables are set] ****************************************************************************************************************
skipping: [localhost] => (item=default) => {"ansible_loop_var": "item", "changed": false, "false_condition": "item is undefined", "item": "default", "skip_reason": "Conditional result was False"}
skipping: [localhost] => (item=https://conjur-lb.vsphere.playground.com) => {"ansible_loop_var": "item", "changed": false, "false_condition": "item is undefined", "item": "https://conjur-lb.vsphere.playground.com", "skip_reason": "Conditional result was False"}
skipping: [localhost] => (item=localhost) => {"ansible_loop_var": "item", "changed": false, "false_condition": "item is undefined", "item": "localhost", "skip_reason": "Conditional result was False"}
skipping: [localhost] => {"changed": false, "msg": "All items skipped"}

TASK [cyberark.conjur.conjur_host_identity : Set fact "ssl_configuration"] *************************************************************************************************************************
ok: [localhost] => {"ansible_facts": {"ssl_configuration": true}, "changed": false}

TASK [cyberark.conjur.conjur_host_identity : Ensure all required ssl variables are set] ************************************************************************************************************
skipping: [localhost] => (item=<CERTIFICATE PEM OMITTED>) => {"ansible_loop_var": "item", "changed": false, "false_condition": "item is undefined", "item": "<CERTIFICATE PEM OMITTED>", "skip_reason": "Conditional result was False"}
skipping: [localhost] => (item=True) => {"ansible_loop_var": "item", "changed": false, "false_condition": "item is undefined", "item": true, "skip_reason": "Conditional result was False"}
skipping: [localhost] => {"changed": false, "msg": "All items skipped"}

TASK [cyberark.conjur.conjur_host_identity : Set fact "ssl file path"] *****************************************************************************************************************************
ok: [localhost] => {"ansible_facts": {"conjur_ssl_certificate_path": "/etc/conjur.pem"}, "changed": false}

TASK [cyberark.conjur.conjur_host_identity : Set fact "non ssl configuration"] *********************************************************************************************************************
skipping: [localhost] => {"changed": false, "false_condition": "not ssl_configuration", "skip_reason": "Conditional result was False"}

TASK [cyberark.conjur.conjur_host_identity : Warn against using insecure connection schemes] *******************************************************************************************************
skipping: [localhost] => {"false_condition": "not ssl_configuration"}

TASK [cyberark.conjur.conjur_host_identity : Ensure "conjur_host_factory_token" is set (if node is not already conjurized)] ************************************************************************
skipping: [localhost] => (item=<TOKEN-HERE>) => {"ansible_loop_var": "item", "changed": false, "false_condition": "item is undefined", "item": "<TOKEN-HERE>", "skip_reason": "Conditional result was False"}
skipping: [localhost] => {"changed": false, "msg": "All items skipped"}

TASK [cyberark.conjur.conjur_host_identity : Create group conjur] **********************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Username and password must be provided.\n", "name": "conjur"}

PLAY RECAP *****************************************************************************************************************************************************************************************
localhost : ok=5 changed=0 unreachable=0 failed=1 skipped=5 rescued=0 ignored=0
```
Reproducible
- Always
Version/Tag number
```
ansible --version && echo " " && ansible-galaxy collection list | grep cyberark
ansible [core 2.15.0]
config file = None
configured module search path = ['/Users/rago/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/Cellar/ansible/8.0.0/libexec/lib/python3.11/site-packages/ansible
ansible collection location = /Users/rago/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/local/bin/ansible
python version = 3.11.4 (main, Jun 7 2023, 00:42:15) [Clang 14.0.3 (clang-1403.0.22.14.1)] (/usr/local/Cellar/ansible/8.0.0/libexec/bin/python3.11)
jinja version = 3.1.2
libyaml = True

cyberark.conjur 1.2.0
cyberark.conjur 1.2.0
cyberark.pas 1.0.19
```
Environment setup
Ansible runs on the local machine and conjur runs on a remote VM (connection via VPN).
Additional Information
- conjur is reachable from my local machine and I am able to retrieve secrets.
- If I remove the `conjur_ssl_certificate` and `conjur_validate_certs` role variables (which are not mandatory!), the playbook fails with the following error:
  `fatal: [localhost]: FAILED! => {"msg": "'conjur_ssl_certificate' is undefined. 'conjur_ssl_certificate' is undefined"}`