Chapter 7. Encrypting plaintext passwords in automation controller configuration files
Passwords stored in automation controller configuration files are stored in plain text. A user with access to the /etc/tower/conf.d/ directory can view the passwords used to access the database. Access to the directories is controlled with permissions, so they are protected, but some security findings deem this protection to be inadequate. The solution is to encrypt the passwords individually.
7.1. Creating PostgreSQL password hashes
Procedure
On your automation controller node, run the following:
# awx-manage shell_plus
Then run the following from the python prompt:
>>> from awx.main.utils import encrypt_value, get_encryption_key \ >>> postgres_secret = encrypt_value('$POSTGRES_PASS') \ >>> print(postgres_secret)NoteReplace the
$POSTGRES_PASSvariable with the actual plain text password you want to encrypt.The output should resemble the following:
$encrypted$UTF8$AESCBC$Z0FBQUFBQmtLdGNRWXFjZGtkV1ZBR3hkNGVVbFFIU3hhY21UT081eXFkR09aUWZLcG9TSmpndmZYQXFyRHVFQ3ZYSE15OUFuM1RHZHBqTFU3S0MyNEo2Y2JWUURSYktsdmc9PQ==
Copy the full values of these hashes and save them.
The hash value begins with
$encrypted$, and is not just the string of characters, as shown in the following example:$encrypted$AESCBC$Z0FBQUFBQmNONU9BbGQ1VjJyNDJRVTRKaFRIR09Ib2U5TGdaYVRfcXFXRjlmdmpZNjdoZVpEZ21QRWViMmNDOGJaM0dPeHN2b194NUxvQ1M5X3dSc1gxQ29TdDBKRkljWHc9PQ==
Note that the
$*_PASSvalues are already in plain text in your inventory file.
These steps supply the hash values that replace the plain text passwords within the automation controller configuration files.
7.2. Encrypting the Postgres password
The following procedure replaces the plain text passwords with encrypted values. Perform the following steps on each node in the cluster:
Procedure
Edit
/etc/tower/conf.d/postgres.pyusing:$ vim /etc/tower/conf.d/postgres.py
Add the following line to the top of the file.
from awx.main.utils import decrypt_value, get_encryption_key
Remove the password value listed after 'PASSWORD': and replace it with the following line, replacing the supplied value of
$encrytpted..with your own hash value:decrypt_value(get_encryption_key('value'),'$encrypted$AESCBC$Z0FBQUFBQmNONU9BbGQ1VjJyNDJRVTRKaFRIR09Ib2U5TGdaYVRfcXFXRjlmdmpZNjdoZVpEZ21QRWViMmNDOGJaM0dPeHN2b194NUxvQ1M5X3dSc1gxQ29TdDBKRkljWHc9PQ=='),NoteThe hash value in this step is the output value of
postgres_secret.The full
postgres.pyresembles the following:# Ansible Automation platform controller database settings. from awx.main.utils import decrypt_value, get_encryption_key DATABASES = { 'default': { 'ATOMIC_REQUESTS': True, 'ENGINE': 'django.db.backends.postgresql', 'NAME': 'awx', 'USER': 'awx', 'PASSWORD': decrypt_value(get_encryption_key('value'),'$encrypted$AESCBC$Z0FBQUFBQmNONU9BbGQ1VjJyNDJRVTRKaFRIR09Ib2U5TGdaYVRfcXFXRjlmdmpZNjdoZVpEZ21QRWViMmNDOGJaM0dPeHN2b194NUxvQ1M5X3dSc1gxQ29TdDBKRkljWHc9PQ=='), 'HOST': '127.0.0.1', 'PORT': 5432, } }
7.3. Restarting automation controller services
Procedure
When encryption is completed on all nodes, perform a restart of services across the cluster using:
# automation-controller-service restart
- Navigate to the UI, and verify you are able to run jobs across all nodes.
