Merge pull request #6216 from pilou-/doc_extract_credentials

[doc] Explain how to extract credentials or encrypted settings Reviewed-by: https://github.com/apps/softwarefactory-project-zuul
2026-01-18 05:01:19 -03:30 · 2020-03-06 21:54:51 +00:00 · 2020-03-06 21:54:51 +00:00 · 3e820a88e1
commit 3e820a88e1
parent 304bf6805b 35f414ccf2
1 changed files with 19 additions and 0 deletions
--- a/docs/credentials/extract_credentials.md
+++ b/docs/credentials/extract_credentials.md
@ -0,0 +1,19 @@
+Extracting Credential Values
+============================
+
+AWX stores a variety of secrets in the database that are either used for automation or are a result of automation. These secrets include:
+
+- all secret fields of all credential types (passwords, secret keys, authentication tokens, secret cloud credentials)
+- secret tokens and passwords for external services defined in Ansible Tower settings
+- "password" type survey fields entries
+
+To encrypt secret fields, Tower uses AES in CBC mode with a 256-bit key for encryption, PKCS7 padding, and HMAC using SHA256 for authentication.
+
+If necessary, credentials and encrypted settings can be extracted using the AWX shell:
+
+```python
+# awx-manage shell_plus
+>>> from awx.main.utils import decrypt_field
+>>> cred = Credential.objects.get(name="my private key")
+>>> print(decrypt_field(cred, "ssh_key_data"))
+```