From d75c2d9b44062009823328db1a68563f9316f819 Mon Sep 17 00:00:00 2001 From: Pierre-Louis Bonicoli Date: Fri, 6 Mar 2020 18:18:20 +0100 Subject: [PATCH 1/2] Explain how to extract credentials/settings --- docs/credentials/extract_credentials.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 docs/credentials/extract_credentials.md diff --git a/docs/credentials/extract_credentials.md b/docs/credentials/extract_credentials.md new file mode 100644 index 0000000000..7234d56517 --- /dev/null +++ b/docs/credentials/extract_credentials.md @@ -0,0 +1,11 @@ +Extract credentials +=================== + +Credentials and encrypted settings can be extracted using the following snippet: + +```python +# awx-manage shell_plus +>>> from awx.main.utils import decrypt_field +>>> cred = Credential.objects.get(name="my private key") +>>> decrypt_field(cred, "ssh_key_data") +``` From 35f414ccf20e4881287848fcb9b562f3c975a793 Mon Sep 17 00:00:00 2001 From: Ryan Petrello Date: Fri, 6 Mar 2020 16:00:41 -0500 Subject: [PATCH 2/2] clarify how AWX stores credentials --- docs/credentials/extract_credentials.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/docs/credentials/extract_credentials.md b/docs/credentials/extract_credentials.md index 7234d56517..c769319200 100644 --- a/docs/credentials/extract_credentials.md +++ b/docs/credentials/extract_credentials.md 
@@ -1,11 +1,19 @@ -Extract credentials -=================== +Extracting Credential Values +============================ -Credentials and encrypted settings can be extracted using the following snippet: +AWX stores a variety of secrets in the database that are either used for automation or are a result of automation. These secrets include: + +- all secret fields of all credential types (passwords, secret keys, authentication tokens, secret cloud credentials) +- secret tokens and passwords for external services defined in Ansible Tower settings +- "password" type survey fields entries + +To encrypt secret fields, Tower uses AES in CBC mode with a 256-bit key for encryption, PKCS7 padding, and HMAC using SHA256 for authentication. + +If necessary, credentials and encrypted settings can be extracted using the AWX shell: ```python # awx-manage shell_plus >>> from awx.main.utils import decrypt_field >>> cred = Credential.objects.get(name="my private key") ->>> decrypt_field(cred, "ssh_key_data") +>>> print(decrypt_field(cred, "ssh_key_data")) ```
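Review bot: In the first patch's hunk (`@@ -0,0 +1,11 @@`) the snippet calls `Credential.objects.get(...)` without ever importing `Credential`; that only works because `awx-manage shell_plus` (the comment on the first line of the block) auto-imports the models, so the document should either say that explicitly or add `from awx.main.models import Credential` so the same lines also work under a plain `awx-manage shell`. The sentence above the block promises "Credentials and encrypted settings", but only the credential case is shown; either add a settings example or narrow the sentence. Since `decrypt_field` returns the plaintext secret, a one-line warning that the value ends up in the interactive shell's output and history is worth adding next to the snippet.

Review bot: The second patch's hunk (`@@ -1,11 +1,19 @@`) still reads "credentials and encrypted settings can be extracted using the AWX shell" while showing only the `Credential` case, so the settings half of the claim remains undocumented; add a snippet for a setting or drop "and encrypted settings". Naming is inconsistent within one file: the first paragraph says "AWX stores", the second bullet says "Ansible Tower settings", and the crypto paragraph says "Tower uses"; pick one for a document living in the AWX repository. The crypto sentence (AES in CBC mode with a 256-bit key, PKCS7 padding, HMAC with SHA256) is a precise claim readers will want to verify, so cite the module that implements it, i.e. the one `decrypt_field` is imported from. Minor grammar: `"password" type survey fields entries` should be `"password"-type survey field entries`. The change to `print(decrypt_field(...))` is the right call for a multi-line SSH key, since the bare REPL repr would show it with escaped newlines.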