Github action to show monthly issue metrics

.github/actions/issue_metrics/issue_metrics.yml

@@ -0,0 +1,40 @@
+name: Monthly issue metrics
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '3 2 1 * *'
+
+permissions:
+  issues: write
+  pull-requests: read
+
+jobs:
+  build:
+    name: issue metrics
+    runs-on: ubuntu-latest
+    steps:
+    - name: Get dates for last month
+      shell: bash
+      run: |
+        # Calculate the first day of the previous month
+        first_day=$(date -d "last month" +%Y-%m-01)
+
+        # Calculate the last day of the previous month
+        last_day=$(date -d "$first_day +1 month -1 day" +%Y-%m-%d)
+
+        #Set an environment variable with the date range
+        echo "$first_day..$last_day"
+        echo "last_month=$first_day..$last_day" >> "$GITHUB_ENV"
+
+    - name: Run issue-metrics tool
+      uses: github/issue-metrics@v2
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        SEARCH_QUERY: 'repo:ansible/awx is:issue created:${{ env.last_month }} -reason:"not planned"'
+
+    - name: Create issue
+      uses: peter-evans/create-issue-from-file@v4
+      with:
+        title: Monthly issue metrics report
+        token: ${{ secrets.GITHUB_TOKEN }}
+        content-filepath: ./issue_metrics.md

.github/workflows/ci.yml

@@ -127,6 +127,10 @@ jobs:
 
       - name: Run sanity tests
         run: make test_collection_sanity
+        env:
+          # needed due to cgroupsv2. This is fixed, but a stable release
+          # with the fix has not been made yet.
+          ANSIBLE_TEST_PREFER_PODMAN: 1
 
   collection-integration:
     name: awx_collection integration

.github/workflows/promote.yml

@@ -83,15 +83,11 @@ jobs:
 
       - name: Re-tag and promote awx image
         run: |
-          docker buildx imagetools create \
+          docker pull ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }}
-            ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }} \
+          docker tag ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }} quay.io/${{ github.repository }}:${{ github.event.release.tag_name }}
-            --tag quay.io/${{ github.repository }}:${{ github.event.release.tag_name }}
+          docker tag ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }} quay.io/${{ github.repository }}:latest
-          docker buildx imagetools create \
+          docker push quay.io/${{ github.repository }}:${{ github.event.release.tag_name }}
-            ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }} \
+          docker push quay.io/${{ github.repository }}:latest
-            --tag quay.io/${{ github.repository }}:latest
+          docker pull ghcr.io/${{ github.repository_owner }}/awx-ee:${{ github.event.release.tag_name }}
-
+          docker tag ghcr.io/${{ github.repository_owner }}/awx-ee:${{ github.event.release.tag_name }} quay.io/${{ github.repository_owner }}/awx-ee:${{ github.event.release.tag_name }}
-      - name: Re-tag and promote awx-ee image
+          docker push quay.io/${{ github.repository_owner }}/awx-ee:${{ github.event.release.tag_name }}
-        run: |
-          docker buildx imagetools create \
-            ghcr.io/${{ github.repository_owner }}/awx-ee:${{ github.event.release.tag_name }} \
-            --tag quay.io/${{ github.repository_owner }}/awx-ee:${{ github.event.release.tag_name }}

.github/workflows/stage.yml

@@ -102,9 +102,9 @@ jobs:
 
       - name: tag awx-ee:latest with version input
         run: |
-          docker buildx imagetools create \
+          docker pull quay.io/ansible/awx-ee:latest
-            quay.io/ansible/awx-ee:latest \
+          docker tag quay.io/ansible/awx-ee:latest ghcr.io/${{ github.repository_owner }}/awx-ee:${{ github.event.inputs.version }}
-            --tag ghcr.io/${{ github.repository_owner }}/awx-ee:${{ github.event.inputs.version }}
+          docker push ghcr.io/${{ github.repository_owner }}/awx-ee:${{ github.event.inputs.version }}
 
       - name: Stage awx-operator image
         working-directory: awx-operator

awx/main/dispatch/worker/base.py

@@ -259,12 +259,6 @@ class AWXConsumerPG(AWXConsumerBase):
                 current_downtime = time.time() - self.pg_down_time
                 if current_downtime > self.pg_max_wait:
                     logger.exception(f"Postgres event consumer has not recovered in {current_downtime} s, exiting")
-                    # Sending QUIT to multiprocess queue to signal workers to exit
-                    for worker in self.pool.workers:
-                        try:
-                            worker.quit()
-                        except Exception:
-                            logger.exception(f"Error sending QUIT to worker {worker}")
                     raise
                 # Wait for a second before next attempt, but still listen for any shutdown signals
                 for i in range(10):
@@ -276,12 +270,6 @@ class AWXConsumerPG(AWXConsumerBase):
             except Exception:
                 # Log unanticipated exception in addition to writing to stderr to get timestamps and other metadata
                 logger.exception('Encountered unhandled error in dispatcher main loop')
-                # Sending QUIT to multiprocess queue to signal workers to exit
-                for worker in self.pool.workers:
-                    try:
-                        worker.quit()
-                    except Exception:
-                        logger.exception(f"Error sending QUIT to worker {worker}")
                 raise
 
 

awx/settings/defaults.py

@@ -353,7 +353,6 @@ INSTALLED_APPS = [
     'awx.sso',
     'solo',
     'ansible_base.rest_filters',
-    'ansible_base.jwt_consumer',
 ]
 
 INTERNAL_IPS = ('127.0.0.1',)
@@ -363,7 +362,6 @@ REST_FRAMEWORK = {
     'DEFAULT_PAGINATION_CLASS': 'awx.api.pagination.Pagination',
     'PAGE_SIZE': 25,
     'DEFAULT_AUTHENTICATION_CLASSES': (
-        'ansible_base.jwt_consumer.awx.auth.AwxJWTAuthentication',
         'awx.api.authentication.LoggedOAuth2Authentication',
         'awx.api.authentication.SessionAuthentication',
         'awx.api.authentication.LoggedBasicAuthentication',

awx/ui/src/components/FormField/FormSubmitError.js

@@ -6,7 +6,6 @@ import sortErrorMessages from './sortErrorMessages';
 
 function FormSubmitError({ error }) {
   const [errorMessage, setErrorMessage] = useState(null);
-  const [fieldError, setFieldsMessage] = useState(null);
   const { values, setErrors } = useFormikContext();
 
   useEffect(() => {
@@ -16,7 +15,6 @@ function FormSubmitError({ error }) {
     }
     if (fieldErrors) {
       setErrors(fieldErrors);
-      setFieldsMessage(fieldErrors);
     }
   }, [error, setErrors, values]);
 
@@ -32,34 +30,10 @@ function FormSubmitError({ error }) {
         ouiaId="form-submit-error-alert"
         title={
           Array.isArray(errorMessage)
-            ? errorMessage.map((msg) => (
+            ? errorMessage.map((msg) => <div key={msg}>{msg}</div>)
-                <div key={msg}>
+            : errorMessage
-                  {msg.messages ? msg.messages : JSON.stringify(msg)}
-                </div>
-              ))
-            : errorMessage && (
-                <div>
-                  {errorMessage.messages
-                    ? errorMessage.messages
-                    : JSON.stringify(errorMessage)}
-                </div>
-              )
         }
-      >
+      />
-        {Array.isArray(fieldError)
-          ? fieldError.map((msg) => (
-              <div key={msg}>
-                {msg.messages ? msg.messages : JSON.stringify(msg)}
-              </div>
-            ))
-          : fieldError && (
-              <div>
-                {fieldError.messages
-                  ? fieldError.messages
-                  : JSON.stringify(fieldError)}
-              </div>
-            )}
-      </Alert>
     </FormFullWidthLayout>
   );
 }

awx/ui/src/components/FormField/FormSubmitError.test.js

@@ -5,15 +5,14 @@ import { mountWithContexts } from '../../../testUtils/enzymeHelpers';
 import FormSubmitError from './FormSubmitError';
 
 describe('<FormSubmitError>', () => {
-  test('should render null when no error present', async () => {
+  test('should render null when no error present', () => {
     const wrapper = mountWithContexts(
       <Formik>{() => <FormSubmitError error={null} />}</Formik>
     );
-    const ele = await wrapper.find('FormSubmitError').text();
+    expect(wrapper.find('FormSubmitError').text()).toEqual('');
-    expect(ele).toEqual('');
   });
 
-  test('should pass field errors to Formik', async () => {
+  test('should pass field errors to Formik', () => {
     const error = {
       response: {
         data: {
@@ -31,7 +30,26 @@ describe('<FormSubmitError>', () => {
         )}
       </Formik>
     );
-    const pp = await wrapper.find('p').text();
+    expect(wrapper.find('p').text()).toEqual('invalid');
-    expect(pp).toEqual('invalid');
+  });
+
+  test('should display error message if field errors not provided', async () => {
+    const realConsole = global.console;
+    global.console = {
+      error: jest.fn(),
+    };
+    const error = {
+      message: 'There was an error',
+    };
+    let wrapper;
+    await act(async () => {
+      wrapper = mountWithContexts(
+        <Formik>{() => <FormSubmitError error={error} />}</Formik>
+      );
+    });
+    wrapper.update();
+    expect(wrapper.find('Alert').prop('title')).toEqual('There was an error');
+    expect(global.console.error).toHaveBeenCalledWith(error);
+    global.console = realConsole;
   });
 });

awx/ui/src/components/FormField/sortErrorMessages.js

@@ -9,18 +9,15 @@ export default function sortErrorMessages(error, formValues = {}) {
     Object.keys(error.response.data).length > 0
   ) {
     const parsed = parseFieldErrors(error.response.data, formValues);
-
     return {
-      formError:
+      formError: parsed.formErrors.join('; '),
-        parsed.formErrors.indexOf(';') > -1
-          ? parsed.formErrors.join('; ')
-          : 'Error in fields',
       fieldErrors: Object.keys(parsed.fieldErrors).length
         ? parsed.fieldErrors
         : null,
     };
   }
-
+  /* eslint-disable-next-line no-console */
+  console.error(error);
   return {
     formError: error.message,
     fieldErrors: null,

awx/ui/src/components/FormField/sortErrorMessages.test.js

@@ -35,7 +35,7 @@ describe('sortErrorMessages', () => {
     };
     const parsed = sortErrorMessages(error, { foo: '', baz: '' });
     expect(parsed).toEqual({
-      formError: 'Error in fields',
+      formError: '',
       fieldErrors: {
         foo: 'bar',
         baz: 'bam',
@@ -54,7 +54,7 @@ describe('sortErrorMessages', () => {
     };
     const parsed = sortErrorMessages(error, { foo: '', baz: '' });
     expect(parsed).toEqual({
-      formError: 'Error in fields',
+      formError: 'oopsie',
       fieldErrors: {
         baz: 'bam',
       },
@@ -72,7 +72,7 @@ describe('sortErrorMessages', () => {
     };
     const parsed = sortErrorMessages(error, { foo: '', baz: '' });
     expect(parsed).toEqual({
-      formError: 'Error in fields',
+      formError: '',
       fieldErrors: {
         foo: 'bar; bar2',
         baz: 'bam',
@@ -103,7 +103,7 @@ describe('sortErrorMessages', () => {
     };
     const parsed = sortErrorMessages(error, formValues);
     expect(parsed).toEqual({
-      formError: 'Error in fields',
+      formError: '',
       fieldErrors: {
         inputs: {
           url: 'URL Error',
@@ -135,7 +135,7 @@ describe('sortErrorMessages', () => {
     };
     const parsed = sortErrorMessages(error, formValues);
     expect(parsed).toEqual({
-      formError: 'Error in fields',
+      formError: 'Other stuff error',
       fieldErrors: {
         inputs: {
           url: 'URL Error',

awx/ui/src/screens/Dashboard/Dashboard.js

@@ -80,7 +80,7 @@ function Dashboard() {
           <Trans>
             <p>
               <InfoCircleIcon /> A tech preview of the new {brandName} user
-              interface can be found <a href="/ui_next">here</a>.
+              interface can be found <a href="/ui_next/dashboard">here</a>.
             </p>
           </Trans>
         </Banner>

awx/ui/src/screens/SubscriptionUsage/SubscriptionUsage.js

@@ -30,7 +30,7 @@ function SubscriptionUsage() {
           <Trans>
             <p>
               <InfoCircleIcon /> A tech preview of the new {brandName} user
-              interface can be found <a href="/ui_next">here</a>.
+              interface can be found <a href="/ui_next/dashboard">here</a>.
             </p>
           </Trans>
         </Banner>

awx_collection/tests/integration/targets/inventory_source_update/tasks/main.yml

@@ -26,7 +26,7 @@
         name: "{{ project_name }}"
         organization: "{{ org_name }}"
         scm_type: git
-        scm_url: https://github.com/ansible/ansible-tower-samples
+        scm_url: https://github.com/ansible/test-playbooks
         wait: true
 
     - name: Create a git project with same name, different org

awx_collection/tests/integration/targets/project/tasks/main.yml

@@ -31,7 +31,7 @@
         name: "{{ project_name1 }}"
         organization: Default
         scm_type: git
-        scm_url: https://github.com/ansible/ansible-tower-samples
+        scm_url: https://github.com/ansible/test-playbooks
         wait: true
       register: result
 
@@ -44,7 +44,7 @@
         name: "{{ project_name1 }}"
         organization: Default
         scm_type: git
-        scm_url: https://github.com/ansible/ansible-tower-samples
+        scm_url: https://github.com/ansible/test-playbooks
         wait: true
         state: exists
       register: result
@@ -58,7 +58,7 @@
         name: "{{ project_name1 }}"
         organization: Default
         scm_type: git
-        scm_url: https://github.com/ansible/ansible-tower-samples
+        scm_url: https://github.com/ansible/test-playbooks
         wait: true
         state: exists
         request_timeout: .001
@@ -75,7 +75,7 @@
         name: "{{ project_name1 }}"
         organization: Default
         scm_type: git
-        scm_url: https://github.com/ansible/ansible-tower-samples
+        scm_url: https://github.com/ansible/test-playbooks
         wait: true
         state: absent
       register: result
@@ -89,7 +89,7 @@
         name: "{{ project_name1 }}"
         organization: Default
         scm_type: git
-        scm_url: https://github.com/ansible/ansible-tower-samples
+        scm_url: https://github.com/ansible/test-playbooks
         wait: true
         state: exists
       register: result
@@ -103,7 +103,7 @@
         name: "{{ project_name1 }}"
         organization: Default
         scm_type: git
-        scm_url: https://github.com/ansible/ansible-tower-samples
+        scm_url: https://github.com/ansible/test-playbooks
         wait: false
       register: result
       ignore_errors: true
@@ -137,7 +137,7 @@
         name: "{{ project_name2 }}"
         organization: "{{ org_name }}"
         scm_type: git
-        scm_url: https://github.com/ansible/ansible-tower-samples
+        scm_url: https://github.com/ansible/test-playbooks
         scm_credential: "{{ cred_name }}"
       check_mode: true
 
@@ -162,7 +162,7 @@
         name: "{{ project_name2 }}"
         organization: Non_Existing_Org
         scm_type: git
-        scm_url: https://github.com/ansible/ansible-tower-samples
+        scm_url: https://github.com/ansible/test-playbooks
         scm_credential: "{{ cred_name }}"
       register: result
       ignore_errors: true
@@ -179,7 +179,7 @@
         name: "{{ project_name2 }}"
         organization: "{{ org_name }}"
         scm_type: git
-        scm_url: https://github.com/ansible/ansible-tower-samples
+        scm_url: https://github.com/ansible/test-playbooks
         scm_credential: Non_Existing_Credential
       register: result
       ignore_errors: true
@@ -191,7 +191,7 @@
           - "'Non_Existing_Credential' in result.msg"
           - "result.total_results == 0"
 
-    - name: Create a git project using a branch and allowing branch override
+    - name: Create a git project without credentials without waiting
       project:
         name: "{{ project_name3 }}"
         organization: Default

awx_collection/tests/integration/targets/project_update/tasks/main.yml

@@ -13,7 +13,7 @@
     name: "{{ project_name1 }}"
     organization: Default
     scm_type: git
-    scm_url: https://github.com/ansible/ansible-tower-samples
+    scm_url: https://github.com/ansible/test-playbooks
     wait: false
   register: project_create_result
 

docs/docsite/rst/administration/ldap_auth.rst

@@ -7,7 +7,6 @@ Setting up LDAP Authentication
    single: LDAP
    pair: authentication; LDAP
    
-This chapter describes how to integrate LDAP authentication with AWX.
 
 .. note::
 

docs/docsite/rst/userguide/credential_plugins.rst

@@ -10,15 +10,14 @@ Secret Management System
    
 Users and admins upload machine and cloud credentials so that automation can access machines and external services on their behalf. By default, sensitive credential values (such as SSH passwords, SSH private keys, API tokens for cloud services) are stored in the database after being encrypted. With external credentials backed by credential plugins, you can map credential fields (like a password or an SSH Private key) to values stored in a :term:`secret management system` instead of providing them to AWX directly. AWX provides a secret management system that include integrations for:
 
-- :ref:`ug_credentials_aws_lookup`
+- Centrify Vault Credential Provider Lookup
-- :ref:`ug_credentials_centrify`
+- CyberArk Central Credential Provider Lookup (CCP)
-- :ref:`ug_credentials_cyberarkccp`
+- CyberArk Conjur Secrets Manager Lookup
-- :ref:`ug_credentials_cyberarkconjur`
+- HashiCorp Vault Key-Value Store (KV)
-- :ref:`ug_credentials_hashivault` (KV)
+- HashiCorp Vault SSH Secrets Engine
-- :ref:`ug_credentials_hashivaultssh`
+- Microsoft Azure Key Management System (KMS)
-- :ref:`ug_credentials_azurekeyvault` (KMS)
+- Thycotic DevOps Secrets Vault
-- :ref:`ug_credentials_thycoticvault`
+- Thycotic Secret Server
-- :ref:`ug_credentials_thycoticserver`
 
 These external secret values will be fetched prior to running a playbook that needs them. For more information on specifying these credentials in the User Interface, see :ref:`ug_credentials`.
 
@@ -50,92 +49,11 @@ Use the AWX User Interface to configure and use each of the supported 3-party se
 .. image:: ../common/images/credentials-link-credential-prompt.png 
    :alt: Credential section of the external secret management system dialog
 
-4. Select the credential you want to link to, and click **Next**. This takes you to the **Metadata** tab of the input source. Metadata is specific to the input source you select:
+4. Select the credential you want to link to, and click **Next**. This takes you to the **Metadata** tab of the input source. This example shows the Metadata prompt for HashiVault Secret Lookup. Metadata is specific to the input source you select. See the :ref:`ug_metadata_creds_inputs` table for details.
-
-.. list-table::
-   :widths: 10 10 25
-   :width: 1400px
-   :header-rows: 1
-
-   * - Input Source 
-     - Metadata
-     - Description
-   * - *AWS Secrets Manager*
-     - AWS Secrets Manager Region (required)
-     - The region where the secrets manager is located.
-   * - 
-     - AWS Secret Name (Required)
-     - Specify the AWS secret name that was generated by the AWS access key.
-   * - *Centrify Vault Credential Provider Lookup*
-     - Account Name (Required)
-     - Name of the system account or domain associated with Centrify Vault.
-   * - 
-     - System Name
-     - Specify the name used by the Centrify portal.
-   * - *CyberArk Central Credential Provider Lookup*
-     - Object Query (Required)
-     - Lookup query for the object.
-   * - 
-     - Object Query Format
-     - Select ``Exact`` for a specific secret name, or ``Regexp`` for a secret that has a dynamically generated name.
-   * - 
-     - Object Property
-     - Specifies the name of the property to return (e.g., ``UserName``, ``Address``, etc.) other than the default of ``Content``.
-   * -
-     - Reason
-     - If required per the object's policy, supply a reason for checking out the secret, as CyberArk logs those.
-   * - *CyberArk Conjur Secrets Lookup*
-     - Secret Identifier
-     - The identifier for the secret.
-   * - 
-     - Secret Version
-     - Specify a version of the secret, if necessary, otherwise, leave it empty to use the latest version.
-   * - *HashiVault Secret Lookup*
-     - Name of Secret Backend
-     - Specify the name of the KV backend to use. Leave it blank to use the first path segment of the **Path to Secret** field instead.
-   * - 
-     - Path to Secret (required)
-     - Specify the path to where the secret information is stored; for example, ``/path/username``.
-   * - 
-     - Key Name (required)
-     - Specify the name of the key to look up the secret information.
-   * - 
-     - Secret Version (V2 Only)
-     - Specify a version if necessary, otherwise, leave it empty to use the latest version.
-   * - *HashiCorp Signed SSH*
-     - Unsigned Public Key (required)
-     - Specify the public key of the cert you want to get signed. It needs to be present in the authorized keys file of the target host(s).
-   * -
-     - Path to Secret (required)
-     - Specify the path to where the secret information is stored; for example, ``/path/username``.
-   * - 
-     - Role Name (required)
-     - A role is a collection of SSH settings and parameters that are stored in Hashi vault. Typically, you can specify a couple of them with different privileges, timeouts, etc. So you could have a role that is allowed to get a cert signed for root, and other less privileged ones, for example.
-   * - 
-     - Valid Principals
-     - Specify a user (or users) other than the default, that you are requesting vault to authorize the cert for the stored key. Hashi vault has a default user for whom it signs (e.g., ec2-user).
-   * - *Azure KMS*
-     - Secret Name (required)
-     - The actual name of the secret as it is referenced in Azure's Key vault app.
-   * - 
-     - Secret Version
-     - Specify a version of the secret, if necessary, otherwise, leave it empty to use the latest version.
-   * - *Thycotic DevOps Secrets Vault*
-     - Secret Path (required)
-     - Specify the path to where the secret information is stored (e.g., /path/username).
-   * - *Thycotic Secret Server*
-     - Secret ID (required)
-     - The identifier for the secret.
-   * - 
-     - Secret Field
-     - Specify the field to be used from the secret.
-
-This example shows the Metadata prompt for HashiVault Secret Lookup.  
 
 .. image:: ../common/images/credentials-link-metadata-prompt.png
    :alt: Metadata section of the external secret management system dialog
 
-
 5. Click **Test** to verify connection to the secret management system. If the lookup is unsuccessful, an error message like this one displays:
 
 .. image:: ../common/images/credentials-link-metadata-test-error.png
@@ -147,37 +65,133 @@ This example shows the Metadata prompt for HashiVault Secret Lookup.
 
 8. Click **Save** when done.
 
+.. _ug_metadata_creds_inputs:
 
-.. _ug_credentials_aws_lookup:
+Metadata for credential input sources
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-AWS Secrets Manager Lookup
+**Centrify Vault Credential Provider Lookup**
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.. index::
-   pair: credential types; AWS
 
-This plugin allows AWS to be used as a credential input source to pull secrets from AWS SecretsManager. `AWS Secrets Manager <https://aws.amazon.com/secrets-manager/>`_ provides similar service to :ref:`ug_credentials_azurekeyvault`, and the AWS collection provides a lookup plugin for it. 
+.. list-table::
+   :widths: 25 50
+   :header-rows: 1
 
-When **AWS Secrets Manager lookup** is selected for **Credential Type**, provide the following attributes to properly configure your lookup:
+   * - Metadata
+     - Description
+   * - Account Name (Required)
+     - Name of the system account or domain associated with Centrify Vault.
+   * - System Name
+     - Specify the name used by the Centrify portal.
 
-- **AWS Access Key** (required): provide the access key used for communicating with AWS' key management system
+**CyberArk Central Credential Provider Lookup**
-- **AWS Secret Key** (required): provide the secret as obtained by the AWS IAM console
 
+.. list-table::
+   :widths: 25 50
+   :header-rows: 1
 
-Below shows an example of a configured AWS Secret Manager credential.
+   * - Metadata
+     - Description
+   * - Object Query (Required)
+     - Lookup query for the object.
+   * - Object Query Format
+     - Select ``Exact`` for a specific secret name, or ``Regexp`` for a secret that has a dynamically generated name.
+   * - Object Property
+     - Specifies the name of the property to return (e.g., ``UserName``, ``Address``, etc.) other than the default of ``Content``.
+   * - Reason
+     - If required per the object's policy, supply a reason for checking out the secret, as CyberArk logs those.
 
-.. image:: ../common/images/credentials-create-aws-secret-credential.png
+**CyberArk Conjur Secrets Lookup**
-   :width: 1400px
-   :alt: Example new AWS Secret Manager credential lookup dialog
 
+.. list-table::
+   :widths: 25 50
+   :header-rows: 1
+
+   * - Metadata
+     - Description
+   * - Secret Identifier
+     - The identifier for the secret.
+   * - Secret Version
+     - Specify a version of the secret, if necessary, otherwise, leave it empty to use the latest version.
+
+**HashiVault Secret Lookup**
+
+.. list-table::
+   :widths: 25 50
+   :header-rows: 1
+
+   * - Metadata
+     - Description
+   * - Name of Secret Backend
+     - Specify the name of the KV backend to use. Leave it blank to use the first path segment of the **Path to Secret** field instead.
+   * - Path to Secret (required)
+     - Specify the path to where the secret information is stored; for example, ``/path/username``.
+   * - Key Name (required)
+     - Specify the name of the key to look up the secret information.
+   * - Secret Version (V2 Only)
+     - Specify a version if necessary, otherwise, leave it empty to use the latest version.
+
+**HashiCorp Signed SSH**
+
+.. list-table::
+   :widths: 25 50
+   :header-rows: 1
+
+   * - Metadata
+     - Description
+   * - Unsigned Public Key (required)
+     - Specify the public key of the cert you want to get signed. It needs to be present in the authorized keys file of the target host(s).
+   * - Path to Secret (required)
+     - Specify the path to where the secret information is stored; for example, ``/path/username``.
+   * - Role Name (required)
+     - A role is a collection of SSH settings and parameters that are stored in Hashi vault. Typically, you can specify a couple of them with different privileges, timeouts, etc. So you could have a role that is allowed to get a cert signed for root, and other less privileged ones, for example.
+   * - Valid Principals
+     - Specify a user (or users) other than the default, that you are requesting vault to authorize the cert for the stored key. Hashi vault has a default user for whom it signs (e.g., ec2-user).
+
+**Azure KMS**
+
+.. list-table::
+   :widths: 25 50
+   :header-rows: 1
+
+   * - Metadata
+     - Description
+   * - Secret Name (required)
+     - The actual name of the secret as it is referenced in Azure's Key vault app.
+   * - Secret Version
+     - Specify a version of the secret, if necessary, otherwise, leave it empty to use the latest version.
+
+**Thycotic DevOps Secrets Vault**
+
+.. list-table::
+   :widths: 25 50
+   :header-rows: 1
+
+   * - Metadata
+     - Description
+   * - Secret Path (required)
+     - Specify the path to where the secret information is stored (e.g., /path/username).
+
+**Thycotic Secret Server**
+
+.. list-table::
+   :widths: 25 50
+   :header-rows: 1
+
+   * - Metadata
+     - Description
+   * - Secret ID (required)
+     - The identifier for the secret.
+   * - Secret Field
+     - Specify the field to be used from the secret.
 
 .. _ug_credentials_centrify:
 
 Centrify Vault Credential Provider Lookup
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 .. index::
    pair: credential types; Centrify
 
-You need the Centrify Vault web service running to store secrets in order for this integration to work. When **Centrify Vault Credential Provider Lookup** is selected for **Credential Type**, provide the following attributes to properly configure your lookup:
+You need the Centrify Vault web service running to store secrets in order for this integration to work. When **Centrify Vault Credential Provider Lookup** is selected for **Credential Type**, provide the following metadata to properly configure your lookup:
 
 - **Centrify Tenant URL** (required): provide the URL used for communicating with Centrify's secret management system
 - **Centrify API User** (required): provide the username
@@ -194,12 +208,12 @@ Below shows an example of a configured CyberArk AIM credential.
 .. _ug_credentials_cyberarkccp:
 
 CyberArk Central Credential Provider (CCP) Lookup
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 .. index::
    single: CyberArk CCP
    pair: credential; CyberArk CCP
 
-You need the CyberArk Central Credential Provider web service running to store secrets in order for this integration to work. When **CyberArk Central Credential Provider Lookup** is selected for **Credential Type**, provide the following attributes to properly configure your lookup:
+You need the CyberArk Central Credential Provider web service running to store secrets in order for this integration to work. When **CyberArk Central Credential Provider Lookup** is selected for **Credential Type**, provide the following metadata to properly configure your lookup:
 
 - **CyberArk CCP URL** (required): provide the URL used for communicating with CyberArk CCP's secret management system; must include URL scheme (http, https, etc.)
 - **Web Service ID**: optionally specify the identifier for the web service; leaving it blank defaults to AIMWebService
@@ -216,14 +230,14 @@ Below shows an example of a configured CyberArk CCP credential.
 .. _ug_credentials_cyberarkconjur:
 
 CyberArk Conjur Secrets Manager Lookup
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 .. index::
    single: CyberArk Conjur
    pair: credential; CyberArk Conjur
 
 With a Conjur Cloud tenant available to target, configure the CyberArk Conjur Secrets Lookup external management system credential plugin as documented.
 
-When **CyberArk Conjur Secrets Manager Lookup** is selected for **Credential Type**, provide the following attributes to properly configure your lookup:
+When **CyberArk Conjur Secrets Manager Lookup** is selected for **Credential Type**, provide the following metadata to properly configure your lookup:
 
 - **Conjur URL** (required): provide the URL used for communicating with CyberArk Conjur's secret management system; must include URL scheme (http, https, etc.)
 - **API Key** (required): provide the key given by your Conjur admin
@@ -239,12 +253,12 @@ Below shows an example of a configured CyberArk Conjur credential.
 .. _ug_credentials_hashivault:
 
 HashiCorp Vault Secret Lookup
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 .. index::
    single: HashiCorp Secret Lookup
    pair: credential; HashiCorp KV
 
-When **HashiCorp Vault Secret Lookup** is selected for **Credential Type**, provide the following attributes to properly configure your lookup:
+When **HashiCorp Vault Secret Lookup** is selected for **Credential Type**, provide the following metadata to properly configure your lookup:
 
 - **Server URL** (required): provide the URL used for communicating with HashiCorp Vault's secret management system
 - **Token**: specify the access token used to authenticate HashiCorp's server
@@ -277,7 +291,7 @@ Below shows an example of a configured HashiCorp Vault Secret Lookup  credential
 .. image:: ../common/images/credentials-create-hashicorp-kv-credential.png 
    :alt: Example new HashiCorp Vault Secret lookup dialog
 
-To test the lookup, create another credential that uses the HashiCorp Vault lookup. The example below shows the attributes for a machine credential configured to look up HashiCorp Vault secret credentials:
+To test the lookup, create another credential that uses the HashiCorp Vault lookup. The example below shows the metadata for a machine credential configured to look up HashiCorp Vault secret credentials:
 
 .. image:: ../common/images/credentials-machine-test-hashicorp-metadata.png 
    :alt: Example machine credential lookup metadata for HashiCorp Vault.
@@ -286,12 +300,12 @@ To test the lookup, create another credential that uses the HashiCorp Vault look
 .. _ug_credentials_hashivaultssh:
 
 HashiCorp Vault Signed SSH
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 .. index::
    single: HashiCorp SSH Secrets Engine
    pair: credential; HashiCorp SSH Secrets Engine
 
-When **HashiCorp Vault Signed SSH** is selected for **Credential Type**, provide the following attributes to properly configure your lookup:
+When **HashiCorp Vault Signed SSH** is selected for **Credential Type**, provide the following metadata to properly configure your lookup:
 
 - **Server URL** (required): provide the URL used for communicating with HashiCorp Signed SSH's secret management system
 - **Token**: specify the access token used to authenticate HashiCorp's server
@@ -321,13 +335,13 @@ Below shows an example of a configured HashiCorp SSH Secrets Engine credential.
 .. _ug_credentials_azurekeyvault:
 
 Microsoft Azure Key Vault
-~~~~~~~~~~~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
 .. index::
    single: MS Azure KMS
    pair: credential; MS Azure KMS
    triple: credential; Azure; KMS
 
-When **Microsoft Azure Key Vault** is selected for **Credential Type**, provide the following attributes to properly configure your lookup:
+When **Microsoft Azure Key Vault** is selected for **Credential Type**, provide the following metadata to properly configure your lookup:
 
 - **Vault URL (DNS Name)** (required): provide the URL used for communicating with MS Azure's key management system
 - **Client ID** (required): provide the identifier as obtained by the Azure Active Directory
@@ -343,12 +357,12 @@ Below shows an example of a configured Microsoft Azure KMS credential.
 .. _ug_credentials_thycoticvault:
 
 Thycotic DevOps Secrets Vault
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 .. index::
    single: Thycotic DevOps Secrets Vault
    pair: credential; Thycotic DevOps Secrets Vault
 
-When **Thycotic DevOps Secrets Vault** is selected for **Credential Type**, provide the following attributes to properly configure your lookup:
+When **Thycotic DevOps Secrets Vault** is selected for **Credential Type**, provide the following metadata to properly configure your lookup:
 
 - **Tenant** (required): provide the URL used for communicating with Thycotic's secret management system
 - **Top-level Domain (TLD)** : provide the top-level domain designation (e.g., com, edu, org) associated with the secret vault you want to integrate
@@ -365,12 +379,12 @@ Below shows an example of a configured Thycotic DevOps Secrets Vault credential.
 .. _ug_credentials_thycoticserver:
 
 Thycotic Secret Server
-~~~~~~~~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^^^^^^^^^
 .. index::
    single: Thycotic Secret Server
    pair: credential; Thycotic Secret Server
 
-When **Thycotic Secrets Server** is selected for **Credential Type**, provide the following attributes to properly configure your lookup:
+When **Thycotic Secrets Server** is selected for **Credential Type**, provide the following metadata to properly configure your lookup:
 
 - **Secret Server URL** (required): provide the URL used for communicating with the Thycotic Secrets Server management system
 - **Username** (required): specify the authenticated user for this service

docs/docsite/rst/userguide/credentials.rst

@@ -128,7 +128,7 @@ The following credential types are supported with AWX:
 .. contents::
     :local:
 
-The credential types associated with AWS Secrets Manager, Centrify, CyberArk, HashiCorp Vault, Microsoft Azure Key Management System (KMS), and Thycotic are part of the credential plugins capability that allows an external system to lookup your secrets information. See the :ref:`ug_credential_plugins` section for further detail.
+The credential types associated with Centrify, CyberArk, HashiCorp Vault, Microsoft Azure Key Management System (KMS), and Thycotic are part of the credential plugins capability that allows an external system to lookup your secrets information. See the :ref:`ug_credential_plugins` section for further detail.
 
 
 .. _ug_credentials_aws:
@@ -166,10 +166,6 @@ AWX provides support for EC2 STS tokens (sometimes referred to as IAM STS creden
 
   To use implicit IAM role credentials, do not attach AWS cloud credentials in AWX when relying on IAM roles to access the AWS API.  While it may seem to make sense to attach your AWS cloud credential to your job template, doing so will force the use of your AWS credentials and will not "fall through" to use your IAM role credentials (this is due to the use of the boto library.)
 
-AWS Secrets Manager 
-^^^^^^^^^^^^^^^^^^^^^
-This is considered part of the secret management capability. See :ref:`ug_credentials_aws_lookup` for more detail.
-
 
 Ansible Galaxy/Automation Hub API Token
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

requirements/requirements.in

@@ -1,4 +1,4 @@
-aiohttp>=3.8.6  # CVE-2023-47627
+aiohttp
 ansiconv==1.0.0  # UPGRADE BLOCKER: from 2013, consider replacing instead of upgrading
 asciichartpy
 asn1
@@ -8,7 +8,7 @@ boto3
 botocore
 channels
 channels-redis==3.4.1  # see UPGRADE BLOCKERs
-cryptography>=41.0.6  # CVE-2023-49083
+cryptography>=41.0.2  # CVE-2023-38325
 Cython<3 # this is needed as a build dependency, one day we may have separated build deps
 daphne
 distro
@@ -26,10 +26,10 @@ django-split-settings==1.0.0    # We hit a strange issue where the release proce
 djangorestframework
 djangorestframework-yaml
 filelock
-GitPython>=3.1.37  # CVE-2023-41040
+GitPython>=3.1.32  # CVE-2023-40267
 hiredis==2.0.0  # see UPGRADE BLOCKERs
 irc
-jinja2>=3.1.3  # CVE-2024-22195
+jinja2
 JSON-log-formatter
 jsonschema
 Markdown  # used for formatting API help
@@ -49,20 +49,20 @@ pyyaml>=6.0.1
 receptorctl
 social-auth-core[openidconnect]==4.4.2  # see UPGRADE BLOCKERs
 social-auth-app-django==5.4.0  # see UPGRADE BLOCKERs
-sqlparse>=0.4.4   # Required by django https://github.com/ansible/awx/security/dependabot/96
+sqlparse >= 0.4.4   # Required by django https://github.com/ansible/awx/security/dependabot/96
 redis
 requests
 slack-sdk
 tacacs_plus==1.0  # UPGRADE BLOCKER: auth does not work with later versions
 twilio
-twisted[tls]>=23.10.0  # CVE-2023-46137
+twisted[tls]
 uWSGI
 uwsgitop
 wheel>=0.38.1 # CVE-2022-40898
 pip==21.2.4  # see UPGRADE BLOCKERs
 setuptools  # see UPGRADE BLOCKERs
 setuptools_scm[toml]  # see UPGRADE BLOCKERs, xmlsec build dep
-setuptools-rust>=0.11.4  # cryptography build dep
+setuptools-rust >= 0.11.4 # cryptography build dep
 pkgconfig>=1.5.1  # xmlsec build dep - needed for offline build
 
 # Temporarily added to use ansible-runner from git branch, to be removed

requirements/requirements.txt

@@ -1,6 +1,6 @@
 adal==1.2.7
     # via msrestazure
-aiohttp==3.9.3
+aiohttp==3.8.3
     # via -r /awx_devel/requirements/requirements.in
 aioredis==1.3.1
     # via channels-redis
@@ -70,12 +70,14 @@ channels==3.0.5
 channels-redis==3.4.1
     # via -r /awx_devel/requirements/requirements.in
 charset-normalizer==2.1.1
-    # via requests
+    # via
+    #   aiohttp
+    #   requests
 click==8.1.3
     # via receptorctl
 constantly==15.1.0
     # via twisted
-cryptography==41.0.7
+cryptography==41.0.3
     # via
     #   -r /awx_devel/requirements/requirements.in
     #   adal
@@ -161,7 +163,7 @@ frozenlist==1.3.3
     #   aiosignal
 gitdb==4.0.10
     # via gitpython
-gitpython==3.1.42
+gitpython==3.1.32
     # via -r /awx_devel/requirements/requirements.in
 google-auth==2.14.1
     # via kubernetes
@@ -214,7 +216,7 @@ jaraco-text==3.11.0
     # via
     #   irc
     #   jaraco-collections
-jinja2==3.1.3
+jinja2==3.1.2
     # via -r /awx_devel/requirements/requirements.in
 jmespath==1.0.1
     # via
@@ -360,7 +362,7 @@ pyyaml==6.0.1
     #   djangorestframework-yaml
     #   kubernetes
     #   receptorctl
-receptorctl==1.4.4
+receptorctl==1.4.2
     # via -r /awx_devel/requirements/requirements.in
 redis==4.3.5
     # via -r /awx_devel/requirements/requirements.in
@@ -438,7 +440,7 @@ tomli==2.0.1
     # via setuptools-scm
 twilio==7.15.3
     # via -r /awx_devel/requirements/requirements.in
-twisted[tls]==23.10.0
+twisted[tls]==22.10.0
     # via
     #   -r /awx_devel/requirements/requirements.in
     #   daphne