mirror of
https://github.com/ansible/awx.git
synced 2026-01-11 10:00:01 -03:30
31e47706b9
- Sequentiallize auth config removal migrations - Remove references to third party auth - update license files - lint fix - Remove unneeded docs - Remove unreferenced file - Remove social auth references from docs - Remove rest of sso dir - Remove references to third part auth in docs - Removed screenshots of UI listing removed settings - Remove AuthView references - Remove unused imports ... Co-Authored-By: jessicamack <21223244+jessicamack@users.noreply.github.com>
24 lines
1.1 KiB
Markdown
24 lines
1.1 KiB
Markdown
Extracting Credential Values
|
|
============================
|
|
|
|
AWX stores a variety of secrets in the database that are either used for automation or are a result of automation. These secrets include:
|
|
|
|
- all secret fields of all credential types (passwords, secret keys, authentication tokens, secret cloud credentials)
|
|
- secret tokens and passwords for external services defined in AWX settings
|
|
- "password" type survey fields entries
|
|
|
|
To encrypt secret fields, AWX uses AES in CBC mode with a 256-bit key for encryption, PKCS7 padding, and HMAC using SHA256 for authentication.
|
|
|
|
If necessary, credentials and encrypted settings can be extracted using the AWX shell:
|
|
|
|
```python
|
|
$ awx-manage shell_plus
|
|
>>> from awx.main.utils import decrypt_field
|
|
>>> print(decrypt_field(Credential.objects.get(name="my private key"), "ssh_key_data")) # Example for a credential
|
|
>>> print(decrypt_field(Setting.objects.get(key='setting'), 'value')) # Example for a setting
|
|
```
|
|
|
|
If you are running a kubernetes based deployment, you can execute awx-manage like this:
|
|
```bash
|
|
$ kubectl exec --stdin --tty [instance name]-task-[...] -c [instance name]-task -- awx-manage shell_plus
|
|
``` |