Reputation: 1070
I've been banging my head for about a week now.
I have AWX running via docker-compose and set up on an EC2 instance. My department does not have credentials to create Azure Service Principals, so while I'm waiting on that request to go through I'm trying to get AWX to authenticate with Azure via Active Directory credentials. While testing, for simplicity, I have a test task set up that runs azure_rm_dnsrecordset_facts, so I can simply pull a TXT record to show that authentication is authenticating. On my development machine I can install Azure CLI, run az login and execute playbooks et al. via the ansible-playbook command, and it works: I can see the test pulls the expected TXT record. But on AWX I get errors.
Using az login and copying the files at /root/.azure/ to /var/lib/awx/.azure/, I get this error:
{
  "_ansible_parsed": false,
  "exception": "Traceback (most recent call last):\n File \"/root/.ansible/tmp/ansible-tmp-1558728025.48-180262108746971/AnsiballZ_azure_rm_dnsrecordset_facts.py\", line 113, in <module>\n _ansiballz_main()\n File \"/root/.ansible/tmp/ansible-tmp-1558728025.48-180262108746971/AnsiballZ_azure_rm_dnsrecordset_facts.py\", line 105, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/root/.ansible/tmp/ansible-tmp-1558728025.48-180262108746971/AnsiballZ_azure_rm_dnsrecordset_facts.py\", line 48, in invoke_module\n imp.load_module('__main__', mod, module, MOD_DESC)\n File \"/tmp/ansible_azure_rm_dnsrecordset_facts_payload_PlPfUW/__main__.py\", line 202, in <module>\n File \"/tmp/ansible_azure_rm_dnsrecordset_facts_payload_PlPfUW/__main__.py\", line 198, in main\n File \"/tmp/ansible_azure_rm_dnsrecordset_facts_payload_PlPfUW/__main__.py\", line 133, in __init__\n File \"/tmp/ansible_azure_rm_dnsrecordset_facts_payload_PlPfUW/ansible_azure_rm_dnsrecordset_facts_payload.zip/ansible/module_utils/azure_rm_common.py\", line 301, in __init__\n File \"/tmp/ansible_azure_rm_dnsrecordset_facts_payload_PlPfUW/ansible_azure_rm_dnsrecordset_facts_payload.zip/ansible/module_utils/azure_rm_common.py\", line 1045, in __init__\n File \"/var/lib/awx/venv/ansible/lib/python2.7/site-packages/msrestazure/azure_active_directory.py\", line 383, in __init__\n self.set_token()\n File \"/var/lib/awx/venv/ansible/lib/python2.7/site-packages/msrestazure/azure_active_directory.py\", line 415, in set_token\n raise_with_traceback(AuthenticationError, \"\", err)\n File \"/var/lib/awx/venv/ansible/lib/python2.7/site-packages/msrest/exceptions.py\", line 48, in raise_with_traceback\n raise error\nmsrest.exceptions.AuthenticationError: , InvalidGrantError: (invalid_grant) AADSTS50126: Invalid username or password.\r\nTrace ID: 01cd8ac6-1c05-4391-96da-031e0da30500\r\nCorrelation ID: 03f28850-04cf-4344-b405-18594d8845a1\r\nTimestamp: 2019-05-24 20:00:26Z\n",
  "_ansible_no_log": false,
  "module_stderr": "Traceback (most recent call last):\n File \"/root/.ansible/tmp/ansible-tmp-1558728025.48-180262108746971/AnsiballZ_azure_rm_dnsrecordset_facts.py\", line 113, in <module>\n _ansiballz_main()\n File \"/root/.ansible/tmp/ansible-tmp-1558728025.48-180262108746971/AnsiballZ_azure_rm_dnsrecordset_facts.py\", line 105, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/root/.ansible/tmp/ansible-tmp-1558728025.48-180262108746971/AnsiballZ_azure_rm_dnsrecordset_facts.py\", line 48, in invoke_module\n imp.load_module('__main__', mod, module, MOD_DESC)\n File \"/tmp/ansible_azure_rm_dnsrecordset_facts_payload_PlPfUW/__main__.py\", line 202, in <module>\n File \"/tmp/ansible_azure_rm_dnsrecordset_facts_payload_PlPfUW/__main__.py\", line 198, in main\n File \"/tmp/ansible_azure_rm_dnsrecordset_facts_payload_PlPfUW/__main__.py\", line 133, in __init__\n File \"/tmp/ansible_azure_rm_dnsrecordset_facts_payload_PlPfUW/ansible_azure_rm_dnsrecordset_facts_payload.zip/ansible/module_utils/azure_rm_common.py\", line 301, in __init__\n File \"/tmp/ansible_azure_rm_dnsrecordset_facts_payload_PlPfUW/ansible_azure_rm_dnsrecordset_facts_payload.zip/ansible/module_utils/azure_rm_common.py\", line 1045, in __init__\n File \"/var/lib/awx/venv/ansible/lib/python2.7/site-packages/msrestazure/azure_active_directory.py\", line 383, in __init__\n self.set_token()\n File \"/var/lib/awx/venv/ansible/lib/python2.7/site-packages/msrestazure/azure_active_directory.py\", line 415, in set_token\n raise_with_traceback(AuthenticationError, \"\", err)\n File \"/var/lib/awx/venv/ansible/lib/python2.7/site-packages/msrest/exceptions.py\", line 48, in raise_with_traceback\n raise error\nmsrest.exceptions.AuthenticationError: , **InvalidGrantError: (invalid_grant) AADSTS50126: Invalid username or password**.\r\nTrace ID: 01cd8ac6-1c05-4391-96da-031e0da30500\r\nCorrelation ID: 03f28850-04cf-4344-b405-18594d8845a1\r\nTimestamp: 2019-05-24 20:00:26Z\n",
  "changed": false,
  "module_stdout": "",
  "rc": 1,
  "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error"
}
Using ad_username, password and subscription_id values as environment variables, as extra vars, or passed into the module from the vault all results in the same error:
{
  "_ansible_parsed": true,
  "_ansible_no_log": false,
  "invocation": {
    "module_args": {
      "profile": null,
      "resource_group": "publicdns**********",
      "tags": null,
      "cloud_environment": "AzureCloud",
      "relative_name": "_acme-challenge",
      "record_type": "TXT",
      "client_id": null,
      "api_profile": "latest",
      "adfs_authority_url": null,
      "zone_name": "*************",
      "password": null,
      "tenant": null,
      "top": "100",
      "append_tags": true,
      "ad_user": null,
      "cert_validation_mode": null,
      "secret": null,
      "auth_source": null,
      "subscription_id": null
    }
  },
  "changed": false,
  "msg": "**Failed to get credentials. Either pass as parameters, set environment variables, define a profile in ~/.azure/credentials, or log in with Azure CLI (`az login`)**."
}
Is it just me or is this a bug? I can't find anything that explicitly walks you through setting this up, except what I've found reading through the docs. I expected this to be straightforward and so far it's been anything but.
Here is one of the docs I've followed most recently: https://docs.ansible.com/ansible-tower/3.2.6/html/userguide/credentials.html#microsoft-azure-resource-manager
Thanks for the help. Here is a list of things I've tried:
Setting environment variables for AZURE_AD_USER, AZURE_PASSWORD and AZURE_SUBSCRIPTION_ID in both awx_task and awx_web containers.
I have set ad_user, password and subscription_id credentials as extra vars.
I have placed credentials in the vault and passed directly to the ansible module, with and without azure_adfs_authority_url.
In the awx_task docker container I have installed ansible[azure] and azure cli, run az login, verified the /root/.azure/azureProfile.json file is populated.
I have copied the files from /root/.azure/ to /var/lib/awx/.azure/ which is where it appears AWX is looking for these files. I've also verified read write access and file ownership.
I tinkered with the Microsoft Azure Resource Manager credential but it appears to not be what I want.
Thanks for your help
Upvotes: 1
Views: 1486
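The two errors in the question come from different stages: "Failed to get credentials" means the module found no credential set at all in the places its message lists (parameters, the environment of the process running the module, a profile in ~/.azure/credentials, the az login cache), whereas AADSTS50126 means a credential set was found and sent to Azure AD, which rejected it. The following is an added example, not code from the question, from AWX or from Ansible's azure_rm_common: a small model of that lookup order that reports which source supplied the values and whether they are complete for the AD-user or service-principal path. The AZURE_* environment names are the ones the question uses plus the documented tenant/client/secret ones; the function and key names and the sample inputs are this example's own.

```python
# Added example (not from the question, AWX, or Ansible): models the credential
# lookup order named in the "Failed to get credentials" message. Everything is
# passed in explicitly (params, env dict, profile text) so it runs offline; the
# az login cache is deliberately not modelled.
import configparser
from typing import Dict, Optional

# Parameter name -> environment variable consulted when the parameter is unset.
# AZURE_AD_USER / AZURE_PASSWORD / AZURE_SUBSCRIPTION_ID appear in the question;
# the remaining three are the documented names for service-principal auth.
ENV_MAP = {
    "ad_user": "AZURE_AD_USER",
    "password": "AZURE_PASSWORD",
    "subscription_id": "AZURE_SUBSCRIPTION_ID",
    "tenant": "AZURE_TENANT",
    "client_id": "AZURE_CLIENT_ID",
    "secret": "AZURE_SECRET",
}

# Minimum set each authentication path needs before a token request is attempted.
REQUIRED = {
    "service_principal": ("client_id", "secret", "tenant", "subscription_id"),
    "ad_user": ("ad_user", "password", "subscription_id"),
}


def from_profile(text: str, profile: str = "default") -> Dict[str, str]:
    """Parse INI-style ~/.azure/credentials content (passed in as text)."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    if not parser.has_section(profile):
        return {}
    return {k: v for k, v in parser.items(profile) if v}


def resolve_credentials(params: Dict[str, Optional[str]],
                        env: Dict[str, str],
                        profile_text: Optional[str] = None,
                        profile: str = "default") -> Optional[Dict[str, str]]:
    """Return the first non-empty credential set, tagged with its source."""
    # 1. explicit module parameters (extra vars / vault values end up here)
    explicit = {k: v for k, v in params.items() if k in ENV_MAP and v}
    if explicit:
        return dict(explicit, source="parameters")
    # 2. environment of the process that executes the module, not of the
    #    shell the operator exported the variables in
    from_env = {k: env[n] for k, n in ENV_MAP.items() if env.get(n)}
    if from_env:
        return dict(from_env, source="environment")
    # 3. profile section in the credentials file of that process's home dir
    if profile_text:
        found = from_profile(profile_text, profile)
        if found:
            return dict(found, source="profile")
    # 4. nothing found: this is the "Failed to get credentials" case
    return None


def classify(creds: Optional[Dict[str, str]]) -> str:
    """Name the auth path the values would take, or say what is missing."""
    if creds is None:
        return "no credentials: 'Failed to get credentials' before any AAD call"
    for method, keys in REQUIRED.items():
        if all(creds.get(k) for k in keys):
            return f"{method} via {creds['source']}"
    # Values were found but no path is complete: report the closest one.
    method = "ad_user" if creds.get("ad_user") or creds.get("password") \
        else "service_principal"
    missing = [k for k in REQUIRED[method] if not creds.get(k)]
    return f"{method} via {creds['source']} incomplete, missing: " \
        + ", ".join(missing)


if __name__ == "__main__":
    # Constructed sample inputs, not values from the question.
    sample_env = {"AZURE_AD_USER": "user@example.com",
                  "AZURE_PASSWORD": "example-password",
                  "AZURE_SUBSCRIPTION_ID": "00000000-0000-0000-0000-000000000000"}
    sample_profile = "[default]\nsubscription_id=sub\nad_user=u\npassword=p\n"
    print(classify(resolve_credentials({}, {}, None)))
    print(classify(resolve_credentials({}, sample_env, None)))
    print(classify(resolve_credentials({}, {}, sample_profile)))
    print(classify(resolve_credentials({"ad_user": "u"}, {}, None)))
```

Run against the four constructed cases it prints, in order, the "no credentials" case, "ad_user via environment", "ad_user via profile", and an incomplete parameter set missing password and subscription_id. When the real module reports AADSTS50126 instead, the lookup stage has already succeeded; the remaining question is whether the user, password and tenant it found are the ones Azure AD expects.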
Reputation: 3484
The error is "AADSTS50126 invalid username or password", so I would suggest you double-check and ensure that the username and password are correct for the managed domain to connect. If the issue still persists, then (AFAIK authentication mostly fails for federated Azure tenants, so) give it a try by resetting the password of the user and/or by setting tenant_id / tenant as well. A similar issue is raised here which you may check for future updates.
Hope this helps!!
Upvotes: 0