Ansible Tower: Dynamic Usernames
The slow drift toward the Red Hat Ansible Tower uncovers more and more compatibility issues, so I have to go back and revisit some decisions and make sure that the same code would fit both worlds.
Some six months ago, I posted a note on dynamic Ansible user configuration. The reason I have to do it: an independent set of credentials for the restricted environment, where the username is derived from the primary username. The solution works well with the Red Hat Ansible but has failed as part of the Ansible Tower workflow.
The error message suggested that I had neither an account nor private keys to access my targets, even though I configured the template with all the appropriate SSH keys and security settings. I haven't dwelt much on that problem, but after a while, my brain came up with the insight: "The user on the Tower machine is not necessarily the same user I use to log in to Ansible Tower."
Now everything has fallen into place, and with the extra variables populated for each job instance, I have fixed the job.
secured_servers:
  vars:
    ansible_user: "priv_{{ tower_user_name | default(lookup('env','USER')) }}"
  hosts:
    host1.secure.domain.com:
    host2.secure.domain.com:
...

The Ansible engine will try to use the tower_user_name variable to calculate the new credentials. If it is not an Ansible Tower job, it will use the username from the controller environment.
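A pre-flight play can confirm which name the expression in the inventory above actually resolved to before any SSH connection is attempted. This is an added example, not part of the original post; the `service_accounts` list and its entries (`awx`, `root`) are assumptions to adjust for your installation.

```yaml
# Added example: pre-flight check for the derived login name.
# Assumption: "awx" and "root" stand for OS accounts a job may run under on the
# controller; replace them with the accounts used in your installation.
- name: Verify the derived ansible_user before touching secured servers
  hosts: secured_servers
  gather_facts: false              # debug and assert run on the controller, no SSH needed
  vars:
    service_accounts: [awx, root]  # hypothetical deny-list
  tasks:
    - name: Show which source supplied the username
      ansible.builtin.debug:
        msg: >-
          ansible_user={{ ansible_user }}
          (source: {{ 'tower_user_name' if tower_user_name is defined
          else 'USER environment variable' }})
      run_once: true

    - name: Refuse an empty or service-account-derived username
      ansible.builtin.assert:
        that:
          # Fails on a bare "priv_", e.g. when the source variable is defined but empty.
          - ansible_user is match('^priv_[A-Za-z0-9._-]+$')
          # Fails when the fallback picked up the account the job process runs as.
          - ansible_user | regex_replace('^priv_', '') not in service_accounts
        fail_msg: >-
          ansible_user resolved to '{{ ansible_user }}'; the name was derived
          from the controller's OS account, not from the operator's login.
      run_once: true
```

Place it as the first play of the playbook so a wrong derivation stops the run with a clear message instead of an SSH authentication error.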