Ansible with api-key
Hello CheckMates,
Because I haven't found an answer on Google, or here using search, I decided to ask you about this.
I was wondering if it's possible to use api-key authorization with Ansible?
As we all know, the configuration in /etc/ansible/hosts looks like this:
[check_point]
10.0.0.1
[check_point:vars]
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=False
ansible_user=apiuser
ansible_password=s3cr3tp4$$word
ansible_network_os=check_point.mgmt.checkpoint
But....
How much prettier it would be if, instead of ansible_user + ansible_password, we could use something like ansible_api_key.
I haven't found that it is possible ... but maybe someone else has thought about this as well and ... just maybe there is a way?
--
Best
Marcin
Accepted Solutions
Ok, it looks like the mystery is solved!
Below I will write how to solve this issue.
Because I have Debian 11, I used the repository that is mentioned here:
https://docs.ansible.com/ansible/latest/installation_guide/installation_distros.html#installing-ansi...
And from that repository I installed Ansible.
It was, as you already saw in one of my previous posts, version 2.12.9 (core); later I upgraded it to 2.12.10.
Because @StuartGreen mentioned versions 2.13.3 and 2.13.4, which are not present in this repository, I decided to completely uninstall Ansible and reinstall it via pip3.
So I ended up with this:
pip3 install ansible
And it gave me:
# ansible --version
ansible [core 2.13.5]
And with this version I have no issue at all with ansible_api_key:
# ansible-playbook playbook_add.yaml
PLAY [playbook] ********************************************************************************************************
TASK [Gathering Facts] *************************************************************************************************
ok: [172.19.99.253]
TASK [add host] ********************************************************************************************************
changed: [172.19.99.253]
TASK [add host to group] ***********************************************************************************************
changed: [172.19.99.253]
TASK [publish] *********************************************************************************************************
changed: [172.19.99.253]
TASK [install policy] **************************************************************************************************
changed: [172.19.99.253]
PLAY RECAP *************************************************************************************************************
172.19.99.253 : ok=5 changed=4 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
# tail -n 10 /etc/ansible/hosts
[check_point]
172.19.99.253
[check_point:vars]
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=False
ansible_api_key=xj56ETO+ywCRwaoDgrFTQ==
ansible_network_os=check_point.mgmt.checkpoint
So case closed ... the solution was extremely easy ... if you know that you have to use the correct version 🙂
In Check Point's collection documentation it was only mentioned that the Ansible version has to be greater than 2.9.
So in case someone else has the same issue and is wondering how to solve it => use a different version of Ansible; in my case 2.13.5 did the trick.
Thanks @StuartGreen, @Omer_Kleinstern and @PhoneBoy for your feedback.
--
Best
Marcin
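As an added example, not taken from the post or from the check_point.mgmt collection's own documentation: the inventory above stores the API key in clear text in /etc/ansible/hosts, a file that on most systems is readable by every local account. The layout below keeps the same settings but moves the key into an ansible-vault encrypted file, turns certificate validation back on, and shows a playbook matching the five tasks in the play recap (add host, add host to group, publish, install policy). The host, object and policy-package names are placeholders, and the cp_mgmt_* parameters used are the basic ones from the collection; check them against the module documentation for your collection version.

```yaml
# inventory/hosts.yml  (YAML form of the INI inventory from the post; the key itself
# no longer lives here)
all:
  children:
    check_point:
      hosts:
        172.19.99.253:
      vars:
        ansible_network_os: check_point.mgmt.checkpoint
        ansible_httpapi_use_ssl: true
        # Validate the management server's certificate instead of switching checks off.
        # If the server uses a private CA, add that CA to the controller's trust store.
        ansible_httpapi_validate_certs: true

# inventory/group_vars/check_point/vars.yml  (plain; only references the vaulted value)
ansible_api_key: "{{ vault_ansible_api_key }}"

# inventory/group_vars/check_point/vault.yml
# Created with:  ansible-vault create inventory/group_vars/check_point/vault.yml
# and stored encrypted; its decrypted content is the single line below.
# Do NOT also define ansible_user / ansible_password anywhere for this group:
# if both reach the host, the plugin logs in with user + password instead of the key.
vault_ansible_api_key: "xj56ETO+ywCRwaoDgrFTQ=="   # placeholder value from the post

# playbook_add.yaml  (reconstruction of the five tasks in the play recap; assumed names)
- name: playbook
  hosts: check_point
  connection: httpapi
  tasks:
    - name: add host
      check_point.mgmt.cp_mgmt_host:
        name: web-01
        ip_address: 10.10.10.21
        state: present

    - name: add host to group
      check_point.mgmt.cp_mgmt_group:
        name: web-servers
        members:
          - web-01
        state: present

    - name: publish
      check_point.mgmt.cp_mgmt_publish:

    - name: install policy
      check_point.mgmt.cp_mgmt_install_policy:
        policy_package: standard
        targets:
          - gw-01
```

Run it with `ansible-playbook -i inventory playbook_add.yaml --vault-id @prompt`. To confirm that no stray ansible_user or ansible_password from another group_vars file, host_vars file or extra-vars is reaching the host (per Stuart's note in the thread, that makes the plugin ignore the key), inspect the merged variables with `ansible-inventory -i inventory --host 172.19.99.253 --yaml` before running the play.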
Hi @marcyn ,
Yes, it's possible to use api-key authorization with ansible.
Replace ansible_user + ansible_password with ansible_api_key.
Thanks,
Omer
Hi Omer,
Ah ... if only it were that easy ... I already tried that, of course 🙂
[check_point]
10.0.0.1
[check_point:vars]
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=False
#ansible_user=apiuser
#ansible_password=qwerty123
ansible_api_key=yfD6ETO+ywCRwaoDxIUkTQ==
ansible_network_os=check_point.mgmt.checkpoint
And the result:
# ansible-playbook playbook_add.yaml
PLAY [playbook] ************************************************************************************************************************************
TASK [Gathering Facts] *****************************************************************************************************************************
ok: [10.0.0.1]
TASK [add host] ************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ansible.module_utils.connection.ConnectionError: 'Connection' object has no attribute '_session_uid'
(...)
PLAY RECAP *****************************************************************************************************************************************
10.0.0.1 : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
If you are wondering if this api-key is valid ... here, take a look:
mgmt_cli --api-key "yfD6ETO+ywCRwaoDxIUkTQ==" -m 10.0.0.1 login
uid: "96259ea1-d710-422f-ba2f-b02bbe196489"
sid: "nF4D-VqA1h7J4vUIeM1gwSAARt7lQI52kdnvr6whesg"
url: "https://10.0.0.1:443/web_api"
session-timeout: 600
last-login-was-at:
posix: 1666349488319
iso-8601: "2022-10-21T12:51+0200"
api-server-version: "1.8"
user-name: "api"
user-uid: "dc0b1c70-5b38-4443-9e8c-0c42850c468d"
So yes ... it's valid 🙂
So again ... if it were that easy ... I probably wouldn't ask.
But maybe I'm doing something wrong ?
--
Best
Marcin
It's definitely supported and works fine. Which module version are you using? You can see it mentioned in the plugin here:
Make sure you're not sending a username and password somewhere else in your play as an additional variable as that will cause the plugin to ignore the API key.
Hi Stuart,
Yes, I've already seen the site that you just mentioned ... and it looks as if it should be supported ... but it doesn't work for me.
I have the newest Ansible and the newest Check Point module:
# ansible --version
ansible [core 2.12.9]
config file = /etc/ansible/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3/dist-packages/ansible
ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/bin/ansible
python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110]
jinja version = 2.11.3
libyaml = True
# head .ansible/collections/ansible_collections/check_point/mgmt/CHANGELOG.rst
==============================
Check_Point.Mgmt Release Notes
==============================
.. contents:: Topics
v4.0.0
======
And of course when I change /etc/ansible/hosts to use ansible_api_key ... I also comment out/remove ansible_user + ansible_password.
What's funny is that when I have this ansible_api_key in /etc/ansible/hosts it works "strangely", because Ansible starts with a "logout" command 🙂
# tail -f $FWDIR/log/api.elg
2022-11-02 17:00:58,049 INFO org.apache.cxf.interceptor.LoggingInInterceptor.log:250 [qtp1587849480-90] - Inbound Message
----------------------------
ID: 12199
Address: http://127.0.0.1:65456/web_api/logout
Encoding: UTF-8
Http-Method: POST
Content-Type: application/json
Headers: {accept-encoding=[identity], connection=[keep-alive], Content-Length=[2], content-type=[application/json], Host=[127.0.0.1:65456], User-Agent=[Ansible], X-Forwarded-For=[172.19.99.100], X-Forwarded-Host=[172.19.99.253:443], X-Forwarded-Host-Port=[443], X-Forwarded-Server=[172.19.99.253]}
Payload: {}
--------------------------------------
2022-11-02 17:00:58,049 ERROR com.checkpoint.management.web_api.core.cxf.interceptor.WebApiInInterceptorSessionValidator.handleMessage:31 [qtp1587849480-90] - Session validation has failed
(...)
ID: 12199
Response-Code: 400
Content-Type: application/json
Headers: {Content-Type=[application/json], Date=[Wed, 02 Nov 2022 16:00:58 GMT]}
Payload: {
"code" : "generic_err_missing_required_header",
"message" : "Missing header: [X-chkp-sid]"
}
No login first ... so it's not strange that the logout doesn't have a session id 🙂
And no entry at all in $FWDIR/log/api.csv ...
But with ansible_user + ansible_password:
2022-11-02 17:04:59,426 DEBUG com.checkpoint.management.web_api.core.cxf.interceptor.WebApiInInterceptorLoginValidator.handleMessage:32 [qtp1587849480-88] - Validating 'login' command of the version: [1.8]
2022-11-02 17:04:59,426 INFO org.apache.cxf.interceptor.LoggingInInterceptor.log:250 [qtp1587849480-88] - Inbound Message
----------------------------
ID: 12203
Address: http://127.0.0.1:65456/web_api/login
Encoding: UTF-8
Http-Method: POST
Content-Type: application/json
Headers: {accept-encoding=[identity], Authorization=[Basic YWRtaW46MXFhekBXU1g=], connection=[keep-alive], Content-Length=[41], content-type=[application/json], Host=[127.0.0.1:65456], User-Agent=[Ansible], X-Forwarded-For=[172.19.99.100], X-Forwarded-Host=[172.19.99.253:443], X-Forwarded-Host-Port=[443], X-Forwarded-Server=[172.19.99.253]}
(...)
ID: 12203
Response-Code: 200
Content-Type: application/json
Headers: {Content-Type=[application/json], Date=[Wed, 02 Nov 2022 16:05:00 GMT]}
Payload: {
"uid" : "2d35b5f9-2b61-4b75-9e6d-8ac8656d195f",
"sid" : "ad05d22ae40bc55426980e0a93b82433",
"url" : "https://172.19.99.253:443/web_api",
"session-timeout" : 600,
"last-login-was-at" : {
"posix" : 1667378605905,
"iso-8601" : "2022-11-02T09:43+0100"
},
"api-server-version" : "1.8",
"user-name" : "admin",
"user-uid" : "33efce7f-77bb-4874-859b-793b83190f48"
}
No issues at all 😉
And of course in $FWDIR/log/api.csv I see:
2022-11-02,17:07:06 +0100,"Ansible","172.19.99.100","172.19.99.253:443",login,PASSED,855
--
Best
Marcin
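The api.elg excerpts above show what the plugin does on the wire: the failing run's first request is POST /web_api/logout with an empty body and no X-chkp-sid header, which the server rejects with generic_err_missing_required_header, while the working run starts with POST /web_api/login. One way to check that the key itself logs in, independently of the httpapi plugin and of the Ansible version, is to drive that same exchange with ansible.builtin.uri. This is an added example, not part of the post; it assumes the check_point inventory group from the thread, an ansible_api_key variable, and the Management API's documented login, show-session and logout commands.

```yaml
# api_key_login_check.yaml  (added example; assumes the inventory from the thread)
- name: Exercise the Management API session protocol with the API key
  hosts: check_point
  connection: local        # talk to web_api directly, bypassing the httpapi plugin
  gather_facts: false
  vars:
    web_api: "https://{{ inventory_hostname }}/web_api"
    check_certs: "{{ ansible_httpapi_validate_certs | default(true) }}"
  tasks:
    - name: login with the API key (same as mgmt_cli --api-key ... login)
      ansible.builtin.uri:
        url: "{{ web_api }}/login"
        method: POST
        body_format: json
        body:
          api-key: "{{ ansible_api_key }}"
        validate_certs: "{{ check_certs }}"
      register: login
      no_log: true           # the response carries the sid; keep it out of the run log

    - name: a request without X-chkp-sid is rejected, as in the failing run above
      ansible.builtin.uri:
        url: "{{ web_api }}/show-session"
        method: POST
        body_format: json
        body: {}
        validate_certs: "{{ check_certs }}"
        status_code: 400     # expect generic_err_missing_required_header, not success
      register: no_sid

    - name: the same request with the session id succeeds
      ansible.builtin.uri:
        url: "{{ web_api }}/show-session"
        method: POST
        body_format: json
        body: {}
        headers:
          X-chkp-sid: "{{ login.json.sid }}"
        validate_certs: "{{ check_certs }}"
      register: session

    - name: report which administrator the key authenticated as
      ansible.builtin.debug:
        msg: >-
          api-key login as {{ login.json['user-name'] }};
          show-session without sid returned {{ no_sid.json.code | default(no_sid.status) }};
          show-session with sid returned HTTP {{ session.status }}

    - name: logout so the session does not linger until session-timeout expires
      ansible.builtin.uri:
        url: "{{ web_api }}/logout"
        method: POST
        body_format: json
        body: {}
        headers:
          X-chkp-sid: "{{ login.json.sid }}"
        validate_certs: "{{ check_certs }}"
```

If the first task fails, the key or its permissions are the problem rather than the plugin; drop `no_log: true` temporarily to see the server's error body. A successful run also leaves a login row in $FWDIR/log/api.csv, which the failing plugin run above never produced.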
This feels a little like a weird problem I encountered recently where Ansible wasn't sending the domain parameter in the login request. The 'solution' (which I'm not 100% convinced is actually addressing the root of the problem) was to roll back to the previous version of ansible-core (2.13.3 worked for me, 2.13.4 did not, but with a completely different user on the same Ubuntu host both versions worked).
What version/JHF is the management?
Hi Stuart and PhoneBoy,
I will try an older version of Ansible ... it would be strange if that fixed the issue ... but I will give it a try.
Regarding the SMS, it's R81.10 Take 66, but I can update it (it's a lab environment) to Take 78 and take a look.
--
Best
m.