AWX/AAP

Last modified by Tomas Terälä on 2025/06/05 11:01

Using Azure Key Vault with AWX/AAP

(For simplicity, AWX/AAP is replaced by AWX, but as AWX is the upstream of AAP, the two are generally interchangeable).

TL;DR

Information

Inside Azure, a Service Principal with at least the role Key Vault Secrets User for a Key Vault is required. Then a Credential that describes the access to the Vault is created. This Credential can be used to fill in forms for other types of credentials.


Authentication from AWX to Azure Key Vault requires a Service Principal. The Service Principal should also have access to the desired key vault, specifically the role of Key Vault Secrets User.

In AWX, go to Resources -> Credentials -> Add and select the Microsoft Azure Key Vault credential type.

Name: An identifier used within AWX to locate this Credential, for example the name of the Key Vault

Organization: The organization that should have access to this Credential

Credential type: Microsoft Azure Key Vault

Vault URL (DNS Name): From Azure: Vault URI

Client ID: AppID for the Service Principal

Client Secret: The Secret for the Service Principal

Tenant ID: The TenantID for the Service Principal

Cloud Environment: AzureCloud, unless otherwise specified

Working examples

Below is an example of a Credential that authenticates to a Key Vault.

[Image: 1739962999142-172.png]

Testing the credential

When in Edit mode, a Test button is displayed. By inputting the name of an existing Secret in the Key Vault, the connection can be tested. The possible results are:

Message: Explanation

Test passed: The credential works and the Secret exists.

ResourceNotFoundError: The credential works but the Secret does not exist. This could also be because the Secret was created before the Service Principal was given access to the Vault.

ClientAuthenticationError: There is something wrong with the authentication information.

HTTPAccessError: Did you remember to add the role Key Vault Secrets User to the Service Principal?
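
The lookup behind the Test button can be reproduced outside AWX to tell a credential problem apart from an AWX problem. This is an added example, not part of the original page or of AWX: it uses only the Python standard library and assumes the AzureCloud endpoints and Key Vault REST API version 7.4. The mapping of HTTP status codes to the messages above, the function names and the KV_* environment variable names are assumptions.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Assumed mapping of Key Vault HTTP status codes to the messages listed above.
ROWS = {200: "Test passed", 401: "ClientAuthenticationError",
        403: "HTTPAccessError", 404: "ResourceNotFoundError"}

def error_code(body):
    """Pull the error code out of a login or Key Vault JSON error body."""
    try:
        err = json.loads(body).get("error")
    except (ValueError, AttributeError):
        return None
    return err.get("code") if isinstance(err, dict) else err

def classify(stage, status, body=""):
    """stage is "token" (login) or "secret" (Key Vault GET); returns (message, code)."""
    code = None if status == 200 else error_code(body)
    if stage == "token":  # a failed login means client ID, secret or tenant is wrong
        return ("token ok" if status == 200 else "ClientAuthenticationError"), code
    return ROWS.get(status, f"unexpected HTTP {status}"), code

def _call(req):
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def check_credential(vault_url, tenant, client_id, client_secret, secret_name):
    """Log in as the Service Principal, then request one Secret by name."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials",
        "client_id": client_id, "client_secret": client_secret,
        "scope": "https://vault.azure.net/.default"}).encode()
    login = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    status, body = _call(urllib.request.Request(login, data=form))
    if status != 200:
        return classify("token", status, body)
    token = json.loads(body)["access_token"]
    url = f"{vault_url.rstrip('/')}/secrets/{urllib.parse.quote(secret_name, safe='')}?api-version=7.4"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    return classify("secret", *_call(req))  # the secret value is never returned

if __name__ == "__main__":
    e = os.environ  # hypothetical variable names, not AWX settings
    print(check_credential(e["KV_URL"], e["KV_TENANT"], e["KV_CLIENT_ID"],
                           e["KV_CLIENT_SECRET"], e["KV_SECRET_NAME"]))
```

The second element of the result is the service's own error code, which helps when the message alone does not say which input is wrong.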

Using a defined Azure Key Vault

After you create a Microsoft Azure Key Vault type credential, you can enter the Azure Key Vault secrets into other credentials. The name of the key and optionally the version of the secret can be specified after clicking on the key icon.

Retrieving an Ansible vault password from Azure Key Vault

Let's say our repository contains an Ansible Vault file. The password for the vault can be retrieved from Azure Key Vault by clicking the key icon.

[Image: 1739965189551-529.png]

Now this Credential can be used in Templates and the required password will be retrieved from Azure Key Vault.

Retrieving Machine credentials from Azure Key Vault

The Credential can be used to retrieve usernames, passwords and SSH keys from the Azure Key Vaults.

[Image: 1739965720332-415.png]