Unable to run cyberark.conjur.conjur_host_identity role. #191

Open
1 task done
R3DRUN3 opened this issue Jun 13, 2023 · 1 comment

R3DRUN3 commented Jun 13, 2023

Summary

Unable to run cyberark.conjur.conjur_host_identity role.

Steps to Reproduce

  1. Create a conjur host-factory.
  2. Generate host factory token:
     conjur -i hostfactory create token -i ansible-test-factory --duration-days 2
  3. Export host factory token as env var.
  4. Run the playbook.

This is the playbook that I am using:

- hosts: localhost
  roles:
    - role: cyberark.conjur.conjur_host_identity
      conjur_appliance_url: 'https://conjur-lb.vsphere.playground.com'
      conjur_account: 'default'
      conjur_host_factory_token: "{{ lookup('env', 'HFTOKEN') }}"
      conjur_host_name: "{{ inventory_hostname }}"
      conjur_ssl_certificate: "{{ lookup('file', 'conjur-cert.cer') }}"
      conjur_validate_certs: yes

Expected Results

The playbook runs without errors.

Actual Results

The playbook fails; these are the logs:

PLAY [localhost] ***********************************************************************************************************************************************************************************

TASK [Gathering Facts] *****************************************************************************************************************************************************************************
ok: [localhost]

TASK [cyberark.conjur.conjur_host_identity : Check if /etc/conjur.identity already exists] *********************************************************************************************************
ok: [localhost] => {"changed": false, "stat": {"exists": false}}

TASK [cyberark.conjur.conjur_host_identity : Set fact "conjurized"] ********************************************************************************************************************************
ok: [localhost] => {"ansible_facts": {"conjurized": false}, "changed": false}

TASK [cyberark.conjur.conjur_host_identity : Ensure all required variables are set] ****************************************************************************************************************
skipping: [localhost] => (item=default)  => {"ansible_loop_var": "item", "changed": false, "false_condition": "item is undefined", "item": "default", "skip_reason": "Conditional result was False"}
skipping: [localhost] => (item=https://conjur-lb.vsphere.playground.com)  => {"ansible_loop_var": "item", "changed": false, "false_condition": "item is undefined", "item": "https://conjur-lb.vsphere.playground.com", "skip_reason": "Conditional result was False"}
skipping: [localhost] => (item=localhost)  => {"ansible_loop_var": "item", "changed": false, "false_condition": "item is undefined", "item": "localhost", "skip_reason": "Conditional result was False"}
skipping: [localhost] => {"changed": false, "msg": "All items skipped"}

TASK [cyberark.conjur.conjur_host_identity : Set fact "ssl_configuration"] *************************************************************************************************************************
ok: [localhost] => {"ansible_facts": {"ssl_configuration": true}, "changed": false}

TASK [cyberark.conjur.conjur_host_identity : Ensure all required ssl variables are set] ************************************************************************************************************
skipping: [localhost] => (item=-----BEGIN CERTIFICATE-----[certificate body omitted]-----END CERTIFICATE-----)  => {"ansible_loop_var": "item", "changed": false, "false_condition": "item is undefined", "item": "-----BEGIN CERTIFICATE-----[certificate body omitted]-----END CERTIFICATE-----", "skip_reason": "Conditional result was False"}
skipping: [localhost] => (item=True)  => {"ansible_loop_var": "item", "changed": false, "false_condition": "item is undefined", "item": true, "skip_reason": "Conditional result was False"}
skipping: [localhost] => {"changed": false, "msg": "All items skipped"}

TASK [cyberark.conjur.conjur_host_identity : Set fact "ssl file path"] *****************************************************************************************************************************
ok: [localhost] => {"ansible_facts": {"conjur_ssl_certificate_path": "/etc/conjur.pem"}, "changed": false}

TASK [cyberark.conjur.conjur_host_identity : Set fact "non ssl configuration"] *********************************************************************************************************************
skipping: [localhost] => {"changed": false, "false_condition": "not ssl_configuration", "skip_reason": "Conditional result was False"}

TASK [cyberark.conjur.conjur_host_identity : Warn against using insecure connection schemes] *******************************************************************************************************
skipping: [localhost] => {"false_condition": "not ssl_configuration"}

TASK [cyberark.conjur.conjur_host_identity : Ensure "conjur_host_factory_token" is set (if node is not already conjurized)] ************************************************************************
skipping: [localhost] => (item=<TOKEN-HERE>)  => {"ansible_loop_var": "item", "changed": false, "false_condition": "item is undefined", "item": "<TOKEN-HERE>", "skip_reason": "Conditional result was False"}
skipping: [localhost] => {"changed": false, "msg": "All items skipped"}

TASK [cyberark.conjur.conjur_host_identity : Create group conjur] **********************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Username and password must be provided.\n", "name": "conjur"}

PLAY RECAP *****************************************************************************************************************************************************************************************
localhost                  : ok=5    changed=0    unreachable=0    failed=1    skipped=5    rescued=0    ignored=0 

Reproducible

  • Always

Version/Tag number

ansible --version && echo " " && ansible-galaxy collection list | grep cyberark                                                                                                 

ansible [core 2.15.0]
  config file = None
  configured module search path = ['/Users/rago/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/Cellar/ansible/8.0.0/libexec/lib/python3.11/site-packages/ansible
  ansible collection location = /Users/rago/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.11.4 (main, Jun  7 2023, 00:42:15) [Clang 14.0.3 (clang-1403.0.22.14.1)] (/usr/local/Cellar/ansible/8.0.0/libexec/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True
 
cyberark.conjur               1.2.0  
cyberark.conjur               1.2.0  
cyberark.pas                  1.0.19

Environment setup

Ansible runs on local machine and conjur runs on remote VM (connection via VPN).

Additional Information

  • conjur is reachable from my local machine and I am able to retrieve secrets.
  • If I remove the conjur_ssl_certificate and conjur_validate_certs role variables (which are not mandatory!), the playbook fails with the following error:
fatal: [localhost]: FAILED! => {"msg": "'conjur_ssl_certificate' is undefined. 'conjur_ssl_certificate' is undefined"}
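
The loop-item lines in the log above echo the role's input values, including the certificate and the host factory token (shown as `<TOKEN-HERE>` in the post). As an added example, not part of the original issue or the collection's code: a Python filter that redacts those values from `ansible-playbook` output before it is shared. The sample log, its token and certificate body are constructed, and `SECRET_TASK_HINTS` is a hypothetical name.

```python
import re

# Hypothetical setting: substrings of task names whose loop items are secrets.
SECRET_TASK_HINTS = ("conjur_host_factory_token",)

TASK_RE = re.compile(r"^TASK \[(.*)\] \*+\s*$")
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)
ITEM_LABEL_RE = re.compile(r"\(item=.*\)(?=\s+=>)")
ITEM_JSON_RE = re.compile(r'("item":\s*")(?:[^"\\]|\\.)*(")')

# Constructed sample in the format of the log above; all values are made up.
SAMPLE_LOG = r'''TASK [cyberark.conjur.conjur_host_identity : Ensure all required ssl variables are set] ***
skipping: [localhost] => (item=-----BEGIN CERTIFICATE-----
AAAAconstructedAAAA
-----END CERTIFICATE-----)  => {"item": "-----BEGIN CERTIFICATE-----\nAAAAconstructedAAAA\n-----END CERTIFICATE-----", "skip_reason": "Conditional result was False"}
TASK [cyberark.conjur.conjur_host_identity : Ensure "conjur_host_factory_token" is set (if node is not already conjurized)] ***
skipping: [localhost] => (item=constructed-token-123)  => {"ansible_loop_var": "item", "item": "constructed-token-123", "skip_reason": "Conditional result was False"}
TASK [cyberark.conjur.conjur_host_identity : Create group conjur] ***
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Username and password must be provided.\n", "name": "conjur"}
'''


def sanitize(log):
    """Return (redacted_log, findings) for ansible-playbook stdout."""
    # PEM blocks can span lines in the loop label and be escaped in the JSON.
    log, pem_count = PEM_RE.subn("[REDACTED PEM]", log)
    findings = ["PEM block"] * pem_count
    out, task = [], ""
    for line in log.splitlines():
        header = TASK_RE.match(line)
        if header:
            task = header.group(1)
        elif any(hint in task for hint in SECRET_TASK_HINTS):
            # In these tasks the loop item itself is the secret value.
            line, a = ITEM_LABEL_RE.subn("(item=[REDACTED])", line)
            line, b = ITEM_JSON_RE.subn(r"\1[REDACTED]\2", line)
            if a or b:
                findings.append("loop item in task: " + task)
        out.append(line)
    return "\n".join(out), findings


if __name__ == "__main__":
    redacted, found = sanitize(SAMPLE_LOG)
    print(redacted)
    print(found)
```
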

R3DRUN3 commented Feb 14, 2024

Any news on this?
