
I have an Ansible playbook which connects to GCP using a service account (SA) and its JSON key file.

I have downloaded the JSON file to my local machine and provided its path as the value of "credentials_file". This works if I run the playbook from my local machine.

Now I want to run this playbook using AWX, and below are the steps I have done.

  1. Created a Credential.
     a. Credential Type: Google Compute Engine
     b. Name: ansible-gcp-secret
     c. Under Type Details, I uploaded the SA JSON file and it loaded the rest of the data, such as the SA email, project and RSA key.
  2. Created a project and synced my git repo, which has my playbook.
  3. Created a template to run my playbook. Now I am not sure how to use the GCP SA credentials in AWX to run my playbook. Any help or documentation would be greatly appreciated.

Below is an example of my playbook.

- name: Update Machine Type of GCE Instance
  hosts: localhost
  gather_facts: no
  connection: local

  vars:
    instance_name: ansible-test
    machine_type: e2-medium
    image: Debian GNU/Linux 11 (bullseye)
    zone: us-central1-a
    service_account_email: myuser@project-stg-xxxxx.iam.gserviceaccount.com
    # Local path to the SA key file; this is the value that has to come from AWX instead
    credentials_file: /Users/myuser/ansible/hackthonproject-stg-xxxxx-67d90cb0819c.json
    project_id: project-stg-xxxxx

  tasks:
    # The instance must be TERMINATED before its machine type can be changed
    - name: Stop (terminate) the instance
      google.cloud.gcp_compute_instance:
        name: "{{ instance_name }}"
        project: "{{ project_id }}"
        zone: "{{ zone }}"
        auth_kind: serviceaccount
        service_account_file: "{{ credentials_file }}"
        status: TERMINATED

1 Answer

Below are the steps we did.

  1. Created a credential type in AWX to pull the secrets from the vault. Let's say secret_type. This exposes an env key "vaultkv_secret".

  2. Created a secret to connect to the vault using a token, with type=HC Vault secret lookup, name=vault_token.

  3. Created another secret to pull the secret (kv type) from the vault, with type=custom_vault_puller (this uses the first secret created, "vault_token"). Let's say name=secret_for_template.

  4. Created a kv secret in the vault and provided the key and the JSON content as the value.

  5. Created a template, used the secret "secret_for_template", and provided the secret path and key.

    Now, when the template is run, the env var "vaultkv_secret" will have the content of the JSON file, and we can save that content as a file and use it as the file input to the GCP commands.

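The procedure in the answer, written out as an added example (not code from the original post or from AWX): a custom AWX credential type whose injector exposes the Vault-fetched key JSON as the env var vaultkv_secret, and a playbook that materializes that value into a private temp file only for the duration of the play. The field id vaultkv_secret, the credential type name, and the instance/project/zone values are assumptions taken from the question and answer; the AWX input/injector schema keys (fields, required, env) are AWX's own.

```yaml
# Added example, not from the original post. Assumes a custom AWX credential
# type (the answer calls it secret_type) whose injector sets env var
# "vaultkv_secret" to the service-account JSON pulled from Vault.

# --- AWX custom credential type: Input configuration ---
fields:
  - id: vaultkv_secret
    type: string
    label: GCP service account JSON
    secret: true        # encrypted at rest in AWX and masked in the UI/job output
    multiline: true
required:
  - vaultkv_secret

---
# --- AWX custom credential type: Injector configuration ---
env:
  vaultkv_secret: "{{ vaultkv_secret }}"

---
# --- Playbook run by the job template that has the credential attached ---
- name: Update machine type of a GCE instance with a key injected by AWX
  hosts: localhost
  gather_facts: no
  connection: local

  vars:
    instance_name: ansible-test        # assumed, from the question
    zone: us-central1-a
    project_id: project-stg-xxxxx
    sa_json: "{{ lookup('env', 'vaultkv_secret') }}"

  tasks:
    - name: Materialize the key only for the life of this play
      block:
        - name: Fail early if AWX did not inject the credential
          ansible.builtin.assert:
            that: sa_json | length > 0
            fail_msg: "vaultkv_secret is empty; attach the Vault-backed credential to the template"

        - name: Create a private temp file for the key (mkstemp, mode 0600)
          ansible.builtin.tempfile:
            suffix: -gcp-sa.json
          register: sa_tmp

        - name: Write the key; no_log keeps the JSON out of the job output
          ansible.builtin.copy:
            content: "{{ sa_json }}"
            dest: "{{ sa_tmp.path }}"
            mode: "0600"
          no_log: true

        - name: Stop (terminate) the instance
          google.cloud.gcp_compute_instance:
            name: "{{ instance_name }}"
            project: "{{ project_id }}"
            zone: "{{ zone }}"
            auth_kind: serviceaccount
            service_account_file: "{{ sa_tmp.path }}"
            status: TERMINATED
      always:
        - name: Remove the key file even if a task above failed
          ansible.builtin.file:
            path: "{{ sa_tmp.path }}"
            state: absent
          when: sa_tmp is defined and sa_tmp.path is defined
```

Two things worth knowing before copying this pattern. AWX custom credential types also support a file injector (a top-level file: template: "{{ vaultkv_secret }}" in the injector configuration, with the path available as {{ tower.filename }} for an env entry), which has AWX write and clean up the temp file itself, so the playbook never handles the key material. Separately, the built-in Google Compute Engine credential type the question already created does the same for the uploaded key: AWX writes it to a temporary file and exports its path as GCE_CREDENTIALS_FILE_PATH (with GCE_EMAIL and GCE_PROJECT alongside), so attaching that credential to the template and setting service_account_file: "{{ lookup('env', 'GCE_CREDENTIALS_FILE_PATH') }}" avoids the Vault round trip entirely.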