Integration of the community.general.proxmox inventory dynamic source into AAP2.5+
- Add a PVE/LDAP/etc. user.
- Add a permission for your tree (for the whole cluster, add it to "/").
- For the inventory sync, "PVEAuditor" is sufficient (read-only).
- If you want to use this user for automation tasks (create, edit, etc. VMs), you need higher permissions. You can separate those from your API token by using "Privilege Separation" on your API token.
- Add an API token for that user. Ensure "Privilege Separation" is enabled if you want to use this user for anything else.
- Click on Permissions.
- Add a permission for your tree (for the whole cluster, add it to "/").
- For the inventory, "PVEAuditor" is sufficient (read-only).

You can add another API token with higher permissions and encrypt that token for automation tasks.

Please note: The API token permissions cannot be higher than those of the user the token applies to.

Configure the inventory YAML like so:

```yaml
plugin: community.general.proxmox
url: https://proxmox.example.com
user: user@realm
token_id: idofyourtoken
token_secret: secret-of-your-token
validate_certs: true
want_facts: true
want_proxmox_nodes_ansible_host: false
exclude_nodes: true
```

- If in git, add git to Projects
- Add Project as source to your inventory
- Sync Source

Sadly, AAP2 doesn't allow using a vault secret to decrypt values in this inventory source. Therefore I created a read-only API token in this case. You should always use least privilege anyway, so this is great.
However, having a clear-text credential in git isn't great. I haven't found any workaround yet.
For your automation tasks, you can of course vault your API Access tokens accordingly, for anything that requires elevated rights.
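
Because the inventory token sits in git in clear text, it is worth confirming that it really is read-only. The following is an added example, not part of the original post: it checks the effective permissions Proxmox reports for the token (`GET /api2/json/access/permissions`) and lists anything beyond audit privileges. The function names, the sample responses and the rule "read-only means only `*.Audit` privileges" are assumptions of this example.

```python
import json
import ssl
import urllib.request


def non_audit_privileges(permissions):
    """Return {path: [privileges]} for every privilege that is not *.Audit.

    `permissions` is the "data" object of GET /api2/json/access/permissions:
    a map of ACL path -> {privilege: propagate flag}.
    Assumption: a read-only token (PVEAuditor) holds only "*.Audit" privileges.
    """
    findings = {}
    for path, privs in permissions.items():
        extra = sorted(p for p in privs if not p.endswith(".Audit"))
        if extra:
            findings[path] = extra
    return findings


def fetch_token_permissions(url, user, token_id, token_secret):
    """Ask Proxmox for the effective permissions of the token itself."""
    req = urllib.request.Request(
        f"{url.rstrip('/')}/api2/json/access/permissions",
        headers={"Authorization": f"PVEAPIToken={user}!{token_id}={token_secret}"},
    )
    # The default context verifies the certificate, matching validate_certs: true.
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)["data"]


# Constructed sample responses (not captured from a real cluster).
READ_ONLY = {"/": {"Datastore.Audit": 1, "Sys.Audit": 1, "VM.Audit": 1}}
TOO_BROAD = {
    "/": {"VM.Audit": 1, "VM.PowerMgmt": 1},
    "/vms/100": {"VM.Allocate": 1, "VM.Audit": 1},
}

if __name__ == "__main__":
    for name, sample in (("read-only", READ_ONLY), ("too broad", TOO_BROAD)):
        print(name, "->", non_audit_privileges(sample) or "OK")
```

Against a live cluster, pass the result of `fetch_token_permissions(...)` with the values from the inventory file to `non_audit_privileges`; an empty result means the committed token carries audit privileges only.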