Search code examples
linuxbashcurlrundeck

Rundeck trigger job via api without exposing script

Is there a way to permit a user to trigger a rundeck job via API without exposing the script? This seems to be the default in the HTTP reply I get from rundeck.

Example:

curl -X "POST" -H "Accept: application/json" -H "Content-Type: application/json" -H 'X-Rundeck-Auth-Token: MYSECRET' https://RUNDECKSERVER.COM/api/43/job/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/run | jq

The reply I get from rundeck:

{
  "id": 64149,
  "href": "https://RUNDECKSERVER.COM/api/43/execution/64149",
  "permalink": "https://RUNDECKSERVER.COM/project/test-project/execution/show/64149",
  "status": "running",
  "project": "test-project",
  "executionType": "user",
  "user": "test_user",
  "date-started": {
    "unixtime": 1677504479271,
    "date": "2023-02-27T13:27:59Z"
  },
  "job": {
    "id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
    "averageDuration": 2487,
    "name": "Test job",
    "group": "",
    "project": "test-project",
    "description": "test",
    "href": "https://RUNDECKSERVER.COM/api/43/job/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
    "permalink": "https://RUNDECKSERVER.COM/project/test-project/job/show/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
  },
  "description": "#!/bin/bash\r\n\r\necho \"this is just\"\r\necho \"a test\"",
  "argstring": null,
  "serverUUID": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}

The script behind the job is put in the description field by rundeck (for some reason).

"description": "#!/bin/bash\r\n\r\necho \"this is just\"\r\necho \"a test\""

I there a way how I can disable this behavior? Especially with larger scripts it makes it look very unprofessional. Also for security reasons I would like to keep it secret.

curl -X "POST" -H "Accept: application/json" -H "Content-Type: application/json" -H 'X-Rundeck-Auth-Token: MYSECRET' https://RUNDECKSERVER.COM/api/43/job/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/run | jq
Solution

  • The best way to call jobs from your applications is to use webhooks.

    Rundeck webhooks allows you to call jobs via POST calls without exposing that amount of information.

    1. Create a job and save it.
    2. Click on the Webhook page (left menu).
    3. Click on the "Create new webhook" blue button (bottom).
    4. Give it a name and click on the "handler configuration" tab.
    5. Click on the "Choose webhook plugin" menu and then, select "Run job".
    6. Select the job created in the first step, and save the webhook by clicking on the "Save" green button (up).
    7. Copy the webhook URL generated.

    Now, to call your job via webhooks just send a POST call to the webhook URL (step 7).

    curl -X POST http://localhost:4440/api/43/webhook/x4D4Rwh0xN1juNxw388RdyV3ri3cJIbS#MyWebhook

    Rundeck server answer:

    {"jobId":"c98ba2b4-f2a1-4627-b7d0-2574b13c05d7","executionId":"1"}