The preferred mechanism for authenticating with AWX and Red Hat Ansible Tower is by generating and storing an OAuth2.0 token. Tokens can be scoped for read/write permissions, are easily revoked, and are more suited to third party tooling integration than session-based authentication.
awx provides a simple login command for generating a personal access token from your username and password.
TOWER_HOST=https://awx.example.org \
TOWER_USERNAME=alice \
TOWER_PASSWORD=secret \
awx login
As a convenience, the awx login -f human command prints a shell-formatted token
value:
export TOWER_OAUTH_TOKEN=6E5SXhld7AMOhpRveZsLJQsfs9VS8U
By ingesting this token, you can run subsequent CLI commands without having to specify your username and password each time:
export TOWER_HOST=https://awx.example.org
$(TOWER_USERNAME=alice TOWER_PASSWORD=secret awx login -f human)
awx config
AWX and Red Hat Ansible Tower allow you to configure OAuth2.0 applications scoped to specific organizations. To generate an application token (instead of a personal access token), specify the Client ID and Client Secret generated when the application was created.
TOWER_USERNAME=alice TOWER_PASSWORD=secret awx login \
--conf.client_id <value> --conf.client_secret <value>
By default, tokens created with awx login are write-scoped. To generate
a read-only token, specify --scope read:
TOWER_USERNAME=alice TOWER_PASSWORD=secret \
awx login --conf.scope read
If you do not want or need to generate a long-lived token, awx allows you to specify your username and password on every invocation:
TOWER_USERNAME=alice TOWER_PASSWORD=secret awx jobs list
awx --conf.username alice --conf.password secret jobs list