Generating a Personal Access Token

The preferred mechanism for authenticating with AWX and Red Hat Ansible Tower is by generating and storing an OAuth2.0 token. Tokens can be scoped for read/write permissions, are easily revoked, and are more suited to third party tooling integration than session-based authentication.

awx provides a simple login command for generating a personal access token from your username and password.

    TOWER_USERNAME=alice \
    TOWER_PASSWORD=secret \
    awx login

As a convenience, the awx login -f human command prints a shell-formatted token value:


By ingesting this token, you can run subsequent CLI commands without having to specify your username and password each time:

export TOWER_HOST=
$(TOWER_USERNAME=alice TOWER_PASSWORD=secret awx login -f human)
awx config

Working with OAuth2.0 Applications

AWX and Red Hat Ansible Tower allow you to configure OAuth2.0 applications scoped to specific organizations. To generate an application token (instead of a personal access token), specify the Client ID and Client Secret generated when the application was created.

TOWER_USERNAME=alice TOWER_PASSWORD=secret awx login \
    --conf.client_id <value> --conf.client_secret <value>

OAuth2.0 Token Scoping

By default, tokens created with awx login are write-scoped. To generate a read-only token, specify --scope read:

    awx login --conf.scope read

Session Authentication

If you do not want or need to generate a long-lived token, awx allows you to specify your username and password on every invocation:

TOWER_USERNAME=alice TOWER_PASSWORD=secret awx jobs list
awx --conf.username alice --conf.password secret jobs list