Documentation

Authentication

Generating a Personal Access Token

The preferred mechanism for authenticating with AWX and Red Hat Ansible Automation Platform controller is by generating and storing an OAuth2.0 token. Tokens can be scoped for read/write permissions, are easily revoked, and are more suited to third party tooling integration than session-based authentication.

awx provides a simple login command for generating a personal access token from your username and password.

CONTROLLER_HOST=https://awx.example.org \
    CONTROLLER_USERNAME=alice \
    CONTROLLER_PASSWORD=secret \
    awx login

As a convenience, the awx login -f human command prints a shell-formatted token value:

export CONTROLLER_OAUTH_TOKEN=6E5SXhld7AMOhpRveZsLJQsfs9VS8U

By ingesting this token, you can run subsequent CLI commands without having to specify your username and password each time:

export CONTROLLER_HOST=https://awx.example.org
$(CONTROLLER_USERNAME=alice CONTROLLER_PASSWORD=secret awx login -f human)
awx config

Working with OAuth2.0 Applications

AWX and Red Hat Ansible Automation Platform controller allow you to configure OAuth2.0 applications scoped to specific organizations. To generate an application token (instead of a personal access token), specify the Client ID and Client Secret generated when the application was created.

CONTROLLER_USERNAME=alice CONTROLLER_PASSWORD=secret awx login \
    --conf.client_id <value> --conf.client_secret <value>

OAuth2.0 Token Scoping

By default, tokens created with awx login are write-scoped. To generate a read-only token, specify --scope read:

CONTROLLER_USERNAME=alice CONTROLLER_PASSWORD=secret \
    awx login --conf.scope read

Session Authentication

If you do not want or need to generate a long-lived token, awx allows you to specify your username and password on every invocation:

CONTROLLER_USERNAME=alice CONTROLLER_PASSWORD=secret awx jobs list
awx --conf.username alice --conf.password secret jobs list