Ansible AWX - OAuth2 Tokens

Note. The following steps require admin level permissions.

Creating a new OAuth2 access token

Login to the AWX container.

Then run the following command.

awx-manage create_oauth2_token --user ${userid}

This command will generate a new token for a specified user.

Via the API

The API accessible via http://<awx_server>/api/ can be also used to create an OAuth2 access token.

curl -H "Authorization: Bearer <existing oauth2 access token>"\
     -H http://<awx_server>/api/<version>/tokens/ \
     -H "Content-Type: Application/json" -d @payload.json

payload.json content:

{
    "description": "",
    "application": null,
    "scope": "write"
}

Via the UI

  • Login to AWX with admin permissions
  • Navigate to Users
  • Select the username you wish to create a token for
  • Click on tokens, then the green plus icon
  • Application can be left empty, input a description and select a scope <r/w>

Revoking tokens

awx-manage revoke_oauth2_tokens --user ${userid}

This command will revoke tokens assigned to a specified user.

OAuth2 Applications

If you are planning to create a client to connect to the AWS RESTful API, you will need to either first create an OAuth2 application or use an OAuth2 Token.

Each OAuth2 application is represented as a OAuth2 client on the AWX server.

One of the ways of creating an OAuth2 application is by invoking a HTTP POST to the following:

/api/v2/users/${userid}/applications

OR

api/v2/application

The payload sent should conform to the following JSON.

{
    "name": "client1",
    "description": "a test client",
    "client_type": "confidential",
    "redirect_uris": "",
    "authorization_grant_type": "password",
    "skip_authorization": false,
    "organization": 1
}

This will generate the following response.

 Note

Of significance are the OAuth2 relevant fields:

  • client_id
  • client_secret
{
    "id": 1,
    "type": "o_auth2_application",
    "url": "/api/v2/applications/1/",
    "related": {
        "named_url": "/api/v2/applications/client1++Default/",
        "tokens": "/api/v2/applications/1/tokens/",
        "activity_stream": "/api/v2/applications/1/activity_stream/"
    },
    "summary_fields": {
        "organization": {
            "id": 1,
            "name": "Default",
            "description": ""
        },
        "user_capabilities": {
            "edit": true,
            "delete": true
        },
        "tokens": {
            "count": 0,
            "results": []
        }
    },
    "created": "2020-03-02T10:04:40.303832Z",
    "modified": "2020-03-02T10:04:40.303929Z",
    "name": "client1",
    "description": "a test client",
    "client_id": "zzzzzzzzzzzzzzzzzzzzzzzz",
    "client_secret": "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz",
    "client_type": "confidential",
    "redirect_uris": "",
    "authorization_grant_type": "password",
    "skip_authorization": false,
    "organization": 1
}

 Note

The "tokens" field which will be used in the later section.

Application access rules

Access rules for applications are as follows:

  • System administrators can view and manipulate all applications in the system
  • Organization administrators can view and manipulate all applications belonging to Organization members
  • Other users can only view, update, and delete their own applications, but cannot create any new applications

Tokens, on the other hand, are resources used to actually authenticate incoming requests and mask the permissions of the underlying user.

There are two ways to create a token:

  1. POST to the /api/v2/tokens/ endpoint with application and scope fields to point to the related application and specify token scope
  2. POST to the /api/v2/applications/<pk>/tokens/ endpoint with the scope field (the parent application will be automatically linked)

https://docs.ansible.com/ansible-tower/latest/html/administration/oauth2_token_auth.html#ag-use-oauth-pat

I have used option 2 and invoked a HTTP POST to endpoint /api/v2/applications/1/tokens/ (this was taken from the earlier response when creating an OAuth2 application).

This will return the following response.

{
    "id": 3,
    "type": "o_auth2_access_token",
    "url": "/api/v2/tokens/3/",
    "related": {
        "user": "/api/v2/users/1/",
        "application": "/api/v2/applications/1/",
        "activity_stream": "/api/v2/tokens/3/activity_stream/"
    },
    "summary_fields": {
        "user": {
            "id": 1,
            "username": "admin",
            "first_name": "",
            "last_name": ""
        },
        "application": {
            "id": 1,
            "name": "client1"
        }
    },
    "created": "2020-03-02T10:20:59.448195Z",
    "modified": "2020-03-02T10:21:00.563793Z",
    "description": "",
    "user": 1,
    "token": "123",
    "refresh_token": "teree",
    "application": 1,
    "expires": "3019-07-04T10:20:59.380688Z",
    "scope": "write"
}

Personal Access Tokens

An easier way to request an OAuth2 token.

Invoke a HTTP POST to endpoint: /api/v2/users/<userid>/personal_tokens/

The payload should use the following format:

{
    "description":"Personal Tower CLI token", 
    "application":null, 
    "scope":"write"
}

OAuth2 Token expiry settings

Expiry settings for OAuth2 token’s can be modified via the UI.

  • Login to AWX as an admin user
  • Click on Settings > System

Refresh Token Expiration

The duration (in seconds) refresh tokens remain valid after the expiration of their associated access token.

Access Token Expiration

The duration (in seconds) access tokens remain valid since their creation.

Last updated on 2 Mar 2020
Published on 2 Mar 2020