Admin Password Rotation in AWX (Azure Key Vault)

We have an AWX platform (v23.9.0.60) hosted on an AKS cluster and deployed via a Helm chart. The admin password is stored in a Kubernetes secret (awx-admin-password). We would like to change the admin user’s password. Is updating the secret sufficient, or are any additional backend changes required?

Updating the Kubernetes secret alone will not change the AWX admin password. The secret is only read during the initial AWX deployment to set the password at first startup. After that, AWX stores the password as a hash in its own PostgreSQL database and does not watch the Kubernetes secret for changes.

To rotate the admin password in a running AWX instance on Kubernetes, the correct approach is to use the AWX management command directly in the task pod:

kubectl exec -it deployment/awx -n <namespace> -- awx-manage changepassword admin

This will prompt you for a new password and update it in the AWX database immediately.

If you want to integrate this with Azure Key Vault for automated rotation, the typical pattern is:

  1. Store the new password value in Key Vault
  2. Use an Azure Key Vault-triggered automation (Logic App, Function, or a pipeline step) to run the kubectl exec command above, pulling the new password value from Key Vault
  3. Optionally update the Kubernetes secret to keep it in sync, though AWX itself does not use it after bootstrap

The Kubernetes secret update is useful if you want a fresh AWX deployment to start with the correct password, but for rotating an existing running instance the management command is the only supported method.

If you are on a newer AWX Operator version (2.x+), you can also configure the awx-admin-password-secret reference in the AWX custom resource and trigger a reconcile, but this only takes effect if the operator is configured to re-apply credentials on reconciliation, which depends on your operator version.

Hi @RianKellyIT,
The AWX Operator version is 2.12.2. Could you elaborate on automatic reconcile of the AWX admin secret?

Thanks in advance.

You can reset the AWX admin password through the API, so make a playbook that:

  • Creates a new password in Key Vault
  • Updates the password through the API
  • Deletes the old admin password from Key Vault if the reset was successful

API call:
PATCH https://[hostname]/api/v2/users/[id]/
with body:
{ "password": "newpassword" }

See 12. AWX API Reference Guide — Ansible AWX community documentation for the API endpoint

The ID could be found with a call to https://[hostname]/api/v2/users/?username=admin.
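The API flow described in the post above, as an added example that is not part of the original post or of AWX itself: it looks up the user ID, stores the new password, sends the PATCH, and only retires the old Key Vault entry after the new password has authenticated. The `store_new` and `retire_old` hooks are hypothetical placeholders for the Key Vault write and cleanup, and `/api/v2/me/` is used as the verification call.

```python
import base64
import json
import secrets
import urllib.request


def awx_call(base, method, path, user, password, body=None):
    """Send one Basic-auth JSON request to the AWX API and return the decoded reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base + path, data=data, method=method)
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    req.add_header("Content-Type", "application/json")
    # urlopen verifies the TLS certificate by default and raises on 4xx/5xx.
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")


def rotate_admin_password(base, current, store_new, retire_old,
                          call=awx_call, username="admin"):
    """Rotate one AWX user's password and return the id of the updated user.

    store_new(value) and retire_old() are hypothetical caller-supplied hooks
    for the Key Vault write and the old-entry cleanup.
    """
    found = call(base, "GET", f"/api/v2/users/?username={username}",
                 username, current)
    if found.get("count") != 1:
        raise RuntimeError(f"expected exactly one user named {username!r}")
    user_id = found["results"][0]["id"]

    new = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    store_new(new)                   # vault first, so the value is never lost
    call(base, "PATCH", f"/api/v2/users/{user_id}/", username, current,
         {"password": new})

    # Prove the new credential works before the old vault entry is touched.
    me = call(base, "GET", "/api/v2/me/", username, new)
    if me.get("count") != 1 or me["results"][0]["id"] != user_id:
        raise RuntimeError("new password did not authenticate as the same user")
    retire_old()
    return user_id
```

If any step raises, `retire_old` is never reached, so the previous password stays recoverable from the vault and the password value itself is never written to logs or the command line.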

Hi @ildjarn,
I agree, the script should work. However, my concern is that we are using Kubernetes Key Vault to store the password. Can we automate that process—perhaps by using Azure Modules?

Could you elaborate on the difference between the kubectl method mentioned above and the script-based method?

You can use azure.azcollection.azure_rm_keyvaultsecret module – Use Azure KeyVault Secrets — Ansible Community Documentation for the keyvault part