Guidance on awx-cli authentication with azure sso

Hi, I have connected my AWX installation (version 23.4.0) to Azure AD single-sign-on. So far, this works perfectly in the browser.

Now, I would like to authenticate to awx-cli with my azure credentials… and I am failing badly.

What I did so far:

  • Added an additional client scope for azure-cli to the awx enterprise app in azure ✓
  • Login to the tenant with azure cli and the newly created scope with az login --scope api://$MYAPI/SCOPE --allow-no-subscriptions --tenant $MYTENANTID
  • Request a token from azure ad with az account get-access-token --scope api://$MYAPI/SCOPE --tenant $MYTENANTID
  • try to use awx https://$MYAWXHOST --conf.token $Token hosts list :x:
    The last step fails with “Valid credentials were not provided.”

Can anyone provide me with

  • feedback wether this is the right process at all?
  • resources with more guidance on this configuration?

Kind regards, Jörg

Hello @elfrinjo,

You’re on the right track. The way that AWX handles external authentication is that the Django auth_user entry doesn’t get created until you long in via the UI. So all authentication methods will require a one time UI login. After you long in via the UI and the entry is created you should be able to log in via the CLI. This could be considered a bug and if you’d like to work on closing this gap we would welcome PRs.