Guidance on awx-cli authentication with azure sso

elfrinjo · November 21, 2023, 1:41pm

Hi, I have connected my AWX installation (version 23.4.0) to Azure AD single-sign-on. So far, this works perfectly in the browser.

Now, I would like to authenticate to awx-cli with my azure credentials… and I am failing badly.

What I did so far:

Added an additional client scope for azure-cli to the awx enterprise app in azure ✓
Login to the tenant with azure cli and the newly created scope with az login --scope api://$MYAPI/SCOPE --allow-no-subscriptions --tenant $MYTENANTID ✓
Request a token from azure ad with az account get-access-token --scope api://$MYAPI/SCOPE --tenant $MYTENANTID ✓
try to use awx --conf.host https://$MYAWXHOST --conf.token $Token hosts list
The last step fails with “Valid credentials were not provided.”

Can anyone provide me with

feedback wether this is the right process at all?
resources with more guidance on this configuration?

Kind regards, Jörg

jmack · November 22, 2023, 7:58pm

Hello @elfrinjo,

You’re on the right track. The way that AWX handles external authentication is that the Django auth_user entry doesn’t get created until you long in via the UI. So all authentication methods will require a one time UI login. After you long in via the UI and the entry is created you should be able to log in via the CLI. This could be considered a bug and if you’d like to work on closing this gap we would welcome PRs.