When running infra.aap_configuration.hub_collection_remote I am getting an error.
Playbook task output:
msg: 'Authentication error: Invalid authentication credentials for /api/galaxy/_ui/v1/me/
(HTTP 401).'
aap_token is configured with a token from the admin user.
aap_hostname is configured with the gateway URL.
Other roles from infra.aap_configuration (controller settings, inventories, etc.) authenticate just fine against the same Automation Gateway. I am using Ansible Automation Platform 2.5 on OpenShift.
Installed collections:
Collection              Version
----------------------- ------------
ansible.controller      4.6.13
ansible.eda             2.8.0
ansible.hub             1.0.0
ansible.platform        2.5.20250528
awx.awx                 24.6.1
cloud.common            4.2.0
community.general       10.7.0
infra.aap_configuration 3.4.1
kubernetes.core         6.0.0
Variables for the role
---
hub_collection_remotes:
  - name: test
    url: https://console.redhat.com/api/automation-hub/content/published/
    auth_url: https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
    token: "{{ rh_token }}"
    tls_validation: false
    requirements:
      - name: ansible.platform
My playbook:
---
- name: Infra Dispatch role
  hosts: localhost
  connection: local
  gather_facts: false
  vars_files:
    - ../vaults/vault-{{ stage }}
  roles:
    - name: infra.aap_configuration.dispatch
I have run into essentially the same problem on OpenShift with AAP 2.6. Using the same admin user and token from CLI works just fine, but the same play as a job template to have AAP bootstrap itself fails to authenticate with the very same credential/authentication method.
My only difference is the URI path in the error message:
msg: "error: Error while getting server version: Invalid authentication credentials for /api/galaxy/ (HTTP 401)."
Edit: And just to confirm, authentication works on gateway_* and controller_* infra.aap_configuration.dispatch roles/tasks. I don’t have any EDA configuration as code to test, so I can’t confirm whether or not EDA has any similar authentication issue.
Seems to be that the issue is that the infra.aap_configuration.hub* roles aren’t passing the aap_token to the ah_token parameter, but then that might be specifically for hub tokens rather than platform tokens (even though all of the other ah_* options work with their aap_* alias). If the latter is the case, then the issue is with ansible.hub upstream.
In any case, I was able to work around this by providing the username and password in the Red Hat Automation Platform credential type (but not an OAuth token!), and use the following snippet to generate and set an aap_token variable. This ensured that the AAP_OAUTH_TOKEN environment variable was empty and unused by automation hub. This also removes the generated token automatically, since these will expire on their own eventually. (I think there’s a method for refreshing tokens instead of deleting/recreating them, but I don’t have a working sample for that.)
- name: Token checkout
  block:
    # Create a short-lived platform token from username/password
    - name: Retrieve OAUTH Token
      ansible.platform.token:
        # dispatch') }}"   <- the start of this line is missing from the post
        description: "Token for AAP CaC dispatch"
        scope: "write"
        state: present
        aap_hostname: "{{ aap_hostname }}"
        aap_username: "{{ aap_username }}"
        aap_password: "{{ aap_password }}"
        aap_validate_certs: "{{ aap_validate_certs }}"
      register: __alsac_aap__token
      when:
        - aap_hostname | length > 0
        - aap_username | length > 0
        - aap_password | length > 0
        - aap_token | length == 0
      check_mode: false

    # Expose the new token (and its id, for cleanup) to the dispatch role
    - name: Set aap_token
      ansible.builtin.set_fact:
        aap_token: "{{ __alsac_aap__token.ansible_facts.aap_token.token }}"
        aap_token_id: "{{ __alsac_aap__token.ansible_facts.aap_token.id }}"
        cacheable: false
      when:
        - aap_token | length == 0
        - __alsac_aap__token.ansible_facts.aap_token.token is defined
        - __alsac_aap__token.ansible_facts.aap_token.id is defined
      check_mode: false

    - name: Include infra.aap_configuration.dispatch role
      ansible.builtin.include_role:
        name: infra.aap_configuration.dispatch

  # Runs whether or not the block succeeded, so the token is always revoked
  always:
    - name: Remove OAUTH Token
      ansible.platform.token:
        existing_token_id: "{{ aap_token_id }}"
        state: absent
        aap_hostname: "{{ aap_hostname }}"
        aap_validate_certs: "{{ aap_validate_certs }}"
        aap_token: "{{ aap_token }}"
      register: __alsac_aap__token
      when: aap_token_id is defined
      check_mode: false
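
Added example, not part of either post above: a diagnostic play that requests the two hub paths from the 401 messages with the same aap_token under both Authorization schemes (Bearer, used for platform OAuth tokens, and Token, used for hub API tokens) and reports the HTTP status of each. It assumes aap_hostname includes the https:// scheme; the variable names hub_paths, auth_schemes and __probe are made up for this example.

```yaml
---
# Added diagnostic example, not from the thread.
# Assumes aap_hostname (with https://), aap_token and aap_validate_certs are set.
- name: Probe hub endpoints through the gateway
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    hub_paths:        # paths taken from the two 401 messages in this thread
      - /api/galaxy/
      - /api/galaxy/_ui/v1/me/
    auth_schemes:     # Bearer: platform OAuth token, Token: hub API token
      - Bearer
      - Token
  tasks:
    - name: Request each path with each Authorization scheme
      ansible.builtin.uri:
        url: "{{ aap_hostname | regex_replace('/+$', '') }}{{ item.0 }}"
        method: GET
        headers:
          Authorization: "{{ item.1 }} {{ aap_token }}"
        validate_certs: "{{ aap_validate_certs | default(true) }}"
        status_code: [200, 401, 403]   # record the answer instead of failing
      loop: "{{ hub_paths | product(auth_schemes) | list }}"
      register: __probe
      no_log: true                     # keep the token out of job output

    - name: Report which combinations the hub accepted
      ansible.builtin.debug:
        msg: "{{ item.item.0 }} with {{ item.item.1 }}: HTTP {{ item.status }}"
      loop: "{{ __probe.results }}"
      loop_control:
        label: "{{ item.item.0 }}"     # never print the full result item
```

Running it once from the CLI and once as a job template shows whether the same token is rejected only in one environment, and a 200 under only one scheme shows which kind of token the hub path accepts.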