Hello
I’m using awx collection to manage our AWX platform.
I have an issue when an organisation admin wants to create a user with tower_user.
He receives this error: "You don't have permission to POST to /api/v2/users/ (HTTP 403)." because he can't specify the organisation. The API call is not made at the organisation level.
Is there a workaround for an organisation admin to create a user using the awx collection?
Regards
Mickael
Hi Mickael
Are you trying to create a user in another organisation that the admin user is not part of? That is not allowed, as it’s considered a security loophole (that’s why you can’t specify an org)
Phil.
Hi
Here is a simple task showing what I am trying to do:
- name: AWX configuration
  hosts: localhost
  environment:
    TOWER_USERNAME: test
    TOWER_PASSWORD: testtest
    TOWER_HOST: https://XXXXXXXXX/
    TOWER_VERIFY_SSL: "false"
  collections:
    - awx.awx
    - community.general
  tasks:
    - name: Add tower user
      tower_user:
        username: jdoe
        password: foobarbaz
        email: jdoe@example.org
        first_name: John
        last_name: Doe
        state: present
I received this error:
TASK [Add tower user] ******************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "You don't have permission to POST to /api/v2/users/ (HTTP 403)."}
The user test is not a system administrator, but he is an organisation admin of a test organisation.
The module tower_user doesn't have any organisation parameter. It makes an API call to /api/v2/users/, and this API creates a user who is not a member of any organisation.
I would like our organisation admin to use awx.tower_user instead of the GUI, but it seems this is not possible.
Any idea ?
Regards
Mickael
I can't get environment to behave properly; this may be a bug or a design omission in the module.
Use a config file as per the module documentation and it’ll work.
Yes, it works as the admin user:
TASK [Add tower user] ******************************************************************************************************************************
changed: [localhost]
So I’m assuming the org admin role doesn’t have permissions to hit the API endpoint, only admin.
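For anyone landing on this thread with the same problem, here is an added example (not from the original posts, and not part of the awx.awx collection) of the workaround the thread points at: since tower_user always POSTs to the global /api/v2/users/ endpoint, which only a system administrator may use, an organisation admin can instead POST the same user fields to the organisation-scoped endpoint /api/v2/organizations/<id>/users/, which is what the GUI does when you add a user from inside an organisation. This assumes that endpoint accepts new-user fields for an org admin (it does on current AWX, but the thread itself does not confirm it), that the organisation is named "test" as in Mickael's description, and it keeps the placeholder host and credentials from his playbook. It uses ansible.builtin.uri rather than any collection module.

```yaml
# Added example: create a user as an organisation admin via the
# organisation-scoped endpoint instead of awx.awx.tower_user.
# Assumptions: org name "test", placeholder host and credentials from the thread,
# and that POST /api/v2/organizations/<id>/users/ creates-and-adds a new user.
- name: AWX configuration as organisation admin
  hosts: localhost
  gather_facts: false
  vars:
    awx_host: https://XXXXXXXXX          # placeholder, as in the original playbook
    awx_user: test                       # the organisation admin, NOT a system admin
    awx_pass: testtest
    org_name: test                       # assumed organisation name
    new_user:
      username: jdoe
      password: foobarbaz
      email: jdoe@example.org
      first_name: John
      last_name: Doe
  tasks:
    - name: Look up the organisation id by name
      ansible.builtin.uri:
        url: "{{ awx_host }}/api/v2/organizations/?name={{ org_name | urlencode }}"
        method: GET
        url_username: "{{ awx_user }}"
        url_password: "{{ awx_pass }}"
        force_basic_auth: true
        validate_certs: false            # mirrors TOWER_VERIFY_SSL=false; set true outside a lab
        return_content: true
      register: org_lookup

    - name: Fail early if the org is missing or not visible to this admin
      ansible.builtin.assert:
        that: org_lookup.json.count == 1
        fail_msg: "Organisation {{ org_name }} not found or not visible to {{ awx_user }}"

    - name: Check whether the user already exists (uri POST is not idempotent)
      ansible.builtin.uri:
        url: "{{ awx_host }}/api/v2/users/?username={{ new_user.username | urlencode }}"
        method: GET
        url_username: "{{ awx_user }}"
        url_password: "{{ awx_pass }}"
        force_basic_auth: true
        validate_certs: false
        return_content: true
      register: user_lookup

    - name: Create the user through the organisation-scoped endpoint
      ansible.builtin.uri:
        url: "{{ awx_host }}/api/v2/organizations/{{ org_lookup.json.results[0].id }}/users/"
        method: POST
        body_format: json
        body: "{{ new_user }}"
        url_username: "{{ awx_user }}"
        url_password: "{{ awx_pass }}"
        force_basic_auth: true
        validate_certs: false
        status_code: [201]               # anything else (e.g. 403) fails the task
      when: user_lookup.json.count == 0
      register: user_create
      no_log: true                       # the body carries the new user's password
```

Two caveats worth keeping in mind: the uri-based task has no state: present semantics, so the GET-before-POST check above stands in for the idempotency tower_user gives you, and the created user is scoped to that organisation only, which is exactly the restriction Phil describes (an org admin cannot create org-less users or users in organisations he does not administer).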