Using application auth tokens python sample?

Hi,

I'm trying to figure out how the token system works in AWX.

Thus far I was able to follow the flow:

1. login with user/password
2. grab token
3. use token subsequently for future operations

However, I can't find a way to bypass step 1 and use
client_id/client_secret instead, to be used with applications interacting
with AWX. Any pointers to sample code or more detailed docs? (I've gone
over
https://docs.ansible.com/ansible-tower/latest/html/administration/oauth2_token_auth.html
multiple times.)

Hey Dmitry,

Since you’re working with Python already, try out `pip install ansible_tower_cli`. It has a CLI-based and programmatic API for interacting with AWX and Tower installs, including support for obtaining and using an OAuth2 Personal Access Token.

```python
from collections import namedtuple
from requests.auth import HTTPBasicAuth
from tower_cli.api import client
from tower_cli.conf import settings

settings.host = 'https://example.awx.org'

def login(username, password):
    # Minimal request-like object so HTTPBasicAuth can fill in the Authorization header
    req = namedtuple('req', 'headers')({})
    HTTPBasicAuth(username, password)(req)
    # this step will cause the OAuth2 Token to be used for all subsequent
    # requests using tower_cli.api.client
    settings.oauth_token = client.post(
        '/users/{}/personal_tokens/'.format(username),
        data={"application": None, "scope": "write"},
        headers=req.headers
    ).json()['token']

login('username', 'password')
print(client.request('GET', '/api/v2/ping/').json())
```

https://github.com/ansible/tower-cli

Thanks for the quick response and sample code, Ryan. However, I am already
able to obtain *personal* tokens; I'm looking for a good example of
using application tokens utilizing things like client_id and
client_secret. Is it expected that a "special" user be created in Tower
whenever one needs applications accessing the API in Tower?

I'm basing my assumptions on experience with other products offering
token-based auth where a "service" token is not associated with any real
user, and is granted its own set of privileges.

Your sample code discards application-based tokens ("application": None).
Is there a better sample of using non-personal tokens?

Hi Dmitry,

Have you worked it out? I’m having the same issue.
I saw a question like yours in the Tower GitHub. The answer was that RBAC doesn’t allow user-independent tokens.
But the documentation states that an application could get a token on behalf of users. I thought there was a way to do it without user/password.

“You can only use the authorization code type to acquire an access token when using an application. When integrating an external webapp with Ansible Tower, that webapp may need to create OAuth2 Tokens on behalf of users in that other webapp. Creating an application in Tower with the authorization code grant type is the preferred way to do this because…” https://docs.ansible.com/ansible-tower/latest/html/administration/oauth2_token_auth.html#ag-use-oauth-pat

OAuth2 is frequently used to “bypass” authentication in apps so you don’t need to share your password with others, i.e. I log in to Spotify with my Facebook account, so I don’t have a password in Spotify and they have a limited view of my information on Facebook.

Well, if I need to pass a password to the app, then the application token (authorization code method) is useless in AWX. It would be the same as a PAT, just with a tag linking it to an application. I would expect that at least I could limit what an application can access, but I can’t. I can only limit how a token accesses all the resources the user accesses, with write or read privileges.
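
For reference, the authorization code grant quoted from the docs above, sketched as an added example (not code from this thread or from AWX): the web app sends the user to AWX to log in there, then trades the returned code for a token with its client_id/client_secret, and the token still belongs to the user who approved it. The `/api/o/authorize/` and `/api/o/token/` paths follow the AWX OAuth2 docs; the host, redirect URI, client values and function names are constructed placeholders, and a confidential client using HTTP Basic auth is assumed.

```python
import base64
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AWX = "https://awx.example.org"                 # constructed host
REDIRECT_URI = "https://webapp.example.org/cb"  # must match the Application's redirect URI


def authorize_url(client_id, state):
    """Step 1: URL the browser is sent to; the user logs in at AWX, not in the web app."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": REDIRECT_URI, "state": state})
    return f"{AWX}/api/o/authorize/?{query}"


def code_from_callback(callback_url, expected_state):
    """Step 2: accept the redirect only if `state` matches the one issued in step 1."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not started by this session")
    if "error" in params or "code" not in params:
        raise ValueError("authorization denied or code missing")
    return params["code"][0]


def token_request(client_id, client_secret, code):
    """Step 3: back-channel POST that exchanges the code; only the app's secret is sent."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "url": f"{AWX}/api/o/token/",
        "headers": {"Authorization": f"Basic {basic}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "data": urlencode({"grant_type": "authorization_code", "code": code,
                           "redirect_uri": REDIRECT_URI}),
    }


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)  # stored in the user's session by the web app
    print(authorize_url("CONSTRUCTED_CLIENT_ID", state))
    # Constructed callback, shaped like the redirect sent after the user approves
    cb = f"{REDIRECT_URI}?code=CONSTRUCTED_CODE&state={state}"
    req = token_request("CONSTRUCTED_CLIENT_ID", "CONSTRUCTED_SECRET",
                        code_from_callback(cb, state))
    print(req["url"], req["data"])  # send with requests.post(**req) against a real install
```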