awx.awx.tower_credential – create, update, or destroy Ansible Tower credential.


Note

This plugin is part of the awx.awx collection (version 17.0.1).

To install it use: ansible-galaxy collection install awx.awx.

To use it in a playbook, specify: awx.awx.tower_credential.


Synopsis

Parameters

Parameter Choices/Defaults Comments

authorize

boolean

  • no

  • yes

Should use authorize for net type.

Deprecated, please use inputs

authorize_password

string

Password for net credentials that require authorize.

Deprecated, please use inputs

become_method

string

Become method to use for privilege escalation.

Some examples are "None", "sudo", "su", "pbrun"

Due to become plugins, these can be arbitrary

Deprecated, please use inputs

become_password

string

Become password.

Use "ASK" and launch in Tower to be prompted.

Deprecated, please use inputs

become_username

string

Become username.

Use "ASK" and launch in Tower to be prompted.

Deprecated, please use inputs

client

string

Client or application ID for azure_rm type.

Deprecated, please use inputs

credential_type

string

Name of credential type.

Will be preferred over kind

description

string

The description to use for the credential.

domain

string

Domain for openstack type.

Deprecated, please use inputs

host

string

Host for this credential.

Deprecated, will be removed in a future release

inputs

dictionary

Credential inputs where the keys are var names used in templating. Refer to the Ansible Tower documentation for example syntax.

Any fields in this dict will take precedence over any fields mentioned below (e.g. host, username, etc.).

kind

string

  • aws
  • tower
  • gce
  • azure_rm
  • openstack
  • satellite6
  • rhv
  • vmware
  • aim
  • conjur
  • hashivault_kv
  • hashivault_ssh
  • azure_kv
  • insights
  • kubernetes_bearer_token
  • net
  • scm
  • ssh
  • github_token
  • gitlab_token
  • vault

Type of credential being added.

The ssh choice refers to a Tower Machine credential.

Deprecated, please use credential_type

name

string / required

The name to use for the credential.

new_name

string

Setting this option will change the existing name (looked up via the name field).

organization

string

Organization that should own the credential.

password

string

Password for this credential. ``secret_key`` for AWS. ``api_key`` for RAX.

Use "ASK" and launch in Tower to be prompted.

Deprecated, please use inputs

project

string

Project that should use this credential for GCP.

Deprecated, will be removed in a future release

secret

string

Secret token for azure_rm type.

Deprecated, please use inputs

security_token

string

STS token for aws type.

Deprecated, please use inputs

ssh_key_data

string

SSH private key content. To extract the content from a file path, use the lookup function (see examples).

Deprecated, please use inputs

ssh_key_unlock

string

Unlock password for ssh_key.

Use "ASK" and launch in Tower to be prompted.

Deprecated, please use inputs

state

string

  • present

  • absent

Desired state of the resource.

subscription

string

Subscription ID for azure_rm type.

Deprecated, please use inputs

team

string

Team that should own this credential.

tenant

string

Tenant ID for azure_rm type.

Deprecated, please use inputs

tower_config_file

path

Path to the Tower or AWX config file.

If provided, the other locations for config files will not be considered.

tower_host

string

URL to your Tower or AWX instance.

If value not set, will try environment variable TOWER_HOST and then config files

If value not specified by any means, the value of 127.0.0.1 will be used

tower_oauthtoken

raw

added in 3.7 of awx.awx

The Tower OAuth token to use.

This value can be in one of two formats.

A string which is the token itself (e.g. bqV5txm97wqJqtkxlMkhQz0pKhRMMX).

A dictionary structure as returned by the tower_token module.

If value not set, will try environment variable TOWER_OAUTH_TOKEN and then config files

tower_password

string

Password for your Tower or AWX instance.

If value not set, will try environment variable TOWER_PASSWORD and then config files

tower_username

string

Username for your Tower or AWX instance.

If value not set, will try environment variable TOWER_USERNAME and then config files

update_secrets

boolean

  • no
  • yes

true will always update encrypted values.

false will only update encrypted values if a change is absolutely known to be needed.

user

string

User that should own this credential.

username

string

Username for this credential. ``access_key`` for AWS.

Deprecated, please use inputs

validate_certs

boolean

  • no
  • yes

Whether to allow insecure connections to Tower or AWX.

If no, SSL certificates will not be validated.

This should only be used on personally controlled sites using self-signed certificates.

If value not set, will try environment variable TOWER_VERIFY_SSL and then config files


aliases: tower_verify_ssl

vault_id

string

Vault identifier.

This parameter is only valid if kind is specified as vault.

Deprecated, please use inputs

vault_password

string

Vault password.

Use "ASK" and launch in Tower to be prompted.

Deprecated, please use inputs



Notes

Note

  • Values given in inputs and in the other deprecated fields (such as tenant) replace the existing values. See the last 4 examples for details.
  • If no config_file is provided we will attempt to use the tower-cli library defaults to find your Tower host information.
  • config_file should contain Tower configuration in the following format:
      host=hostname
      username=username
      password=password


Examples

- name: Add tower machine credential
  tower_credential:
    name: Team Name
    description: Team Description
    organization: test-org
    credential_type: Machine
    state: present
    tower_config_file: "~/tower_cli.cfg"

- name: Create a valid SCM credential from a private_key file
  tower_credential:
    name: SCM Credential
    organization: Default
    state: present
    credential_type: Source Control
    inputs:
      username: joe
      password: secret
      ssh_key_data: "{{ lookup('file', '/tmp/id_rsa') }}"
      ssh_key_unlock: "passphrase"

- name: Fetch private key
  slurp:
    src: '$HOME/.ssh/aws-private.pem'
  register: aws_ssh_key

- name: Add Credential Into Tower
  tower_credential:
    name: Workshop Credential
    credential_type: Machine
    organization: Default
    inputs:
      ssh_key_data: "{{ aws_ssh_key['content'] | b64decode }}"
  run_once: true
  delegate_to: localhost

- name: Add Credential with Custom Credential Type
  tower_credential:
    name: Workshop Credential
    credential_type: MyCloudCredential
    organization: Default
    tower_username: admin
    tower_password: ansible
    tower_host: https://localhost

- name: Create a Vault credential (example for notes)
  tower_credential:
    name: Example password
    credential_type: Vault
    organization: Default
    inputs:
      vault_password: 'hello'
      vault_id: 'My ID'

- name: Bad password update (will replace vault_id)
  tower_credential:
    name: Example password
    credential_type: Vault
    organization: Default
    inputs:
      vault_password: 'new_password'

- name: Another bad password update (will replace vault_id)
  tower_credential:
    name: Example password
    credential_type: Vault
    organization: Default
    vault_password: 'new_password'

- name: A safe way to update a password and keep vault_id
  tower_credential:
    name: Example password
    credential_type: Vault
    organization: Default
    inputs:
      vault_password: 'new_password'
      vault_id: 'My ID'
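
The playbook below is an added example, not part of the module documentation. It combines the points made in the parameter table and the Notes: every credential field goes under inputs, an update sends the complete inputs dictionary because inputs replaces the stored values, and certificate validation stays on. The file vars/tower_secrets.yml, the tower_* variables, the username deploy and the host tower.example.com are assumptions made for the example.

```yaml
# Added example. vars/tower_secrets.yml, the tower_* variables, the
# username and tower.example.com are assumptions, not documented values.
- name: Manage Tower credentials without plaintext secrets
  hosts: localhost
  connection: local
  gather_facts: false
  vars_files:
    - vars/tower_secrets.yml   # hypothetical file encrypted with ansible-vault
  tasks:
    - name: Machine credential with all fields under inputs
      awx.awx.tower_credential:
        name: Workshop Credential
        organization: Default
        credential_type: Machine
        state: present
        inputs:
          username: deploy
          ssh_key_data: "{{ lookup('file', tower_ssh_key_path) }}"
          ssh_key_unlock: "{{ tower_ssh_key_passphrase }}"
          become_method: sudo
          become_password: ASK   # prompt at launch instead of storing it
        tower_host: https://tower.example.com
        tower_oauthtoken: "{{ tower_api_token }}"
        validate_certs: yes      # keep TLS certificate validation on
      no_log: true               # keep arguments and results out of logs

    - name: Rotate the Vault password and keep vault_id
      awx.awx.tower_credential:
        name: Example password
        organization: Default
        credential_type: Vault
        state: present
        update_secrets: yes      # always write the encrypted value
        # inputs replaces the stored values, so vault_id is sent again
        # together with the new password.
        inputs:
          vault_password: "{{ tower_new_vault_password }}"
          vault_id: My ID
        tower_host: https://tower.example.com
        tower_oauthtoken: "{{ tower_api_token }}"
        validate_certs: yes
      no_log: true
```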

Authors

  • Wayne Witzel III (@wwitzel3)

© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.11/collections/awx/awx/tower_credential_module.html