  1. Ansible Automation Platform RFEs
  2. AAPRFE-2107

Request to use service accounts client ID/secret on `ansible.controller.subscriptions` module


    • Feature Request
    • Resolution: Unresolved
    • Normal
    • None
    • 2.5
    • content
    • False
    • False

      • What is the nature and description of the request?

      The customer is encountering an issue with the `ansible.controller.subscriptions` module when attempting to use a Red Hat service account. Specifically, the module currently only supports authentication using a regular username and password. However, they would like to leverage a service account (client ID/secret) for this task to align with our organization's security policies and automation workflows.

      Officially, it is suggested to use a Red Hat or Red Hat Satellite username to get available subscriptions, or to upload a subscription manifest file on AAP:
      https://console.redhat.com/ansible/automation-hub/repo/published/ansible/controller/content/module/subscriptions/

      Below is the relevant portion of the Ansible task:

      ```
      # Red Hat account credentials are read from environment variables on the control node
      - name: Gather license info
        ansible.controller.subscriptions:
          username: "{{ lookup('ansible.builtin.env', 'LICENSE_USER') }}"
          password: "{{ lookup('ansible.builtin.env', 'LICENSE_PASSWORD') }}"
          controller_oauthtoken: "{{ aap_oauthtoken }}"
          controller_host: "https://{{ platform }}.apps.{{ cluster }}"
          validate_certs: false
        register: subscriptions
      ```

      When using a client ID/secret created for a Red Hat service account as the `username` and `password`, the task fails. However, it works correctly when using a normal Red Hat user account.

      • Why does the customer need this? (List the business requirements here)

      The customer requests that Red Hat add support for using service accounts (client ID/secret) in the `ansible.controller.subscriptions` module. This feature would enable us to:

      1. Enhance security by avoiding the use of personal user accounts for automation tasks.
      2. Align with best practices for service account usage in automated workflows.
      3. Simplify credential management for Ansible tasks.

      *Steps to Reproduce:*

      1. Create a service account in Red Hat with a client ID/secret.
      2. Attempt to use the service account credentials in the `ansible.controller.subscriptions` module as shown above.
      3. Observe that the task fails, while it works with a normal user account.

      *Expected Behavior:*

      The `ansible.controller.subscriptions` module should support authentication using service account credentials (client ID/secret) in addition to regular username/password authentication.

      *Additional Context:*

      This feature would be particularly useful for organizations that rely heavily on automation and need to adhere to strict security policies.


              rh-ee-rreed Ron Reed
              rhn-support-sdale Snehal Dale
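
The task from the report with a pre-flight check and log hygiene added, as an example that is not part of the original request or Red Hat's own code. It still authenticates with a regular username and password, the only method the report says works, and assumes the controller's certificate is trusted by the control node.

```yaml
# Added example (not from the original report).
# LICENSE_USER, LICENSE_PASSWORD, aap_oauthtoken, platform and cluster are the
# names used in the report; everything else is standard Ansible.

- name: Fail early if the license credentials are missing from the environment
  ansible.builtin.assert:
    that:
      # The env lookup yields an empty string when the variable is unset,
      # so an empty value is treated as "not provided".
      - lookup('ansible.builtin.env', 'LICENSE_USER') | length > 0
      - lookup('ansible.builtin.env', 'LICENSE_PASSWORD') | length > 0
    fail_msg: "LICENSE_USER and LICENSE_PASSWORD must be set on the control node"
    quiet: true

- name: Gather license info
  ansible.controller.subscriptions:
    username: "{{ lookup('ansible.builtin.env', 'LICENSE_USER') }}"
    password: "{{ lookup('ansible.builtin.env', 'LICENSE_PASSWORD') }}"
    controller_oauthtoken: "{{ aap_oauthtoken }}"
    controller_host: "https://{{ platform }}.apps.{{ cluster }}"
    # The report sets this to false; true keeps TLS verification on so the
    # account password and OAuth token are only sent to a verified controller.
    validate_certs: true
  register: subscriptions
  # Keep the module arguments (password, OAuth token) and the returned data
  # out of task output and callback logs, including on failure.
  no_log: true
```

With `no_log: true` a failed login shows only a censored result, so remove it temporarily in a controlled run when the module's error text is needed for troubleshooting.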