  1. Ansible Automation Platform RFEs
  2. AAPRFE-414

Fact driven authentication aka credential per host in an inventory

    • Feature Request
    • Resolution: Unresolved
    • Normal
    • 2.3
    • controller, core
      CI=Host in the following

      1.  What is the nature and description of the request?

      Currently, credentials are picked at the template level and all targets use the credential provided. The customer would like a new credential option in the template: when it is selected, a defined authentication fact associated with each inventory CI provides the name of the AAP credential to be used for that CI. As the playbook is processed and authentication occurs, AAP will pull the credential for that CI from the AAP credential store, based on the value of the authentication fact. This will allow different credentials to be used for each target.

      2.  Why does the customer need this? (List the business requirements here)

      The customer has strict password rotation requirements for their target CIs. The customer will create a credential in AAP for each CI (potentially greater than 15,000 CIs), for fact-driven authentication based on the CI name. They will then create the authentication fact on each CI via an ITSM tool, such as the ServiceNow inventory integration, with a value of the credential name in AAP (the server name). The password will be managed via an API call from their password management tool, so the password is only updated when it is time for rotation. By using this methodology, they reduce the hits to their password management tool, as there is no need to check out a password many times a day when the password does not change, and they add efficiency by allowing Ansible to simply decrypt the password for each CI from the existing AAP credential store database.

      AAP would need to support large numbers of credential objects, which will get cycled in smaller groups (200 - 500) based on password rotation requirements, so the API must perform well enough to support that volume of password updates.

      3.  How would you like to achieve this? (List the functional requirements here)

      4.  List any affected known dependencies: Doc, UI, etc.

      Integrations with ITSM and password management tools.

      5.  GitHub link, if any

            chadwickferman Chad Ferman
            rhn-support-tmanor Tom Manor