Configure Ansible Automation Platform to authenticate through service account credentials


Beginning with Ansible Automation Platform 2.5-13, the Red Hat Hybrid Cloud Console will deprecate basic authentication. If you use any services through the Hybrid Cloud Console, you must manually create a service account to use in place of basic authentication.

This article covers changes you must make if:

  • You use Red Hat automation analytics.
  • You are an administrator and want to use your service account to manage your subscriptions.

If you use Red Hat Insights to synchronize your inventory or for remediation, follow the steps in this Knowledgebase article: Support for token-based authentication via Service Account for Red Hat Insights in Ansible Automation Platform.

Why?

Red Hat puts customer security at the center of its products and services. Therefore, we are implementing token-based service accounts to replace basic authentication. Service accounts offer enhanced security features to better secure customer data.

Prerequisites

To successfully enable authentication with your service account credentials, you must have:

  • A service account created in the Hybrid Cloud Console, along with the client ID and client secret produced when you created the service account. Follow the procedure linked in Creating a service account to complete this prerequisite.
  • User access to modify the services being automated.

Creating a service account

First, follow the procedure for creating a service account in the Hybrid Cloud Console. When you complete the procedure, you will receive a client ID and client secret. Note that you will not see this information again, so be sure to save your client ID and client secret in a secure place.

Updating your analytics credentials on Ansible Automation Platform

If you use automation analytics to monitor your automation in the Hybrid Cloud Console, you must first grant your service account the correct access. Then, follow the steps below that correspond to your version of AAP.

Adding your service account to the automation analytics viewer user group

  1. Log in to the Red Hat Hybrid Cloud Console.
  2. From the Settings drop-down menu, select User Access.
  3. On the Identity and Access Management page, navigate to User Access > Groups.
  4. Click Create Group.
  5. Enter a group name and description, and then click Next.
  6. From the list, find the Automation analytics viewer group. Click the checkbox next to the group, and then click Next.
  7. Click Next again to skip the Add members step.
  8. In the dialog labeled Add service accounts, click the checkbox next to your service account, and then click Next.
  9. Review the details and click Submit.

If successful, you will see a message with the text "Success adding service account to group". Click Exit to complete the process.

If you are unable to complete this procedure, see Troubleshooting.

Analytics on Ansible Automation Platform 2.4

  1. From the navigation panel, select Settings > Miscellaneous Settings.
  2. Click Edit.
  3. In the field labeled Red Hat client ID for Analytics, enter the client ID you received when you created your service account.
  4. In the field labeled Red Hat client secret for Analytics, enter the client secret you received when you created your service account.
  5. Beneath Options, select the checkbox to Gather data for Automation Analytics.
  6. Click Save.

Analytics on Ansible Automation Platform 2.5

  1. From the navigation panel, select Settings > Automation Execution > System.
  2. Click Edit.
  3. In the field labeled Red Hat client ID for Analytics, enter the client ID you received when you created your service account.
  4. In the field labeled Red Hat client secret for Analytics, enter the client secret you received when you created your service account.
  5. Beneath Options, select the checkbox to Gather data for Automation Analytics.
  6. Click Save.

Test and Validate Configuration

After configuring the service account, run a test job to ensure everything is set up correctly.

  1. From the navigation panel, select Automation Execution > Jobs to launch a job.
  2. Monitor analytics at console.redhat.com to confirm that the data is being posted.

Updates to subscription management

When logging in, you can still enter your Red Hat username and password in the client ID and client secret fields, respectively, to find and add your subscription to your Ansible Automation Platform instance. However, if you have administrator privileges, you can also use your service account credentials to find and add your subscription.

In order to use your service account to manage your subscriptions, you must give your service account permission to access your subscriptions. You can do this by adding your service account to the Subscriptions viewer user group. Then, you can use your service account credentials to find and add your subscription.

Prerequisites

  • Administrative access to Ansible Automation Platform.

Adding your service account to the subscription viewer user group

  1. Log in to the Red Hat Hybrid Cloud Console.
  2. From the Settings drop-down menu, select User Access.
  3. On the Identity and Access Management page, navigate to User Access > Groups.
  4. Click Create Group.
  5. Enter a group name and description, and then click Next.
  6. From the list, find the Subscriptions viewer group. Click the checkbox next to the group, and then click Next.
  7. Click Next again to skip the Add members step.
  8. In the dialog labeled Add service accounts, click the checkbox next to your service account, and then click Next.
  9. Review the details and click Submit.

If successful, you will see a message with the text "Success adding service account to group". Click Exit to complete the process.

If you are unable to complete this procedure, see Troubleshooting.

Finding your subscription with your service account credentials

When you log in to Ansible Automation Platform for the first time, you will be asked to add your subscription information. Follow the instructions below to find your subscription using your service account credentials.

If you have already added your subscription, you can update your subscription details in the platform by navigating to Settings > Subscription > Edit subscription.

  1. Click the tab labeled Service Account / Red Hat Satellite.
  2. In the field labeled Client ID/Satellite Username, enter the client ID you received when you created your service account.
  3. In the field labeled Client secret/Satellite password, enter the client secret you received when you created your service account.
  4. Your subscription will appear in the list menu labeled Subscription. Select your subscription.
  5. Click Next.
  6. Check the box indicating that you agree to the End User License Agreement.
  7. Review your information and click Finish.

Troubleshooting

If you enter your client ID and client secret but are unable to locate your subscription, you may not have the correct permissions set on your service account. To remediate this issue, you have two options:

  • If you know who your organization administrator is, contact them with a request for access.
  • If you do not know who your organization administrator is, message the Virtual Assistant on console.redhat.com with the prompt “Who is my Org Admin,” and then follow the subsequent prompts. You can find the Virtual Assistant by clicking the red VA icon at the bottom right of the home screen on the Hybrid Cloud Console. The Virtual Assistant will then communicate with your organization administrator.

When requesting access, be prepared to give the following information so that your organization administrator can evaluate your request and make a determination.

  • Your account number and org ID, if known.
  • A clear description of the tasks you need to perform. In this case, you are requesting that your org admin grant your service account access to view subscriptions so that you can link the appropriate one to your AAP instance.
  • The specific permissions you believe are required. In this case, subscription viewer permission.

Important
Note the following when making your access request:

  • Be specific: clearly articulate the tasks you need to accomplish to ensure your org admin assigns the correct permissions.
  • Be patient: permission changes may take some time based on the Org Admin’s availability and existing workloads/priorities.
  • Be careful: elevated permissions come with increased responsibility. Please remember to adhere to all security best practices.
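
Before requesting access, it helps to confirm that the client ID and client secret themselves are accepted, so that a missing subscription can be attributed to permissions rather than to a mistyped secret. The following is an added example, not part of the original article or Red Hat's tooling. It assumes the Red Hat SSO token endpoint shown in the code, that the access token is a JWT, and the hypothetical environment variable names RH_CLIENT_ID and RH_CLIENT_SECRET.

```python
import base64, json, os, time
import urllib.error, urllib.parse, urllib.request

# Assumption: Red Hat SSO token endpoint for console service accounts
# (not given on this page; confirm against the service account documentation).
TOKEN_URL = ("https://sso.redhat.com/auth/realms/redhat-external"
             "/protocol/openid-connect/token")

def build_token_request(client_id, client_secret):
    """OAuth 2.0 client-credentials grant; the secret goes in the POST body only."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def jwt_claims(token):
    """Decode the JWT payload for inspection only (signature is NOT verified)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(status, body, now=None):
    """Map a token-endpoint reply to (verdict, detail)."""
    now = time.time() if now is None else now
    if status == 200 and "access_token" in body:
        # Credentials work; detail is the token lifetime left in seconds.
        return ("valid", int(jwt_claims(body["access_token"])["exp"] - now))
    if status in (400, 401) and body.get("error") in (
            "invalid_client", "unauthorized_client"):
        return ("bad_credentials", body.get("error_description", ""))
    return ("unexpected", f"HTTP {status}")

def check(client_id, client_secret):
    """Perform the live request and classify the outcome."""
    req = build_token_request(client_id, client_secret)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return diagnose(resp.status, json.load(resp))
    except urllib.error.HTTPError as err:
        try:
            return diagnose(err.code, json.load(err))
        except ValueError:  # non-JSON error page
            return diagnose(err.code, {})

if __name__ == "__main__":
    # Hypothetical variable names; read secrets from the environment, not argv.
    print(check(os.environ["RH_CLIENT_ID"], os.environ["RH_CLIENT_SECRET"]))
```

A "valid" verdict while Ansible Automation Platform still lists no subscription points to group membership on the service account rather than to the credentials.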
