Configure Ansible Automation Platform to authenticate through service account credentials
Table of Contents
- Why?
- Prerequisites
- Creating a service account
- Updating your analytics credentials on Ansible Automation Platform
- Adding your service account to the automation analytics viewer user group
- Configuring Analytics on Ansible Automation Platform 2.4
- Configuring Analytics on Ansible Automation Platform 2.5
If you use any services through the Hybrid Cloud Console, you must manually create a service account to use in place of basic authentication.
This article covers changes you must make if:
- You use Red Hat automation analytics.
- You are an administrator and want to use your service account to manage your subscriptions.
If you use Red Hat Insights to synchronize your inventory or for remediation, follow the steps in this Knowledgebase article: Support for token-based authentication via Service Account for Red Hat Insights in Ansible Automation Platform.
Note: Service account authentication does not affect or change the process for authenticating to automation hub required for syncing content.
Why?
Red Hat puts customer security at the center of its products and services. Therefore, we are implementing token-based service accounts, which offer enhanced security features to better secure customer data.
Prerequisites
To successfully enable authentication with your service account credentials, you must have:
- A service account created in the Hybrid Cloud Console, along with the client ID and client secret produced when you created the service account. Follow the procedure linked in Creating a service account to complete this prerequisite.
- User access to modify the services being automated.
Creating a service account
First, follow the procedure for creating a service account in the Hybrid Cloud Console. When you complete the procedure, you will receive a client ID and client secret. Note that you will not see this information again, so be sure to save your client ID and client secret in a secure place.
Updating your analytics credentials on Ansible Automation Platform
If you use automation analytics to monitor your automation in the Hybrid Cloud Console, you must first grant your service account the correct access. To do so, follow the steps below that correspond to your version of AAP.
Adding your service account to the automation analytics viewer user group
- Log in to the Red Hat Hybrid Cloud Console.
- From the Settings drop-down menu, select User Access.
- On the Identity and Access Management page, navigate to User Access > Groups.
- Click Create Group.
- Enter a group name and description, and then click Next.
- From the list, find the Automation analytics viewer group. Click the check-box next to the group, and then click Next.
- Click Next again to skip the Add members step.
- In the dialog labeled Add service accounts, click the check-box next to your service account, and then click Next.
- Review the details and click Submit.
If successful, you will see a message with the text "Success adding service account to group". Click Exit to complete the process.
Configuring Analytics on Ansible Automation Platform 2.4
Note: In AAP 2.4, you will only see the client ID and client secret fields if you are using controller version 4.5.24 or newer. Entering the client ID and client secret will not work in versions older than 4.5.24.
- From the navigation panel, select Settings > Miscellaneous Settings.
- Click Edit.
- In the field labeled Red Hat client ID for Analytics, enter the client ID you received when you created your service account.
- In the field labeled Red Hat client secret for Analytics, enter the client secret you received when you created your service account.
- Beneath Options, select the checkbox to Gather data for Automation Analytics.
- Click Save.
Configuring Analytics on Ansible Automation Platform 2.5
Note: In AAP 2.5, you will only see the client ID and client secret fields if you are using controller version 4.6.13 or newer. Entering the client ID and client secret will not work in versions older than 4.6.13.
- From the navigation panel, select Settings > Automation Execution > System.
- Click Edit.
- In the field labeled Red Hat client ID for Analytics, enter the client ID you received when you created your service account.
- In the field labeled Red Hat client secret for Analytics, enter the client secret you received when you created your service account.
- Beneath Options, select the checkbox to Gather data for Automation Analytics.
- Click Save.
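The version notes for AAP 2.4 and 2.5 can be checked before editing the settings, together with whether the client ID and client secret are accepted at all. The Python below is an added example, not Red Hat's code and not part of the original article. The minimum versions are the ones stated in the notes above; the token endpoint URL and all function names are assumptions that this article does not give.

```python
import json
import re
import urllib.parse
import urllib.request

# Minimum controller versions from the notes above, keyed by controller release line.
MIN_CONTROLLER = {(4, 5): (4, 5, 24),   # AAP 2.4
                  (4, 6): (4, 6, 13)}   # AAP 2.5

# Assumption: Red Hat SSO token endpoint for service accounts; not given in this article.
TOKEN_URL = "https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token"


def parse_version(text):
    """Return (major, minor, patch) from strings such as '4.5.24' or '4.6.13-1.el9'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised controller version: {text!r}")
    return tuple(int(p) for p in m.groups())


def client_fields_supported(version_text):
    """True/False for the 4.5 and 4.6 lines; None when the article states no minimum."""
    version = parse_version(version_text)
    minimum = MIN_CONTROLLER.get(version[:2])
    return None if minimum is None else version >= minimum


def build_token_request(client_id, client_secret):
    """OAuth2 client-credentials request; the secret travels in the POST body, not the URL."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST")


def credentials_valid(client_id, client_secret, opener=urllib.request.urlopen):
    """Return True if the endpoint issues an access token for this service account."""
    try:
        with opener(build_token_request(client_id, client_secret), timeout=10) as resp:
            return "access_token" in json.load(resp)
    except OSError:  # HTTPError and URLError are subclasses (rejected credentials, no network)
        return False
```

Read the client secret from an environment variable or a secret store when calling `credentials_valid`, so that it does not end up in shell history or the process list.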
Configuring Analytics on Ansible Automation Platform 2.6
- From the navigation panel, select Settings > Automation Execution > System.
- Click Edit.
- In the field labeled Red Hat client ID for Analytics, enter the client ID you received when you created your service account.
- In the field labeled Red Hat client secret for Analytics, enter the client secret you received when you created your service account.
- Beneath Options, select the checkbox to Gather data for Automation Analytics.
- Click Save.
Test and Validate Configuration
After configuring the service account, run a test job to ensure everything is set up correctly.
- From the navigation panel, select Automation Execution > Jobs to launch a job.
- Monitor analytics at console.redhat.com to confirm that the data is being posted.
Updates to subscription management
When logging in, you can still enter your Red Hat username and password to find and add your subscription to your Ansible Automation Platform instance. However, if you have administrator privileges, you can also use your service account credentials to find and add your subscription.
To use your service account to manage your subscriptions, you must give it permission to access them. You can do this by adding your service account to the Subscriptions viewer user group. Then, you can use your service account credentials to find and add your subscription.
Prerequisites
- Administrative access to Ansible Automation Platform.
Adding your service account to the subscription viewer user group
- Log in to the Red Hat Hybrid Cloud Console.
- From the Settings drop-down menu, select User Access.
- On the Identity and Access Management page, navigate to User Access > Groups.
- Click Create Group.
- Enter a group name and description, and then click Next.
- From the list, find the Subscriptions viewer group. Click the check-box next to the group, and then click Next.
- Click Next again to skip the Add members step.
- In the dialog labeled Add service accounts, click the check-box next to your service account, and then click Next.
- Review the details and click Submit.
If successful, you will see a message with the text "Success adding service account to group". Click Exit to complete the process.
Finding your subscription with your service account credentials
When you log in to Ansible Automation Platform for the first time, you will be asked to add your subscription information. Follow the instructions below to find your subscription using your service account credentials.
If you have already added your subscription, you can update your subscription details in the subscription wizard by navigating to Settings > Subscription > Edit subscription.
- Click the tab labeled Service Account.
- In the field labeled Client ID, enter the client ID you received when you created your service account.
- In the field labeled Client secret, enter the client secret you received when you created your service account.
- Your subscription will appear in the list menu labeled Subscription. Select your subscription.
- Click Next.
- Check the box indicating that you agree to the End User License Agreement.
- Review your information and click Finish.
Note: If your subscriptions do not load, you may not have the correct permissions associated with your service account. To use this method, contact your console.redhat.com organization administrator to have the correct permissions added to your service account.
Additional Resources
See Attaching your Ansible Automation Platform subscription to your instance for other ways to attach your subscription.