External users are not able to create OAuth2 tokens on Ansible Tower.

Solution Verified - Updated -

Environment

  • Ansible Tower 3.8
  • Ansible Automation Platform 2.x

Issue

  • When an Ansible module that needs an OAuth2 token (for example a tower_* module handed a username and password instead of an existing token) runs as a user that comes from an external authentication provider (LDAP, SAML, SSO, RADIUS, and others), the task fails with the following message.

    TASK [tower_inventory] **************************************************************************************
    fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed to get token: HTTP Error 403: Forbidden", "response": "{\"detail\":\"(access_denied) OAuth2 Tokens cannot be created by users associated with an external authentication provider (ldap)\"}"}
    
  • OAuth2 Tokens cannot be created by users associated with an external authentication provider

Resolution

  • To change this behavior on Tower, enable the 'ALLOW EXTERNAL USERS TO CREATE OAUTH2 TOKENS' setting in the Ansible Tower settings:

    Settings > System > ALLOW EXTERNAL USERS TO CREATE OAUTH2 TOKENS > Toggle the button.
    
  • To change this behavior on the AAP Controller, enable the 'ALLOW EXTERNAL USERS TO CREATE OAUTH2 TOKENS' setting in the Ansible Controller settings:

    Settings > Miscellaneous Authentication > ALLOW EXTERNAL USERS TO CREATE OAUTH2 TOKENS > Toggle the button.
    
  • The same toggle is exposed in the REST API (/api/v2/settings/) and to the tower_settings / awx.awx.settings modules under the name ALLOW_OAUTH2_FOR_EXTERNAL_USERS, so it can be changed without the UI.
    
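The same check and change driven through the REST API, as an added example that is not part of this Red Hat solution or of the Ansible collections: it reads the toggle (ALLOW_OAUTH2_FOR_EXTERNAL_USERS is its API name), enables it, then requests a personal access token for an LDAP user the way the modules do and recognises the 403 quoted above. The host name, the environment variables, the TOWER_CA_BUNDLE variable and the sample response strings are assumptions or constructed data.

```python
"""Check/enable ALLOW_OAUTH2_FOR_EXTERNAL_USERS via the Tower/controller API.

Added example, not Red Hat's or the awx collection's code. Assumed: basic-auth
access to the API at TOWER_HOST, an admin account to flip the setting and an
external (LDAP) account to test with.
"""
import base64
import json
import os
import re
import ssl
import urllib.error
import urllib.request

# API name of the "ALLOW EXTERNAL USERS TO CREATE OAUTH2 TOKENS" toggle.
SETTING = "ALLOW_OAUTH2_FOR_EXTERNAL_USERS"
# Core of the "detail" string in the 403 body quoted in the article.
DENIAL_TEXT = ("OAuth2 Tokens cannot be created by users associated "
               "with an external authentication provider")


def denial_provider(status, body):
    """Return the provider named in the article's 403 (e.g. 'ldap'),
    or None when (status, body) is any other response."""
    if status != 403:
        return None
    try:
        detail = json.loads(body).get("detail", "")
    except (ValueError, AttributeError):
        return None  # not a JSON object: HTML error page, proxy reply, ...
    if DENIAL_TEXT not in detail:
        return None  # a different 403, e.g. plain RBAC denial
    match = re.search(r"\((\w+)\)\s*$", detail)  # trailing "(ldap)"
    return match.group(1) if match else "unknown"


def setting_enabled(settings_body):
    """Parse a GET /api/v2/settings/all/ body and report the toggle's state."""
    return bool(json.loads(settings_body).get(SETTING, False))


def patch_body(enable):
    """JSON body for PATCH /api/v2/settings/all/ that sets the toggle."""
    return json.dumps({SETTING: bool(enable)}).encode()


def api_request(base_url, user, password, path, method="GET", payload=None):
    """Call the REST API with HTTP basic auth. Returns (status, body_text)
    and turns HTTP error statuses into a return value instead of raising."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 data=payload, method=method)
    req.add_header("Authorization", "Basic " + cred)
    req.add_header("Content-Type", "application/json")
    # TOWER_CA_BUNDLE (assumed variable) points at the CA of a self-signed install.
    ctx = ssl.create_default_context(cafile=os.environ.get("TOWER_CA_BUNDLE"))
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def allow_external_tokens(base_url, user, password):
    """Enable the toggle if it is off. Returns True when a change was made."""
    status, body = api_request(base_url, user, password, "/api/v2/settings/all/")
    if status != 200:
        raise RuntimeError(f"GET settings failed: {status} {body[:200]}")
    if setting_enabled(body):
        return False
    status, body = api_request(base_url, user, password, "/api/v2/settings/all/",
                               method="PATCH", payload=patch_body(True))
    if status != 200:
        raise RuntimeError(f"PATCH settings failed: {status} {body[:200]}")
    return True


def create_token(base_url, user, password, description):
    """Create a personal access token for `user` (what a tower_* module does when
    given only a username/password). Raises PermissionError with the provider
    name when the article's 403 comes back."""
    body = json.dumps({"description": description, "scope": "write"}).encode()
    status, text = api_request(base_url, user, password, "/api/v2/tokens/",
                               method="POST", payload=body)
    provider = denial_provider(status, text)
    if provider:
        raise PermissionError(f"{user} is an external ({provider}) user; "
                              f"enable {SETTING} first")
    if status != 201:
        raise RuntimeError(f"token request failed: {status} {text[:200]}")
    return json.loads(text)["token"]


if __name__ == "__main__":
    # Placeholders; real values come from the environment.
    host = os.environ.get("TOWER_HOST", "https://tower.example.com")
    admin, admin_pw = os.environ["TOWER_ADMIN"], os.environ["TOWER_ADMIN_PASSWORD"]
    ext_user, ext_pw = os.environ["LDAP_USER"], os.environ["LDAP_PASSWORD"]
    if allow_external_tokens(host, admin, admin_pw):
        print(f"{SETTING} was off and is now on")
    create_token(host, ext_user, ext_pw, "ci-runner")
    print(f"token created for {ext_user}; revoke it when it is no longer needed")
```

Turning the toggle back off afterwards does not invalidate the token this script created, so pair the change with an explicit revocation (per user, or of all tokens) once the automation that needed it is finished.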

Root Cause

  • For security reasons, users from external auth providers (LDAP, SAML, SSO, RADIUS, and others) are not allowed to create OAuth2 tokens by default: a token is validated by Tower/the controller itself, not by the provider, so it keeps working after the account is disabled at the provider until it expires or is revoked. To change this behavior, enable the setting above. Existing tokens are not deleted when the setting is toggled off again; revoke them explicitly if they are no longer needed (for example with awx-manage revoke_oauth2_tokens --user <username> on the controller node).

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
