Skip to content

Improve the initialization of AAP 2.6 and add to template as well #305

New issue
New issue
Open
Open
Improve the initialization of AAP 2.6 and add to template as well#305
Labels
enhancementNew feature or requestnew
@rathbunr

Description

@rathbunr
rathbunr
opened on Dec 2, 2025

Is your feature request related to a problem? Please describe.

Not a problem, but an opportunity to improve the developer experience. Currently, API token setup for AAP 2.5+ requires manual steps before running config-as-code playbooks. Documenting the token retrieval process for the new Platform Gateway architecture would help users get started faster.

Describe the solution you'd like

Add documentation or a helper playbook demonstrating programmatic token retrieval for all three token types:

  1. Gateway token: POST /api/gateway/v1/tokens/ (basic auth)
  2. Hub token: POST /api/galaxy/v3/auth/token/ (Bearer token from step 1)
  3. Red Hat Console token: POST https://sso.redhat.com/... (service account credentials)

Example workflow:

# 1. Create Gateway token
curl -k -X POST -u 'admin:<password>' \
  https://<aap-gateway>/api/gateway/v1/tokens/ \
  -H "Content-Type: application/json" -d '{}'

# 2. Create Hub token (using Gateway token)
curl -k -X POST \
  -H "Authorization: Bearer <gateway-token>" \
  https://<aap-gateway>/api/galaxy/v3/auth/token/ \
  -H "Content-Type: application/json"

# 3. Get Red Hat Console token (for certified/validated content sync)
# Requires service account from console.redhat.com (Settings > Service Accounts)
curl -X POST https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token \
  -d "grant_type=client_credentials" \
  -d "scope=api.console" \
  -d "client_id=<service-account-client-id>" \
  -d "client_secret=<service-account-client-secret>"

Describe alternatives you've considered

Users can discover this through trial and error or by exploring the API browser. For the console token, users can manually generate an offline token from https://console.redhat.com/ansible/automation-hub/token, but the service account approach enables full automation.

Additional context

AAP 2.5+ API structure:

Service Endpoint Auth Header
Gateway /api/gateway/v1/ Bearer <token>
Controller /api/controller/v2/ Bearer <token>
Hub (Galaxy) /api/galaxy/v3/ Token <token>
EDA /api/eda/v1/ Bearer <token>
Red Hat Console console.redhat.com/api/automation-hub/ Bearer <token>

Tested on AAP 2.6 containerized installation (growth topology).

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestnew

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions