Ansible Tower / Automation Controller
Red HatCI/CD3 credentials
OAuth2 / Personal Access Token
ansible-tower / oauth2-token
Ansible Tower and Automation Controller support OAuth2 token authentication for API access. Tokens are used by CLI, API clients, and automation integrations instead of passwords.
Location
AuthorizationBearer token used for Automation Controller API requests
controller database tables storing OAuth applications and tokens
TOWER_OAUTH_TOKEN, CONTROLLER_OAUTH_TOKEN, AWX_TOKENawx CLI config, automation scripts, .env files, and CI manifests
CI/CD variables, credential stores, Kubernetes Secrets, and cloud secret managers
playbooks, tests, and committed API clients
API client traces and CI output
Notes
Token privileges follow the owning user, OAuth application, scopes, and RBAC configuration.
Administrator/User Password
ansible-tower / admin-user-password
Automation Controller users authenticate to the web UI and API through local, LDAP, SAML, or other configured authentication backends. Local admin credentials are created during installation or provisioning.
Location
controller database user tables and password verifier state for local accounts
Automation Controller UI and APIADMIN_PASSWORD, TOWER_ADMIN_PASSWORD, CONTROLLER_ADMIN_PASSWORDinstaller inventory secrets, Kubernetes Secrets, Ansible Vault, and password managers
installer inventories, playbooks, tests, and committed variables
installer logs, setup output, and authentication traces
Notes
There is no universal Tower administrator password; it is generated or set during deployment.
Stored Automation Credential
ansible-tower / stored-credential-secret
Automation Controller stores machine, SCM, cloud, vault, and custom credentials for use by jobs. Red Hat documentation covers secret handling for sensitive values in the controller.
Location
controller database storing encrypted credential fields
Ansible Vault, Kubernetes Secrets, external credential plugins, and cloud secret managers
installer inventory, controller settings, and credential plugin configuration
exported surveys, test fixtures, and accidentally committed inventories
job output, callback logs, and debugging traces if no_log is missing
Notes
Stored credentials may be SSH private keys, sudo passwords, cloud keys, SCM tokens, vault passwords, and arbitrary integration secrets.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.