Skip to main content

Overview

Credentials store authentication information for external services like cloud providers, SCM systems, machines, and vaults. Credential types define the schema for credential fields.

Endpoints

MethodEndpointDescription
GET/api/v2/credentials/List credentials
POST/api/v2/credentials/Create credential
GET/api/v2/credentials/{id}/Retrieve credential
PATCH/api/v2/credentials/{id}/Update credential
DELETE/api/v2/credentials/{id}/Delete credential
POST/api/v2/credentials/{id}/copy/Copy credential
POST/api/v2/credentials/{id}/test/Test external credential

List Credentials

curl -X GET \
  https://awx.example.com/api/v2/credentials/ \
  -H "Authorization: Bearer YOUR_TOKEN"

Create Credential

curl -X POST \
  https://awx.example.com/api/v2/credentials/ \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "AWS Production",
    "description": "AWS credentials for production",
    "organization": 1,
    "credential_type": 3,
    "inputs": {
      "username": "AKIAIOSFODNN7EXAMPLE",
      "password": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    }
  }'
name
string
required
Credential name
description
string
Credential description
organization
integer
Organization ID (null for personal credentials)
credential_type
integer
required
Credential type ID
inputs
object
required
Credential-specific input fields (varies by credential type)
The inputs object structure depends on the credential type. Use OPTIONS or GET credential_types to see required fields.

Retrieve Credential

curl -X GET \
  https://awx.example.com/api/v2/credentials/5/ \
  -H "Authorization: Bearer YOUR_TOKEN"

Response Schema

id
integer
Credential ID
name
string
Credential name
description
string
Credential description
organization
integer
Organization ID (null for personal)
credential_type
integer
Credential type ID
managed
boolean
Whether credential is managed (read-only if true)
inputs
object
Credential inputs (sensitive fields are encrypted)
kind
string
Human-readable credential kind
cloud
boolean
Whether this is a cloud credential
kubernetes
boolean
Whether this is a Kubernetes credential
related
object
Links to related resources:
  • organization - Parent organization
  • credential_type - Credential type details
  • owner_users - Users who own this credential
  • owner_teams - Teams who own this credential
  • activity_stream - Activity log
  • access_list - Access list
  • object_roles - Available roles
  • copy - Copy endpoint
  • input_sources - Input sources for external credentials

Update Credential

curl -X PATCH \
  https://awx.example.com/api/v2/credentials/5/ \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "description": "Updated description",
    "inputs": {
      "password": "newpassword"
    }
  }'
Managed credentials cannot be modified.

Delete Credential

curl -X DELETE \
  https://awx.example.com/api/v2/credentials/5/ \
  -H "Authorization: Bearer YOUR_TOKEN"

Credential Types

List Credential Types

curl -X GET \
  https://awx.example.com/api/v2/credential_types/ \
  -H "Authorization: Bearer YOUR_TOKEN"

Common Credential Types

Machine (SSH)

{
  "credential_type": 1,
  "inputs": {
    "username": "ansible",
    "password": "secret",
    "ssh_key_data": "-----BEGIN RSA PRIVATE KEY-----...",
    "become_method": "sudo",
    "become_username": "root",
    "become_password": "rootpass"
  }
}

Source Control (Git/SVN)

{
  "credential_type": 2,
  "inputs": {
    "username": "git_user",
    "password": "git_token",
    "ssh_key_data": "-----BEGIN RSA PRIVATE KEY-----..."
  }
}

Amazon Web Services

{
  "credential_type": 3,
  "inputs": {
    "username": "AKIAIOSFODNN7EXAMPLE",
    "password": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "security_token": "temporary-token"
  }
}

Vault

{
  "credential_type": 6,
  "inputs": {
    "vault_password": "vaultpass",
    "vault_id": "dev"
  }
}

Input Sources

List Input Sources

curl -X GET \
  https://awx.example.com/api/v2/credentials/5/input_sources/ \
  -H "Authorization: Bearer YOUR_TOKEN"
Input sources fetch credential data from external systems (CyberArk, Thycotic, HashiCorp Vault, etc.).

Test External Credential

curl -X POST \
  https://awx.example.com/api/v2/credentials/5/test/ \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "metadata": {
      "secret_path": "/path/to/secret"
    }
  }'

Owner Users

curl -X GET \
  https://awx.example.com/api/v2/credentials/5/owner_users/ \
  -H "Authorization: Bearer YOUR_TOKEN"

Owner Teams

curl -X GET \
  https://awx.example.com/api/v2/credentials/5/owner_teams/ \
  -H "Authorization: Bearer YOUR_TOKEN"

Object Roles

curl -X GET \
  https://awx.example.com/api/v2/credentials/5/object_roles/ \
  -H "Authorization: Bearer YOUR_TOKEN"
Available roles:
  • admin_role - Full credential administration
  • use_role - Use credential in jobs
  • read_role - View credential details

Copy Credential

curl -X POST \
  https://awx.example.com/api/v2/credentials/5/copy/ \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "AWS Production Copy"
  }'

Filtering

# By name
?name__icontains=aws

# By organization
?organization=1

# By credential type
?credential_type=3

# Cloud credentials only
?cloud=true

# Kubernetes credentials
?kubernetes=true

# By kind
?kind=ssh

Ordering

# By name
?order_by=name

# By type
?order_by=credential_type__name

# By creation date
?order_by=-created

Security

All sensitive credential fields are encrypted in the database.
The API shows encrypted values as $encrypted$. Actual values are never returned.
Users need the use role to use credentials in jobs, and admin role to view/edit them.
System-managed credentials (managed=true) cannot be modified or deleted.

Complete Example

import requests
import json

base_url = "https://awx.example.com/api/v2"
token = "YOUR_TOKEN"
headers = {
    "Authorization": f"Bearer {token}",
    "Content-Type": "application/json"
}

# Get machine credential type ID
types_response = requests.get(
    f"{base_url}/credential_types/?name=Machine",
    headers=headers
)
machine_type_id = types_response.json()['results'][0]['id']

# Create SSH credential
cred_data = {
    "name": "Production SSH",
    "description": "SSH access to production servers",
    "organization": 1,
    "credential_type": machine_type_id,
    "inputs": {
        "username": "ansible",
        "ssh_key_data": open('~/.ssh/id_rsa').read(),
        "become_method": "sudo"
    }
}

response = requests.post(
    f"{base_url}/credentials/",
    headers=headers,
    data=json.dumps(cred_data)
)

if response.status_code == 201:
    cred = response.json()
    print(f"Created credential {cred['id']}")
    print(f"Inputs (encrypted): {cred['inputs']}")
else:
    print(f"Error: {response.status_code}")
    print(response.json())

Build docs developers (and LLMs) love

Get started for freeTalk to us