Prerequisites
- A self-hosted AWX or Ansible Automation Platform (Controller/Tower) instance reachable from CloudThinker over HTTPS.
- An AWX user with access to the organizations and inventories CloudThinker should reach.
Setup
1
Sign in to AWX
Sign in to your AWX web interface. Use a dedicated user scoped to only the organizations and inventories CloudThinker needs.
2
Create an access token
Go to Access → Users, open your user, select the Tokens tab, and click Add:
- Application: leave empty
- Scope: Write for full operations, or Read for monitoring only
3
Add the connection in CloudThinker
Navigate to Connections → AWX and enter:
- TOWER_HOST: your AWX address, e.g.
https://awx.your-domain.com - TOWER_OAUTH_TOKEN: the token from the previous step
Connection details
Required permissions
What agents can do depends on the token scope.- Read — list jobs, inspect inventories, check project status, review schedules, and view configuration.
- Write — all read operations plus launching jobs, running ad-hoc commands, controlling running jobs, syncing projects, and managing hosts, groups, and schedules.
Agent capabilities
What agents can do depends on the token’s scope. Read — monitoring & inspection:
Write — adds operations (requires approval):
Administrative resources (organizations, teams, users, and RBAC) are out of scope for agent operations.
Verify the connection
Example prompts
Troubleshooting
Connection or authentication failed
Connection or authentication failed
Verify the AWX URL is reachable from CloudThinker over HTTPS. Confirm the token has not expired or been revoked — create a new token if needed and reconnect.
Permission denied
Permission denied
The token’s scope does not allow the requested action. Use a Write-scoped token for launch, sync, or management operations, and confirm the user has access to the target organization or inventory.
Empty results
Empty results
The token’s user lacks visibility into the requested resources. Grant access to the relevant organizations and inventories in AWX, then retry.
Security
- Least privilege — grant only the permissions the agents need for your use case; start read-only and widen later.
- Read-only by default — use read-only credentials unless you want agents to make changes through this connection.
- Rotate credentials — rotate keys and tokens on your normal schedule; CloudThinker picks up the new value when you update the connection.
- Revoke on offboarding — remove the credential at the provider when you delete a connection or a teammate leaves.
- Write scope only when needed — use a Read-scoped token for monitoring; only enable Write scope when agents need to launch or modify resources.
- HTTPS only — always use an HTTPS AWX URL; plaintext connections expose the access token.
Related
ArgoCD Connection
GitOps operations and application management
Jenkins Connection
CI/CD pipeline monitoring and job operations