Skip to main content
Connect your Ansible AWX server to enable CloudThinker agents to launch job templates, monitor jobs, manage inventories and hosts, sync projects, and orchestrate automation workflows. AWX authenticates with a user access token scoped to read or write operations.

Prerequisites

  • A self-hosted AWX or Ansible Automation Platform (Controller/Tower) instance reachable from CloudThinker over HTTPS.
  • An AWX user with access to the organizations and inventories CloudThinker should reach.

Setup

1

Sign in to AWX

Sign in to your AWX web interface. Use a dedicated user scoped to only the organizations and inventories CloudThinker needs.
2

Create an access token

Go to Access → Users, open your user, select the Tokens tab, and click Add:
  • Application: leave empty
  • Scope: Write for full operations, or Read for monitoring only
Copy the token — AWX shows it only once.
3

Add the connection in CloudThinker

Navigate to Connections → AWX and enter:
  • TOWER_HOST: your AWX address, e.g. https://awx.your-domain.com
  • TOWER_OAUTH_TOKEN: the token from the previous step
Click Connect. CloudThinker verifies the credentials and shows a Connected status.

Connection details


Required permissions

What agents can do depends on the token scope.
  • Read — list jobs, inspect inventories, check project status, review schedules, and view configuration.
  • Write — all read operations plus launching jobs, running ad-hoc commands, controlling running jobs, syncing projects, and managing hosts, groups, and schedules.
Use a Read-scoped token for monitoring only; add Write scope when agents need to launch or modify resources, and keep those actions approval-gated in CloudThinker.

Agent capabilities

What agents can do depends on the token’s scope. Read — monitoring & inspection: Write — adds operations (requires approval): Administrative resources (organizations, teams, users, and RBAC) are out of scope for agent operations.

Verify the connection

Example prompts


Troubleshooting

Verify the AWX URL is reachable from CloudThinker over HTTPS. Confirm the token has not expired or been revoked — create a new token if needed and reconnect.
The token’s scope does not allow the requested action. Use a Write-scoped token for launch, sync, or management operations, and confirm the user has access to the target organization or inventory.
The token’s user lacks visibility into the requested resources. Grant access to the relevant organizations and inventories in AWX, then retry.

Security

  • Least privilege — grant only the permissions the agents need for your use case; start read-only and widen later.
  • Read-only by default — use read-only credentials unless you want agents to make changes through this connection.
  • Rotate credentials — rotate keys and tokens on your normal schedule; CloudThinker picks up the new value when you update the connection.
  • Revoke on offboarding — remove the credential at the provider when you delete a connection or a teammate leaves.
  • Write scope only when needed — use a Read-scoped token for monitoring; only enable Write scope when agents need to launch or modify resources.
  • HTTPS only — always use an HTTPS AWX URL; plaintext connections expose the access token.

https://mintcdn.com/cloudthinker/aLd-ttc-SCW-aFky/images/icons/argocd.svg?fit=max&auto=format&n=aLd-ttc-SCW-aFky&q=85&s=34c7a30ed3772de41da3c56cb43396b3

ArgoCD Connection

GitOps operations and application management
https://mintcdn.com/cloudthinker/aLd-ttc-SCW-aFky/images/icons/jenkins.svg?fit=max&auto=format&n=aLd-ttc-SCW-aFky&q=85&s=871f9df2f5553b663f1b5c33f11bf5da

Jenkins Connection

CI/CD pipeline monitoring and job operations