CyberArk & Red Hat Ansible Tower – Integrating w/ Tower Out of the Box


    In this video, I will show you how to integrate Red Hat Ansible Tower v3.5.1 or above with CyberArk’s AAM Central Credential Provider (CCP) and Conjur Enterprise & Open Source. I will go over how to setup Ansible Tower’s access in both solutions, how to extend Role-Based Access Controls into Ansible Tower for Segregation of Duties between teams and how to extend that into CyberArk’s products.

    Playbooks Used:
    Red Hat Ansible:


    Previous articleComo monitorear Proxmox con Zabbix explicado paso a paso en español
    Next articleAnsible | How to copy files using Ansible Playbook | Linux Automation


    1. It was an nice demo Joe ,I have a query..if CCP & DAP both has ability to secure the secrets then in which area we can distinguish it..can we use only CCP for ansible integration to securely retrieve the password ,or do u think any other usecase that DAP only fit for ansible to retrieve the secrets..please suggest

    2. Hi Joe . excellent presentation and I am sure it will be very much useful. I have couple of queries

      1) Does it possible to configure access to AIM CCP from ansible tower through multiple jump servers. if direct connectivity from ansible tower to AIM CCP url is not allowed
      and if ues then iI how to do it
      2) How to setup client certification authentication in ansible tower as a part of cyberark credential config

    3. This was very helpful Joe, thank you! I have a question though, we are using CCP and we were able to test it out just fine with one host in inventory for a template. Now we have multiple (2) hosts in inventory which is selected for a specific template but it fails because of the "Object Query" selected to be "Exact" with the fields of Safe=SAFENAME;[email protected] is selective for one host in the inventory list and not the other host. I was reading documentation that this can change to be dynamic by changing the format from "Exact" to "Regexp"? I think this is what we are looking at where object name can dynamically be updated which will help limit the amount of credentials folks need to make. Do you have any info on this?