Ansible Tower & AWX

Running Ansible from the command line is perfectly fine for one engineer working alone. But when multiple engineers need to run playbooks, when non-technical stakeholders need to trigger deployments, when an organisation needs audit logs and role-based access control, and when playbooks need to run on schedules or in response to events — that is when Ansible Tower (the enterprise product) or AWX (the open-source upstream) becomes essential. This lesson gives you a practical understanding of what Tower and AWX provide and how to work with them.

Tower vs AWX: What Is the Difference

AWX is the open-source, community-supported project from which Ansible Tower is built. Tower is the Red Hat-supported enterprise product with additional features including high availability, compliance certifications, and commercial support agreements. Ansible Automation Platform is the broader enterprise offering that includes Tower, a private content hub, and event-driven automation.

For learning purposes, AWX provides all the core functionality of Tower for free. You can run AWX in Docker or Kubernetes. The concepts, API, and UI are nearly identical between AWX and Tower.

Core AWX/Tower Concepts

Organisations

The top-level organisational unit. All other objects (inventories, projects, credentials, job templates) belong to an organisation. In multi-team environments, separate organisations provide isolation between teams.

Inventories

Tower manages inventories through its web interface or API. Static inventories are defined directly in the UI. Dynamic inventories use credential-backed inventory sources that query cloud providers on demand. Tower's smart inventories filter and combine inventory sources using Boolean expressions.

Projects

A project is a link to an Ansible playbook repository — typically a Git repository (GitHub, GitLab, Bitbucket, or self-hosted). Tower automatically syncs the project when the branch is updated, making the latest playbooks available for execution. Project sync can be triggered manually, on a schedule, or via webhook on code push.

Credentials

Tower stores credentials (SSH keys, cloud provider API keys, Vault passwords, network device passwords) encrypted with AES in its database. Credentials are attached to job templates at configuration time, so operators who run jobs never see the underlying credential values. This separation of duties is a critical security control in enterprise environments.

Job Templates

A Job Template is a saved configuration for running a specific playbook: which inventory, which playbook, which credentials, which extra variables, which limit, and which tags. Job Templates are the primary interface through which operators trigger automation. A single template can be run repeatedly with consistent settings, and it produces an immutable job record every time it runs.

Workflows

Workflow Templates chain multiple Job Templates together with conditional branching — run Template A, and if it succeeds run Template B, but if it fails run Template C (the rollback). Workflows enable complex multi-stage deployments with automatic rollback without writing any code.

Installing AWX with Docker Compose

# Clone the AWX repository
git clone https://github.com/ansible/awx.git
cd awx

# Use the official installer
pip3 install ansible
ansible-playbook -i installer/inventory installer/install.yml

Alternatively, deploy AWX on Kubernetes using the AWX Operator:

kubectl apply -f https://raw.githubusercontent.com/ansible/awx-operator/main/deploy/awx-operator.yaml

After installation, AWX is accessible at http://your-server:80 with default credentials admin/password. Change the password immediately.

Setting Up a Job Template: Step by Step

  1. Create an Organisation: Resources → Organisations → Add
  2. Add a Credential: Resources → Credentials → Add → Machine credential type → upload SSH private key
  3. Add a Project: Resources → Projects → Add → Source Control Type: Git → paste your GitHub repository URL
  4. Create an Inventory: Resources → Inventories → Add → Add Hosts manually or configure a cloud source
  5. Create a Job Template: Resources → Templates → Add → Job Template → select Project, Playbook, Inventory, and Credentials
  6. Launch the Template: Click the rocket icon → confirm options → Launch

The Tower API

Every action in Tower's UI has an equivalent API call. This enables triggering deployments programmatically from CI/CD systems, monitoring tools, or custom scripts:

curl -X POST \
  https://tower.example.com/api/v2/job_templates/42/launch/ \
  -H "Authorization: Bearer your-token" \
  -H "Content-Type: application/json" \
  -d '{"extra_vars": {"version": "2.5.1", "environment": "production"}}'

The Tower API is comprehensive — you can create inventories, sync projects, retrieve job results, and manage every Tower resource programmatically. This API is how AWX/Tower integrates with Jira, ServiceNow, PagerDuty, and other enterprise tooling.
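
As an added example (not part of the original lesson or of the AWX project), the script below does what a CI/CD stage would do after the curl call above: launch the template, then poll the job record until it finishes. The TOWER_TOKEN variable name is a placeholder, and the response fields "id", "status" and "ignored_fields" are assumptions about the v2 API's JSON, so check them against your own instance.

```python
import json
import os
import time
import urllib.request

# Job states after which the job record no longer changes.
TERMINAL = {"successful", "failed", "error", "canceled"}

def build_request(base_url, path, token, payload=None):
    """Build an authenticated API request; refuse to send the token over plain HTTP."""
    if not base_url.startswith("https://"):
        raise ValueError("API token must only be sent over HTTPS")
    data = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data,
                                 method="GET" if data is None else "POST")
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    return req

def call(req, opener):
    """Send the request and decode the JSON body."""
    with opener(req, timeout=30) as resp:
        return json.load(resp)

def launch_and_wait(base_url, template_id, token, extra_vars,
                    opener=urllib.request.urlopen, poll_seconds=5, max_polls=120):
    """Launch a job template, then poll the job until it reaches a terminal state."""
    launched = call(build_request(base_url, f"/api/v2/job_templates/{template_id}/launch/",
                                  token, {"extra_vars": extra_vars}), opener)
    # Assumed field: "ignored_fields" lists inputs the template does not accept
    # at launch. The job is already queued without them, so fail the pipeline.
    if launched.get("ignored_fields", {}).get("extra_vars"):
        raise RuntimeError("template ignored extra_vars: %r" % launched["ignored_fields"])
    job_id = launched["id"]  # assumed field: id of the newly created job
    for _ in range(max_polls):
        status = call(build_request(base_url, f"/api/v2/jobs/{job_id}/", token), opener)["status"]
        if status in TERMINAL:
            return job_id, status
        time.sleep(poll_seconds)
    raise TimeoutError(f"job {job_id} still running after {max_polls} polls")

if __name__ == "__main__":
    # The token is read from the environment (placeholder name), never written
    # into the script or passed on the command line.
    job_id, status = launch_and_wait("https://tower.example.com", 42,
                                     os.environ["TOWER_TOKEN"],
                                     {"version": "2.5.1", "environment": "production"})
    raise SystemExit(0 if status == "successful" else 1)
```

The non-zero exit code on anything other than "successful" lets the calling pipeline stop on a failed or cancelled deployment.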

Role-Based Access Control

Tower implements fine-grained RBAC. Users can be granted roles at the object level:

  • Admin: Full control of the object
  • Use: Can use the credential or inventory in job templates
  • Execute: Can launch a job template
  • Read: Can view but not modify or use

A typical enterprise setup: junior engineers have Execute on staging job templates only; senior engineers have Execute on production templates; infrastructure architects have Admin on all resources.

Notifications

Tower can send notifications on job success, failure, or both through Slack, email, PagerDuty, Microsoft Teams, and custom webhooks. Configure notifications on job templates to ensure the right people are informed about deployment outcomes without monitoring the Tower UI manually.

Try This: Set Up AWX and Run Your First Job

Install AWX using Docker Compose on your lab control node. Create an Organisation, add your SSH credential, connect your GitHub repository as a Project, create an inventory with your three lab VMs, and create a Job Template pointing to your LAMP stack playbook. Launch the job and observe the real-time output in the Tower UI. Configure a Slack notification for job completion. This hands-on experience with the Tower workflow is directly applicable to enterprise Ansible environments.

Summary

Ansible Tower and AWX provide a centralised web interface and API for managing Ansible at enterprise scale. Core concepts include Organisations, Projects (Git-backed), Inventories, Credentials (encrypted), Job Templates (saved playbook configurations), and Workflows (multi-step conditional automation chains). RBAC controls who can run which automation. The Tower API enables integration with external tooling. AWX is the free open-source equivalent of Tower and is ideal for learning and small deployments.
