Network credential type

You can create Network credential types in automation controller to manage network devices that use Ansible networking modules.

Note

Select the Network credential type if you are using a local connection with provider to use Ansible networking modules to connect to and manage networking devices.

If you assign both a Machine credential and a Network credential to the same job template, automation controller injects them independently. The Machine credential controls SSH authentication, while the Network credential sets the ANSIBLE_NET_USERNAME and ANSIBLE_NET_PASSWORD environment variables.
  • For local connections using provider, credential type should be Network.
  • For all other network connections (httpapi, netconf, and network_cli), the credential type should be Machine.

    For more information about connection types available for network devices, see Multiple Communication Protocols.

    For information on combining credential types, see Using Machine and Network credentials together.

    Automation controller uses the following environment variables for Network credentials:

    ANSIBLE_NET_USERNAME
ANSIBLE_NET_PASSWORD

Provide the following information for network credentials:

  • Username: The username to use in conjunction with the network device.
  • Password: The password to use in conjunction with the network device.
  • SSH Private Key: Copy or drag-and-drop the actual SSH Private Key to be used to authenticate the user to the network through SSH.
  • Private Key Passphrase: The passphrase for the private key to authenticate the user to the network through SSH.
  • Authorize: Select this to control whether or not to enter privileged mode.

Access network credentials in an Ansible Playbook
Copy link

When using the Controller Access Network Credentials credential type, you can access the username and password parameters in your Ansible Playbook by using the following environment variables:

  • ANSIBLE_NET_USERNAME
  • ANSIBLE_NET_PASSWORD

You can get the username and password parameters from a job runtime environment:

vars:
  network:
    username: '{{ lookup("env", "ANSIBLE_NET_USERNAME") }}'
    password: '{{ lookup("env", "ANSIBLE_NET_PASSWORD") }}'

Multiple communication protocols
Copy link

Ansible network modules can communicate with network devices by using different protocols.

Because network modules run on the control node instead of on the managed nodes, they can support multiple communication protocols. The communication protocols (XML over SSH, CLI over SSH, or API over HTTPS) selected for each network module depend on the platform and the purpose of the module. Some network modules support only one protocol, while some offer a choice.

The most common protocol is CLI over SSH. You set the communication protocol with the ansible_connection variable:

Expand
Value of ansible_connection Protocol Requires Persistent?

ansible.netcommon.network_cli

CLI over SSH

network_os setting

yes

ansible.netcommon.netconf

XML over SSH

network_os setting

yes

ansible.netcommon.httpapi

API over HTTP/HTTPS

network_os setting

yes

local

depends on provider

provider setting

no

The ansible_connection: local is deprecated. Use one of the persistent connection types listed above instead. With persistent connections, you can define the hosts and credentials only once, rather than in every task. You must also set the network_os variable for the specific network platform you are communicating with.

Using Machine and Network credentials together
Copy link

You can assign both Machine and Network credentials to a single job template to manage network devices that require multi-hop SSH access, such as connecting through a jumphost.

About this task
Copy link

When you assign multiple credential types to a job template, {ControllerName} injects each credential into the job environment differently:

  • Machine credentials set the SSH username, password, and key used by Ansible Automation Platform to connect to hosts. These values are passed through the ansible -u flag and SSH authentication.
  • Network credentials set the ANSIBLE_NET_USERNAME and ANSIBLE_NET_PASSWORD environment variables, which Ansible Automation Platform networking modules use to authenticate to network devices.
Note
The credential type must match the connection type used by the network device:
  • For local connections using provider, use the Network credential type
  • For httpapi, netconf, and network_cli connections, use the Machine credential type, not the Network credential type.

Prerequisites

  • You have created a Machine credential for the jumphost or bastion host.
  • You have created a Network credential for the target network device (if using local connection with provider), or a second Machine credential (if using network_cli, netconf, or httpapi).
  • Your inventory is configured with appropriate connection variables, such as ansible_ssh_common_args for ProxyCommand settings

Procedure
Copy link

  1. From the navigation panel, select Automation execution > Templates.
  2. Create or edit a job template.
  3. In the Credentials field, select the Search icon icon.
  4. Add the Machine credential for the jumphost.
  5. Add the Network credential for the network device (or a second Machine credential, depending on your connection type).
  6. Configure your inventory or playbook variables with the appropriate SSH proxy settings. For example, to use a jumphost with ProxyCommand:
    ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q user@gateway.example.com"
  7. Click Save and then Launch template.

What to do next
Copy link

Verification

Review the job output to confirm that both credentials were injected and the playbook successfully authenticated to the target network devices through the jumphost.