Red Hat SummitClaims for workload identity
Ansible Automation Platform uses OpenID Connect (OIDC) and short-lived JSON Web Tokens (JWTs) with digitally signed claims to verify identity across systems. Understanding this claims structure allows you to create secure access control policies.
Example claims
Copy linkLink copied!
The example shows a JWT payload including standard and custom claim definitions describing an automation controller job.
{
"jti": "12345678-90ab-cdef-0808-aabbccddeeff",
"iss": "https://app.ansible.com/o",
"aud": "https://vault.example.com:8200",
"iat": 1234567890,
"exp": 1234567890,
"sub":
"workload_type:aap_controller_automation_job:organization:my-org:job_template:my-template",
"aap_controller_job_id": "42"
"aap_controller_job_name": "Deploy Web Server"
"aap_controller_job_type": "run"
"aap_controller_launch_type": "manual"
"aap_controller_playbook_name": "deploy.yml"
"aap_controller_launched_by_name": "alice"
"aap_controller_launched_by_id": "7"
"aap_controller_organization_name": "Default"
"aap_controller_organization_id": "1"
"aap_controller_inventory_name": "Production Inventory"
"aap_controller_inventory_id": "5"
"aap_controller_execution_environment_name": "Default EE"
"aap_controller_execution_environment_id": "3"
"aap_controller_project_name": "Infrastructure Project"
"aap_controller_project_id": "17"
"aap_controller_job_template_name": "Deploy Template"
"aap_controller_job_template_id": "21"
"aap_controller_unified_job_template_name": "Unified Deploy Template"
"aap_controller_unified_job_template_id": "55"
"aap_controller_instance_group_name": "Group 1"
"aap_controller_instance_group_id": "9"
}Standard Claims
Copy linkLink copied!
The following table shows the standard JWT claims.
Expand
| Claim | Value |
|---|---|
| j(Jti WT ID) | A unique identifier for each JWT. |
| iss (issuer) | The URL of the Ansible Automation Platform OIDC provider (for example, https://aap.example.com/o). |
| iat (issued at) | UNIX timestamp when the JWT was issued. |
| aud (audience) | The intended recipient of the JWT, such as a HashiCorp Vault instance. This is set to the value of the Vault Server URL. |
| exp (expiration) | UNIX timestamp that determines when the token expires. This is calculated based on the job’s configured timeout. The platform fallback defaults to 5 minutes (plus 1 minute for clock skew), and is configurable by administrators. |
| sub (subject) | Uniquely identifies the automation workload. It follows the format: workload_type:aap_controller_automation_job:organization:<org>:job_template:<template>. |
Custom claims
Copy linkLink copied!
The following table shows the Ansible Automation Platform custom claims that are included in JWT issued by Ansible Automation Platform.
These claims provide granular workload metadata, including organization, project, and inventory details. Custom claims are grouped into scope definitions. The platform currently defines an aap_controller_automation_job scope, which includes the following claims that describe an AAP Automation Controller Job workload.
| Claim | Value |
|---|---|
aap_controller_job_id |
Unique identifier of the controller job. |
aap_controller_job_name |
Name of the job template or project sync job being executed. |
aap_controller_job_type |
Type of job being performed, such as run or cleanup. |
aap_controller_launch_type |
How the job was initiated, such as manual, scheduled, webhook, or workflow. |
aap_controller_playbook_name |
Name of the playbook being executed in the job. |
aap_controller_launched_by_name |
Username or system entity name that initiated the job run. |
aap_controller_launched_by_id |
Unique identifier of the user or entity that launched the job. |
aap_controller_organization_name |
Name of the organization. |
aap_controller_organization_id |
Unique identifier of the organization. |
aap_controller_inventory_name |
Name of the inventory used in the job. |
aap_controller_inventory_id |
Unique identifier of the inventory used in the job. |
aap_controller_execution_environment_name |
Name of the execution environment used in the job. |
aap_controller_execution_environment_id |
Unique identifier of the execution environment used in the job. |
aap_controller_project_name |
Name of the project used in the job. |
aap_controller_project_id |
Unique identifier of the project used in the job. |
aap_controller_job_template_name |
Name of the job template used to launch the job. |
aap_controller_job_template_id |
Unique identifier of the job template used. |
aap_controller_unified_job_template_name |
Name of the unified job template used to launch the job. |
aap_controller_unified_job_template_id |
Unique identifier of the unified job template. |
aap_controller_instance_group_name |
Name of the instance group used in the job. |
aap_controller_instance_group_id |
Unique identifier of the instance group used in the job. |
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}