Red Hat SummitChapter 7. Deploying Ansible MCP server on Ansible Automation Platform
As an organization administrator, you can deploy an Ansible Model Context Protocol (MCP) server on an operator-based installation or container-based installation of Ansible Automation Platform 2.6. This functionality is available as a Technology Preview release.
7.1. Overview
Model Context Protocol (MCP) is an open standard that enables AI models to use external AI tools and services via a unified interface. Using the Ansible MCP server, you can connect your Ansible Automation Platform with your preferred external AI tool (such as Claude, Cursor, or ChatGPT). The AI tools can access key information about your Ansible Automation Platform environment and perform tasks. Ansible users can query information, execute workflows, and perform automation tasks using natural language prompts directly within their preferred AI tool.
Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
7.1.1. Benefits
The following are the benefits of the Ansible MCP server:
For external AI tools:
- Provides a standardized interface for securely querying infrastructure data and executing automation workflows within the Ansible Automation Platform.
- Enables agentic workflows to interact with the Ansible Automation Platform.
For Ansible users:
- Provides the ability to use the chatbot interface of their preferred external AI tool to get information about their Ansible Automation Platform environment, and run automation jobs directly through that tool.
For developers:
- Reduces the time and complexity of developing or integrating the Ansible Automation Platform with AI applications or agents.
- Simplifies AI integration, enabling existing automation through Ansible Automation Platform to be exposed to AI tools without writing custom API code or middleware.
7.1.2. Workflow
The standalone Ansible MCP server functions as a secure link between your external AI clients and the Ansible Automation Platform. The AI agent accesses underlying infrastructure only when the Ansible MCP server has appropriate permissions.
The following describes the workflow:
- AI client (The requester): The user initiates a request through their external AI agent (for example, Cursor or Claude) using natural-language prompts.
- The AI model (The translator): The AI agent receives the request, interprets the intent, and maps it to the appropriate exposed Ansible toolset. It then sends a structured toolset call with the necessary parameters.
- Ansible MCP server (The gatekeeper): Upon receiving the call, the Ansible MCP server validates the request. It uses the user’s API token to authenticate with the automation controller.
- Ansible controller (The executor): The automation controller accepts the validated command from the MCP server and triggers the appropriate automation job.
- Response loop: The automation result is returned to the Ansible MCP server, standardized into a format the AI agent can process, and displayed to the user via the AI client.
Both the Ansible MCP server and the Ansible Automation Platform UI access the Ansible Automation Platform API. However, because the AI tool processes the API output before displaying it in its chat interface, you might observe different results when comparing the output from the AI tool with the Ansible Automation Platform UI.
7.1.3. Ansible MCP server toolsets
The Ansible MCP server provides a pre-configured suite of toolsets that effectively act as a bridge between your preferred AI agent and the Ansible Automation Platform. Once configured, these toolsets enable your AI agent to perform specific, authorized actions without requiring you to leave the chat interface.
The Ansible MCP server turns your AI agent from a passive assistant into an active operator that can interact with your Ansible Automation Platform infrastructure and execute workflows or automate tasks based on the permissions you define.
The following toolsets are available in this Technology Preview release:
| Toolset | Description | Usage examples |
|---|---|---|
| Job management | Tools to list available job templates, launch automation jobs, and monitor their real-time status. | Operators can:
|
| Inventory management | Tools to query your inventory for host details, check group membership, and verify system facts. | Operators can:
|
| System monitoring | Tools to retrieve job logs, troubleshoot failed tasks, and check the health of your automation environment. | Administrators can:
|
| User management | Tools to allow the AI agent to administer access and organizational structure within the Ansible Automation Platform. | Administrators can:
|
| Security/compliance | Tools that enable the AI agent to act as a security operator, managing sensitive credentials and verifying platform integrity without exposing raw secrets. | Operators can:
Administrators can:
|
| Platform configuration | Tools that enable organization administrators and developers to inspect and tune the Ansible Automation Platform infrastructure itself. | Administrators can:
Developers can:
|
7.1.4. Server-level and user-level permissions
The Ansible MCP server employs a dual-layer security model to ensure safe integration between AI tools and your Ansible Automation Platform infrastructure. This approach combines a global administrative safeguard with the granular Role-Based Access Control (RBAC) of the Ansible Automation Platform.
You can grant the following access types to the Ansible MCP server:
Server-level permissions: Organization administrators assign a global-level permission while deploying the Ansible MCP server. Administrators can choose one of the following access levels:
- Read-only access: The default setting that enforces a strict "look but do not touch" policy. The AI agent can retrieve system data, such as logs and inventory, but the agent cannot launch jobs or modify configurations. This global safeguard overrides all individual user permissions to prevent unintended automation.
- Read-write access: This setting authorizes the AI agent to make changes in your Ansible Automation Platform, such as executing job templates, managing resources, and applying infrastructure changes. However, these actions are subject to the specific RBAC permissions of the user-provided API token.
User-level permissions: The AI agent’s specific capabilities are inherited from the user account that generated the authentication API token.
- Inherited permissions: The AI tool inherits the user’s permissions and performs only the actions the user is authorized to perform. For example, if the user’s token only has permissions to view the "network" inventory, the AI tool cannot access or modify the "database" inventory even if the user requests it.
- Rejection of unauthorized actions: If the AI tool attempts an action (like launching a job) that the user’s token is not authorized to perform, the Ansible Automation Platform API rejects the request.
Enabling read-write access for the Ansible MCP server grants the AI agent autonomy to directly make changes in your Ansible Automation Platform environment, for example, executing automation jobs. The AI agent can directly make changes in your Ansible Automation Platform environment only if the user has write permissions. Large Language Models (LLMs) can occasionally misinterpret prompts or hallucinate commands. Therefore, enabling read-write access may introduce a risk of unintended changes to your environment.
7.1.5. Telemetry data collection for Ansible MCP server
Red Hat collects anonymized telemetry data from the Ansible MCP server. The telemetry data includes metrics related to MCP server performance, adoption trends, and usage patterns.
Telemetry data will be automatically collected for Ansible MCP server deployments using Ansible Automation Platform patch release on 21 January 2026 and later versions. Red Hat will use this data to monitor the operational health of your MCP servers and to ensure the long-term scalability of the MCP ecosystem.
Telemetry data collection cannot be disabled, but strict user privacy is maintained. Red Hat does not collect users' personal information, such as usernames or passwords. If any personal information is inadvertently received, the data is deleted. Refer to the Red Hat Privacy Statement for more information about Red Hat’s privacy practices.
7.1.6. Prerequisites
- Platform version: An instance of Ansible Automation Platform 2.6 or later.
Deployment environment:
- OpenShift: Access to an OpenShift cluster with permissions to install operators.
- Containerized: A supported container runtime.
- Access credentials: A valid user or service account within Ansible Automation Platform with permissions to execute the desired automation jobs. You will need to generate an API token for this account.
7.1.7. Process
Perform the following tasks to deploy and configure an Ansible MCP server and integrate it with your preferred AI tool:
| Step number | Task | Description |
|---|---|---|
| 1 | Deploy and configure an Ansible MCP server on operator-based installation. | An organization administrator deploys and configures the Ansible MCP server on an operator-based installation of Ansible Automation Platform 2.6. |
| 2 | An Ansible user creates an API token for their Ansible Automation Platform instance and uses it to connect to their preferred AI tool. The AI tools will inherit the user’s permissions for authentication using the API token. | |
| 3 | The Ansible user then configures an external AI tool with the Ansible MCP server’s API token, enabling the AI tool to connect to the Ansible MCP server and execute workflows and automate tasks. |
7.2. Deploying an Ansible MCP server on an operator-based installation
As an organization administrator, you can deploy and configure an Ansible MCP server on an operator-based installation of Ansible Automation Platform 2.6. Use the following procedure to deploy and configure the Ansible MCP server.
Prerequisites
- You have a valid Ansible Automation Platform 2.6 subscription.
Procedure
- Log in to Red Hat OpenShift Container Platform as an administrator.
- Navigate to the namespace where you want to install the MCP server.
-
Select
. - From the list of installed operators, select Ansible Automation Platform.
- In the Ansible Automation Platform tile, click Create instance.
-
From the Configure via field, select the Form view, then provide the instance name. For example,
aap-mcp. Select the YAML view, and replace the
spec:section with the following snippet:Copy to Clipboard Copied! Toggle word wrap Toggle overflow ImportantUse the
allow_write_operationsvariable to configure the operational access level of the Ansible MCP server:-
Read-only access: Set the variable to
falseto restrict the AI agent to viewing data only. In this mode, the AI tool can query job statuses and logs, but cannot trigger new automation in the Ansible Automation Platform. The MCP server is set to read-only mode by default. -
Read-write access: Set the variable to
trueto allow the AI agent to make changes in Ansible Automation Platform, such as executing jobs or modifying the system state.
-
Read-only access: Set the variable to
- Click Create. The Ansible MCP server is created.
Optional: If you changed the permissions of the Ansible MCP server after it was created and deployed, you must delete the AnsibleMCPServer custom resource and recreate it.
Perform the following steps:
- Go to the Ansible Automation Platform portal.
- Under Resources, search for the AnsibleMCPServer custom resource.
-
Select the active AnsibleMCPServer instance. An active AnsibleMCPServer instance is identified by the
-mcpsuffix appended to the Ansible Automation Platform custom resource name. - Select the Settings menu on the right side of the instance, and then click Delete AnsibleMCPServer.
- After the reconciliation process completes, the existing MCP server instance is deleted, and a new Ansible MCP server instance is created.
Verification
-
Navigate to
. -
Check that the deployment you created is listed there. For example:
aap-mcp. - Check one of the pod’s logs and verify there are no errors.
7.3. Creating an API token for the Ansible MCP server
Create an API token for your Ansible Automation Platform instance, so you can use it to connect with your preferred AI agent. The AI tool will inherit the user’s permissions for API token-based authentication.
Prerequisites
- Your organization administrator has deployed an Ansible MCP server.
Procedure
-
From the navigation panel, select
. - Select the username for your user profile to configure OAuth 2 tokens.
- Select the Tokens tab. When no tokens are present, the Tokens screen prompts you to add them.
Click Create token, and provide the following details:
Application: Enter the name of the application with which you want to associate your token. Alternatively, you can search for it by clicking Browse. This opens a separate window that enables you to choose from the available options. Select Name from the filter list to filter by name if the list is extensive.
NoteTo create a Personal Access Token (PAT) that is not linked to any application, leave the Application field blank.
- Description: (Optional) Provide a short description for your token.
Scope: (Required) Specify the level of access you want this token to have. The scope of an OAuth 2 token can be set as one of the following:
- Write: Allows requests sent with this token to add, edit, and delete resources in the system.
- Read: Limits actions to read only. The write scope includes the read scope.
- Click Create token. The token information is displayed.
On the token information page that appears, click the Copy icon and save the token for future use.
ImportantThis will be the only time the token is displayed. Therefore, ensure that you save the token for future use.
Verification
You can verify that the application now shows the user with the appropriate token by selecting the Tokens tab on the Application Details page:
-
From the navigation panel, select
. - Select the application you want to verify from the Applications list view.
Select the Tokens tab.
Your token should be displayed in the list of tokens associated with the application you chose.
7.4. Connecting an AI agent to the Ansible MCP server
Use the API token of the Ansible MCP server to connect it with your preferred AI agent, such as Claude, Cursor, or ChatGPT.
Prerequisites
- An Ansible MCP server is deployed on your Ansible Automation Platform 2.6 environment.
- An API token is created for your Ansible MCP server.
Procedure
- Go to the AI tool that you want to connect to the Ansible Automation Platform.
Follow your AI client’s instructions to configure the MCP server settings.
Typically, you must specify the MCP server configurations in the
mcp.jsonfile.When configuring the
mcp.jsonfile, add the Ansible MCP server URL in the following format:<Ansible MCP server URL>/<toolset>/mcpKey:
Ansible MCP server URL = The URL of the Ansible MCP server. For example,
https://api.example.com/.To obtain the Ansible MCP server URL, contact your organization administrator.
-
Toolset = The toolset that you want to connect to. For example,
job_management,inventory_management,system_monitoring,user_management,security_compliance, andplatform_configuration. Token = The API token of the Ansible MCP server.
Use the following format to add details about your Ansible MCP server in the the
mcp.jsonfile:Copy to Clipboard Copied! Toggle word wrap Toggle overflow ImportantUse a concise MCP server name, ideally limited to 20 characters. This is because AI agents combine the MCP server name with the tool name to create a unique identifier, and most AI agents enforce a 64-character limit on this combined identifier.
Verification
Verify that the AI tool successfully connects to the Ansible Automation Platform MCP server using the API token.
In your AI agent’s chat window, enter a prompt like
What MCP tools are available for my Ansible Automation Platform?. The AI agent should return a response with a list of tools that are enabled for the Ansible Automation Platform MCP server.
7.5. Troubleshooting Ansible MCP server errors
This section contains information to help you diagnose and resolve issues with deploying the Ansible MCP server and connecting it to an external AI agent.
7.5.1. API output format rejected with 406 Status Code
Issue: Ansible Automation Platform rejects an API request (for example, retrieving job stdout) with an HTTP 406 status code if the MCP server’s requested output is not in JSON format.
Workaround: To obtain the output in a specific format, instruct your AI tool to use JSON format first. You can then transform the JSON output into your desired format.
7.5.2. User requests rejected with 400 status code
Issue: The Ansible MCP server may reject user requests from the external AI tool with 400 Bad Request status code. This error is encountered when the Ansible Automation Platform uses a self-signed certificate.
Workaround: Configure the Ansible MCP server to ignore certificate errors using the following steps:
-
For container-based installation: Set the value of variable
mcp_ignore_certificate_errorstotrue. For operator-based installation:
Add the
IGNORE_CERTIFICATE_ERRORSsetting to themcp:section of AnsibleAutomationPlatform custom resource in the following format:spec: mcp: extra_settings: - setting: IGNORE_CERTIFICATE_ERRORS value: truespec: mcp: extra_settings: - setting: IGNORE_CERTIFICATE_ERRORS value: trueCopy to Clipboard Copied! Toggle word wrap Toggle overflow
7.5.3. Ansible MCP server permissions are changed post deployment
Issue: If you changed the permissions of the Ansible MCP server after it was created and deployed, you must delete the AnsibleMCPServer custom resource and recreate it.
Workaround: Perform the following steps:
- Navigate to the Ansible Automation Platform portal.
- Under Resources, search for the AnsibleMCPServer custom resource.
-
Select the active AnsibleMCPServer instance. An active AnsibleMCPServer instance is identified by the
-mcpsuffix appended to the Ansible Automation Platform custom resource name. - Select the Settings menu (3-dot menu icon) on the right side of the instance, then click Delete AnsibleMCPServer.
- After the reconciliation process is completed, the existing Ansible MCP server instance is deleted and a new Ansible MCP server instance is created.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}