AWX and Ansible Automation Platform
AWX — and its Red Hat product form, Ansible Automation Platform — is the controller: a web UI and API that runs your playbooks as job templates, with credentials, role-based access, scheduling, surveys, and an audit log layered on top of ansible-core. It is where the work stops happening on a terminal and starts happening as a governed, recorded action behind a button.
This is where Larkspur's deploys move off engineers' laptops. There is a "Deploy Larkspur" job template, a survey that picks the environment, team-scoped permissions over who can launch versus who can edit, and a record of who ran what and when. Push-button automation, but governed instead of ad-hoc — the same playbooks you already wrote, now run from a place that remembers and controls who ran them.
Job Templates
A job template is a saved, parameterized run that binds four things into one launchable unit: a playbook in a project (a git repo), an inventory, a set of credentials, and an execution environment. "Deploy Larkspur" is a job template, and launching it is clicking a button — not remembering an ansible-playbook -i prod.ini site.yml --vault-id ... command line and getting every flag right under pressure. The binding is the value: the playbook, the hosts, the secrets, and the toolchain are decided once and reviewed, not retyped each run.
Surveys
A survey is a form attached to a job template that prompts for inputs and feeds them in as variables. Larkspur's survey asks "which environment?" with a choice of staging or prod, so the one template targets either inventory without anyone editing a command line or risking the wrong -i. This is why one template plus a survey beats two templates — a staging copy and a prod copy drift apart, and a fix that lands in one but not the other is exactly the kind of gap that surfaces at 2am.
Credentials and RBAC
Credentials — SSH keys, vault passwords, cloud tokens — are stored encrypted in the controller and injected at run time, never shown to the user launching the job. Role-based access scopes who can launch, edit, or admin each template separately. Put those together and the on-call engineer can run the prod deploy without ever holding the prod SSH key: they have launch permission on the template, the controller supplies the credential, and the secret never leaves the vault to sit in a human's ~/.ssh. The moment a person holds a credential to run a deploy by hand, that control is gone.
Scheduling and the API
Job templates run on a schedule — a nightly compliance converge, a recurring drift correction — or are triggered through the controller's REST API. The API is how CI pipelines and webhooks launch governed runs: instead of a pipeline running raw ansible-playbook with secrets exported as environment variables, it makes an API call that launches the job template, and the privileged run happens in the controller with its credentials and audit. The next topic builds the whole pipeline on exactly this handoff.
The Audit Trail
Every job records who launched it, with what survey answers, against which inventory, and the full output. "Who deployed prod at 2am and what did it change" becomes a query against the controller, not a Slack archaeology session reconstructing events from half-remembered messages. The audit trail is not a side feature — it is half the reason to run a controller at all, because the difference between automation and governed automation is whether every run is attributable after the fact.
AWX — the upstream open-source project: free, community-supported, fast-moving, and the same core controller engine. Run it to get the controller's capabilities — job templates, surveys, RBAC, credentials, audit — at no license cost.
Ansible Automation Platform — Red Hat's supported product built on that same engine, adding a vendor support contract, certified and supported execution environments, a private Automation Hub for certified collections, and a longer-lived release stream. Buy it when you need vendor support, certified content, and the supported EE and Hub layer. The job-template, survey, RBAC, and credential model is identical in both — the choice is support and certified content, not features.
- Handing engineers raw SSH and vault credentials so they can run deploys from laptops, instead of storing them in the controller with launch-only RBAC — the credential leaves the vault the moment a human holds it.
- Building one job template per environment — a
stagingand a separateprodcopy — instead of one template plus a survey, so the two drift and a fix lands in one but not the other. - Skipping RBAC and giving everyone admin on every template, so anyone can edit the prod deploy's playbook source or inventory binding — the audit log records the change but nothing prevented it.
- Assuming AWX or AAP replaces writing good playbooks — the controller runs your
ansible-corecontent, and a non-idempotent playbook is just as broken when launched from a button as from a terminal. - Treating AWX and AAP as different tools to choose between on capability — they are the same engine, and the real decision is support and certified content, not a feature comparison.
- Store every credential in the controller and grant launch-only RBAC, so engineers can run the prod deploy without ever holding the prod key themselves.
- Model environments with one job template plus a survey variable, not duplicate templates, so
stagingandprodruns share one reviewed playbook binding. - Scope RBAC by team and action — launch versus edit versus admin — so who can change a deploy's source is a separate decision from who can run it.
- Bind every job template to a pinned execution environment, so the controller runs the same frozen toolchain that CI and local
ansible-navigatoruse. - Treat the audit trail as a deliverable, not a byproduct — require survey answers and named launchers so every prod change is attributable after the fact.
Knowledge Check
What does a job template bind together into one launchable unit?
- A playbook in a project, an inventory, credentials, and an execution environment
- A single host, its SSH key, and a one-line shell command to run on it
- A state file, a lock, and the last run's diff for the controller to compare against
- Only the playbook — inventory and credentials are typed in at launch each time
Why does one job template plus a survey beat a separate staging and prod template?
- The survey feeds the environment as a variable, so both runs share one reviewed binding instead of two copies that drift apart
- Surveys run measurably faster than duplicate templates because the controller caches the rendered form and reuses it between launches
- A survey is the only supported way to attach machine credentials to a job template at all
- Duplicate templates for the same playbook are outright forbidden by the controller's RBAC model
How does the controller let an on-call engineer run the prod deploy without holding the prod SSH key?
- Credentials are stored encrypted and injected at run time, and launch-only RBAC lets the engineer trigger the job without ever seeing the key
- The controller emails the engineer a one-time copy of the prod SSH key that stays valid only for the exact duration of that one single deploy run
- The engineer's own laptop SSH key is temporarily promoted to the prod key by the controller for that run
- RBAC disables stored credentials entirely, so the prod deploy simply runs with no authentication against the hosts
What actually distinguishes AWX from Ansible Automation Platform?
- They share the same controller engine; AAP adds vendor support, certified EEs and collections, and a longer-lived release stream
- AWX lacks both job templates and launch-time surveys entirely, which are features that only the paid, supported AAP product provides
- AAP runs on
ansible-corewhile AWX is built on a completely separate, incompatible automation engine underneath - AWX cannot store credentials at all, so role-based access control ends up being an AAP-only capability
You got correct