OIDC Provider to Prove Attributes of Jobs to 3rd Parties #14652

Open
4 of 9 tasks
freddierice opened this issue Nov 13, 2023 · 0 comments
Please confirm the following

  • I agree to follow this project's code of conduct.
  • I have checked the current issues for duplicates.
  • I understand that AWX is open source software provided for free and that I might not receive a timely response.

Feature type

New Feature

Feature Summary

I would like a way for an Ansible job created by AWX to prove to 3rd party platforms its attributes, such as its

  • job name
  • the actor / cronjob that launched the job
  • target hostname
  • starting timestamp

If this were in place, I could set HashiCorp Vault to trust AWX without sharing app roles for every job and instead create those policies inside of Vault.

GitHub has something similar for GitHub Actions:
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect

Select the relevant components

  • UI
  • API
  • Docs
  • Collection
  • CLI
  • Other

Steps to reproduce

Building in an OIDC provider will allow jobs to be able to authenticate to 3rd parties without hardcoded secrets per job/role/workflow.

Current results

Not implemented. Secrets are hardcoded.

Suggested feature result

The result for an Ansible workflow would be

  1. an environment variable in the running job whose contents are a signed JWT which
  2. can be verified by AWX and
  3. has useful attributes (issue time, job name, hostname, etc)

Additional information

I think there are 3 components here:

  1. OIDC Provider (could be pulled in from https://django-oidc-provider.readthedocs.io/en/master/)
  2. At what step should the JWT be injected? It needs to be close to "run()" because it needs all the attributes.
  3. Configuration (how do we initialize the server secret? where does it go? how is it rolled? how should job specify that it wants a JWT?)
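An added example of the token flow the issue proposes (not AWX code): AWX mints a short-lived, audience-bound JWT carrying the job attributes, and the relying party (the role Vault would play) verifies signature, issuer, audience, validity window and bound claims before trusting it. A real OIDC provider would sign with an asymmetric key and publish the public half via a JWKS endpoint; to stay standard-library only, HS256 with a constructed key stands in here, and the issuer URL and claim names are assumptions.

```python
import base64, hmac, hashlib, json

# Constructed demo key; an OIDC provider would hold an asymmetric private key
# and expose the public key through its JWKS endpoint instead.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
ISSUER = "https://awx.example.internal"  # hypothetical AWX issuer URL

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_job_token(job: dict, audience: str, now: int, ttl: int = 300) -> str:
    """Issuer side: JWT with the attributes the issue lists, bound to one audience."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER, "aud": audience, "iat": now, "nbf": now, "exp": now + ttl,
        "sub": f"job:{job['id']}",
        "job_name": job["name"], "launched_by": job["launched_by"],
        "target_host": job["target_host"], "started_at": job["started_at"],
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_job_token(token: str, audience: str, bound_claims: dict, now: int) -> dict:
    """Relying-party side (what a Vault JWT role checks). Returns claims or raises ValueError."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # the verifier, not the token, fixes the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if not (claims["nbf"] <= now < claims["exp"]):
        raise ValueError("token not yet valid or expired")
    for key, value in bound_claims.items():  # e.g. only jobs named deploy-web get this policy
        if claims.get(key) != value:
            raise ValueError(f"bound claim {key} mismatch")
    return claims
```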