Skip to content

AAP-62657 Implement logic to extract and populate JWT claims from Controller Jobs #16259

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
melissalkelly wants to merge 4 commits into
base: devel
Choose a base branch
from
Open

AAP-62657 Implement logic to extract and populate JWT claims from Controller Jobs #16259

melissalkelly wants to merge 4 commits into from

Conversation

@melissalkelly
Copy link
Member

@melissalkelly melissalkelly commented Jan 30, 2026

AAP-62657

What is being changed?

Adds populate_claims_for_workload() function to awx/main/tasks/jobs.py:

  • Extracts 21 JWT claims - Populates all claims defined in AutomationControllerJobScope
    from django-ansible-base
  • Uses DAB constants - References claim names via AutomationControllerJobScope.CLAIM_* for
    consistency with Gateway
  • Handles null/missing fields - Omits claims when workload attributes are null or empty
    strings
  • Comprehensive tests - Includes 4 parametrized test cases covering complete jobs, minimal
    jobs, empty strings, and edge cases

Why is this change needed?

This function is the Controller-side implementation for OIDC workload identity claim population.
While the scope is defined in django-ansible-base (AAP-62105) and validated by Gateway
(AAP-62534), Controller needs to provide the actual job metadata.

The function will be called from RunJob.build_jwt() (to be implemented in AAP-62693) to:

  • Extract job metadata into the standardized claim format
  • Pass claims to the Workload Identity Client
  • Enable Gateway to issue signed identity tokens for running jobs

How does this change address the issue?

  • All 21 claims populated
  • Null handling implemented
  • Tests verify behavior

Notes

This function is not yet called - it will be integrated when RunJob.build_jwt() is
implemented in AAP-62693. The function signature and behavior are complete and tested, ready for
integration.

Related Tickets

  • AAP-62657 (this ticket) - Implement claim population logic
  • AAP-62693 - Integrate Workload Identity Client to request JWTs on job launch (will call
    this function)
  • AAP-62105 - Define AutomationControllerJobScope in django-ansible-base
  • AAP-62534 - Gateway validates claims against scope
ISSUE TYPE
  • New or Enhanced Feature
COMPONENT NAME
  • Other
@melissalkelly melissalkelly changed the title Aap 62657 Jan 30, 2026
@melissalkelly
Copy link
Member Author

melissalkelly commented Jan 30, 2026
edited
Loading

CI is failing with ModuleNotFoundError: No module named 'ansible_base.lib.workload_identity'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

community component:api

1 participant

@melissalkelly