About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

What Is AWX? Complete Guide to Ansible AWX (Open-Source Tower Alternative)

By Luca Berton · Published 2024-01-01 · Category: installation

What is AWX? Complete guide to Ansible AWX — the free, open-source alternative to Ansible Tower.

What Is AWX?

AWX is the open-source upstream project for Red Hat Ansible Automation Platform Controller (formerly Ansible Tower). It provides a web-based UI, REST API, and task engine for Ansible automation at scale.

I'm Luca Berton, and in this comprehensive guide I'll cover everything you need to know about AWX.

AWX vs Ansible Tower vs Ansible Automation Platform

| Feature | AWX | Ansible Tower | AAP Controller |
|---------|-----|---------------|----------------|
| License | Apache 2.0 (free) | Commercial (Red Hat) | Commercial (Red Hat) |
| Support | Community only | Red Hat support | Red Hat support |
| Updates | Frequent releases | Stable releases | Stable releases |
| Certifications | None | FIPS, SOC2 | FIPS, SOC2, FedRAMP |
| Use case | Dev/test, small teams | Production | Enterprise production |

AWX is to Ansible Automation Platform what Fedora is to RHEL — the community upstream where features are developed first.

Key Features of AWX

1. Web-Based Dashboard

AWX provides a graphical interface for:
• Running and scheduling playbooks
• Viewing job history and output
• Managing inventories and credentials
• Monitoring automation status

2. Role-Based Access Control (RBAC)

• Define users, teams, and organizations
• Granular permissions per project, inventory, and job template
• LDAP/SAML/OAuth2 integration for SSO

3. Job Templates

Job templates wrap playbooks with:
• Inventory selection
• Credential management
• Variable prompts
• Survey forms for self-service

4. Workflow Templates

Chain multiple job templates into workflows:
• Conditional branching (on success/failure)
• Approval nodes
• Parallel execution
• Notification integration

5. REST API

Full API access for integration:
# List job templates
curl -u admin:password https://awx.example.com/api/v2/job_templates/

# Launch a job
curl -X POST -u admin:password \
  https://awx.example.com/api/v2/job_templates/1/launch/
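
The calls above pass the admin password with `-u`, which places it in the process list and in shell history. The following added example (not from the original article) makes the same API calls with an OAuth2 token read from an owner-only file and handed to curl on stdin. The token file path, the function names, and the assumption that tokens are purely alphanumeric are illustrative.

```sh
#!/bin/sh
# Added example: call the AWX API with a bearer token kept off the command line.
# AWX_URL and the token file location are assumptions for illustration.
AWX_URL=${AWX_URL:-https://awx.example.com}
AWX_TOKEN_FILE=${AWX_TOKEN_FILE:-$HOME/.config/awx/token}

# token_file_ok FILE -> 0 only if FILE is a regular, non-empty file with no
# group/other permission bits (mode 0600 or 0400).
token_file_ok() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] && [ -s "$f" ] || return 1
    perms=$(ls -ld "$f" | cut -c5-10)   # group+other bits of e.g. -rw-------
    [ "$perms" = "------" ]
}

# curl_config FILE -> prints a curl config line carrying the Authorization
# header; rejects tokens with characters outside [A-Za-z0-9] (assumed format).
curl_config() {
    token=$(tr -d '\r\n' < "$1")
    case $token in
        ''|*[!A-Za-z0-9]*) echo "token has unexpected characters" >&2; return 1 ;;
    esac
    printf 'header = "Authorization: Bearer %s"\n' "$token"
}

# awx_api METHOD PATH: the header reaches curl via stdin (--config -), so the
# token never appears in argv, ps output, or shell history.
awx_api() {
    token_file_ok "$AWX_TOKEN_FILE" || {
        echo "refusing $AWX_TOKEN_FILE: need a non-empty regular file, mode 0600" >&2
        return 1
    }
    cfg=$(curl_config "$AWX_TOKEN_FILE") || return 1
    printf '%s\n' "$cfg" |
        curl --fail --silent --show-error --config - -X "$1" "$AWX_URL$2"
}

# Usage:
#   awx_api GET  /api/v2/job_templates/
#   awx_api POST /api/v2/job_templates/1/launch/
```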

6. Inventory Management

• Static inventories via UI
• Dynamic inventories from cloud providers (AWS, Azure, GCP, VMware)
• Smart inventories with filters
• Inventory sources with sync schedules

7. Credential Management

Securely store and manage:
• SSH keys and passwords
• Cloud provider credentials (AWS, Azure, GCP)
• SCM credentials (Git tokens)
• Vault passwords
• Custom credential types

Installing AWX

Prerequisites

• Kubernetes cluster (Minikube, K3s, or full cluster)
• kubectl configured
• helm (optional)

Install with AWX Operator (Recommended)

# Install AWX Operator
kubectl apply -f https://raw.githubusercontent.com/ansible/awx-operator/main/deploy/awx-operator.yaml

# Create AWX instance
cat <<EOF | kubectl apply -f -
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx
spec:
  service_type: NodePort
EOF

# Get admin password
kubectl get secret awx-admin-password -o jsonpath="{.data.password}" | base64 --decode

# Access UI
kubectl port-forward svc/awx-service 8080:80

System Requirements

| Component | Minimum | Recommended |
|-----------|---------|-------------|
| CPU | 2 cores | 4 cores |
| Memory | 4 GB | 8 GB |
| Storage | 20 GB | 40 GB |
| Kubernetes | 1.22+ | 1.26+ |

AWX Architecture

┌─────────────────────────────────────┐
│            AWX Web UI               │
├─────────────────────────────────────┤
│          REST API (nginx)           │
├──────────┬──────────┬───────────────┤
│  Task    │  Web     │  Redis        │
│  Engine  │  Server  │  (message     │
│ (celery) │ (Django) │   broker)     │
├──────────┴──────────┴───────────────┤
│         PostgreSQL Database         │
└─────────────────────────────────────┘

Creating Your First Job Template

1. Add a Project (SCM source with your playbooks)
2. Add an Inventory (target hosts)
3. Add Credentials (SSH key or password)
4. Create Job Template combining project + inventory + credentials
5. Launch the job template

Workflows Example

[Update packages] ──success──▶ [Deploy app] ──success──▶ [Run tests]
                                     │
                                  failure
                                     │
                                     ▼
                              [Rollback] ──▶ [Notify team]

AWX Best Practices

1. Use SCM-based projects — Keep playbooks in Git, not uploaded manually
2. Separate credentials — Never hardcode secrets in playbooks
3. Use organizations — Isolate teams and projects
4. Schedule inventory syncs — Keep dynamic inventories fresh
5. Enable logging — Ship logs to ELK/Splunk for auditing
6. Regular backups — Back up PostgreSQL database
7. Use execution environments — Containerized Ansible with consistent dependencies

Scaling AWX

For larger deployments:
• Horizontal scaling — Run multiple task pods
• External PostgreSQL — Dedicated database server
• External Redis — Clustered message broker
• Resource limits — Set CPU/memory limits per container
• Persistent storage — Use PVCs for project and job data

FAQ

Is AWX free to use in production?

Yes. AWX is Apache 2.0 licensed. However, Red Hat doesn't provide support for AWX — for supported enterprise use, consider Ansible Automation Platform.

What is the difference between AWX and Ansible Tower?

AWX is the open-source upstream. Ansible Tower was the commercial downstream product (now renamed to Ansible Automation Platform Controller). Tower/AAP gets stable, tested releases with support; AWX gets features first but releases more frequently.

Can AWX replace Ansible CLI?

AWX adds a UI and API layer on top of Ansible. You can still use the CLI alongside AWX. AWX is ideal for team collaboration, scheduling, and access control.

How do I upgrade AWX?

Since AWX runs on Kubernetes via the operator, upgrades are done by updating the operator version and the AWX custom resource.

Does AWX support Event-Driven Ansible?

EDA is a separate component in AAP. AWX focuses on the Controller functionality. For event-driven automation, consider AAP or run EDA controller separately.

Conclusion

AWX brings enterprise-grade features to Ansible automation — for free. It's ideal for teams that need a UI, RBAC, scheduling, and API access for their Ansible workflows.

For more Ansible tutorials, visit AnsiblePilot.

Migrating from Ansible Tower to AWX

If your organization is moving from Ansible Tower to AWX:

Export Tower Data

# Export inventory
tower-cli inventory list --format json > inventories.json

# Export job templates
tower-cli job_template list --format json > templates.json

# Export credentials (encrypted)
tower-cli credential list --format json > credentials.json

Key Migration Steps

1. Deploy AWX on Kubernetes using the AWX Operator
2. Recreate organizations and teams — AWX uses the same RBAC model
3. Import inventories — Static inventories can be imported via API; dynamic inventory sources need reconfiguration
4. Reconfigure SCM projects — Point to the same Git repositories
5. Recreate job templates — Map to imported inventories and credentials
6. Test workflow templates — Rebuild workflow logic
7. Update API integrations — AWX API is largely compatible with Tower API

API Compatibility

AWX and Tower share the same API structure (/api/v2/). Most integrations work with minimal changes — update the base URL and credentials.

Integrating AWX with CI/CD Pipelines

Jenkins Integration

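// Jenkinsfile - trigger AWX job
pipeline {
    agent any  // a declarative pipeline needs an agent
    stages {
        stage('Deploy') {
            steps {
                // httpRequest comes from the HTTP Request plugin;
                // 'awx-credentials' is a Jenkins credentials ID
                httpRequest(
                    url: "https://awx.example.com/api/v2/job_templates/5/launch/",
                    httpMode: 'POST',
                    authentication: 'awx-credentials',
                    contentType: 'APPLICATION_JSON',
                    // Double-quoted so Groovy interpolates the build number;
                    // a single-quoted string would send "${BUILD_NUMBER}" literally
                    requestBody: "{\"extra_vars\": {\"version\": \"${env.BUILD_NUMBER}\"}}"
                )
            }
        }
    }
}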

GitLab CI Integration

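# .gitlab-ci.yml
deploy:
  stage: deploy
  script:
    # Quote the tag so the shell cannot word-split or glob it; the value is
    # still spliced into the JSON body unescaped.
    # --fail makes the job fail when AWX answers with an HTTP error.
    - |
      curl --fail -X POST \
        -H "Authorization: Bearer $AWX_TOKEN" \
        -H "Content-Type: application/json" \
        -d '{"extra_vars": {"app_version": "'"$CI_COMMIT_TAG"'"}}' \
        "$AWX_URL/api/v2/job_templates/5/launch/"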

GitHub Actions Integration

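# .github/workflows/deploy.yml
on:
  push:
    tags: ['*']  # assumed trigger: run on tag pushes
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Trigger AWX deployment
        env:
          # Pass expressions through the environment so they are never
          # expanded into the script text itself
          AWX_URL: ${{ secrets.AWX_URL }}
          AWX_TOKEN: ${{ secrets.AWX_TOKEN }}
          VERSION: ${{ github.ref_name }}
        run: |
          curl --fail -X POST \
            -H "Authorization: Bearer $AWX_TOKEN" \
            -H "Content-Type: application/json" \
            -d '{"extra_vars": {"version": "'"$VERSION"'"}}' \
            "$AWX_URL/api/v2/job_templates/5/launch/"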
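
The GitLab CI and GitHub Actions jobs above both place a tag or ref name inside a JSON string, so a name containing a double quote would change the structure of `extra_vars` that AWX receives. The following added example (not from the original article) is a launch helper that validates the value against an allowlist before building the body. The function names and the allowlist itself are assumptions.

```sh
#!/bin/sh
# Added example, not the article's code: build the body for
# POST /api/v2/job_templates/<id>/launch/ from a CI variable without letting
# the variable's content change the JSON structure.

# is_safe_version VALUE -> 0 only for 1-64 chars of [A-Za-z0-9._-] that start
# with a letter or digit. The allowlist is an assumption; adapt it to your tags.
is_safe_version() {
    v=$1
    [ -n "$v" ] && [ "${#v}" -le 64 ] || return 1
    case $v in
        [!A-Za-z0-9]*)     return 1 ;;  # leading '-', '.', quote, ...
        *[!A-Za-z0-9._-]*) return 1 ;;  # anything outside the allowlist
    esac
    return 0
}

# build_launch_payload KEY VALUE -> JSON on stdout; returns 2 and prints
# nothing on stdout when KEY or VALUE is rejected.
build_launch_payload() {
    key=$1
    value=$2
    case $key in
        ''|*[!a-z0-9_]*) echo "refusing variable name: $key" >&2; return 2 ;;
    esac
    if ! is_safe_version "$value"; then
        echo "refusing unsafe value for $key" >&2
        return 2
    fi
    printf '{"extra_vars": {"%s": "%s"}}' "$key" "$value"
}

# launch_job TEMPLATE_ID KEY VALUE
# AWX_URL and AWX_TOKEN are expected from the CI secret store, as in the jobs above.
launch_job() {
    case $1 in
        ''|*[!0-9]*) echo "template id must be numeric" >&2; return 2 ;;
    esac
    payload=$(build_launch_payload "$2" "$3") || return 2
    curl --fail --silent --show-error -X POST \
        -H "Authorization: Bearer $AWX_TOKEN" \
        -H "Content-Type: application/json" \
        -d "$payload" \
        "$AWX_URL/api/v2/job_templates/$1/launch/"
}
```

In a pipeline, source the file and call `launch_job 5 app_version "$CI_COMMIT_TAG"`; a rejected value stops the job before any request is sent.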

AWX Backup and Disaster Recovery

Database Backup

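# Backup PostgreSQL database (-i only: a TTY would add carriage returns to the dump)
kubectl exec -i awx-postgres-0 -- pg_dump -U awx awx > awx-backup.sql

# Schedule regular backups
apiVersion: batch/v1
kind: CronJob
metadata:
  name: awx-backup
spec:
  schedule: "0 2 * * *"  # Daily at 2 AM
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: OnFailure  # Job pods require OnFailure or Never
          containers:
            - name: backup
              image: postgres:15
              # /backup must be a mounted volume (for example a PVC), and the
              # database password must be supplied from a Secret (PGPASSWORD)
              command:
                - /bin/sh
                - -c
                - pg_dump -h awx-postgres -U awx awx | gzip > /backup/awx-$(date +%Y%m%d).sql.gz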

Restore from Backup

# Restore database (-i only: stdin is a file, so no TTY can be allocated)
kubectl exec -i awx-postgres-0 -- psql -U awx awx < awx-backup.sql

# Restart AWX pods after restore
kubectl rollout restart deployment awx-web
kubectl rollout restart deployment awx-task

AWX Notifications

Configure notifications for job status:

Slack Notification

1. Create a Slack webhook URL
2. In AWX: Notifications → Add → Slack
3. Enter webhook URL and channel
4. Attach to job templates (start/success/failure)

Email Notification

# AWX Notification Template (Email)
Type: Email
Host: smtp.example.com
Port: 587
Username: alerts@example.com
Recipients: team@example.com

Webhook Notification

# Generic webhook for custom integrations
Type: Webhook
URL: https://hooks.example.com/awx-events
HTTP Method: POST
Headers:
  Content-Type: application/json
  Authorization: Bearer {{ token }}

Monitoring AWX Performance

Key Metrics to Track

• Job queue depth — Jobs waiting to execute
• Task pod CPU/memory — Celery worker resource usage
• Database connections — PostgreSQL connection pool
• API response times — Web server performance
• Failed job rate — Track automation reliability

Prometheus Integration

# ServiceMonitor for AWX metrics
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: awx-metrics
spec:
  selector:
    matchLabels:
      app: awx
  endpoints:
    - port: http
      path: /api/v2/metrics/
      interval: 30s

AWX Execution Environments

AWX uses Execution Environments (EEs) — container images with Ansible and dependencies:

Default EE

AWX ships with quay.io/ansible/awx-ee:latest which includes:
• ansible-core
• Common collections (community.general, ansible.posix)
• Python libraries for cloud modules

Custom EE

# execution-environment.yml
---
version: 3
dependencies:
  galaxy:
    collections:
      - name: amazon.aws
        version: ">=7.0.0"
      - name: community.docker
      - name: kubernetes.core
  python:
    - boto3>=1.28.0
    - docker>=6.0.0
    - kubernetes>=27.0.0
  system:
    - gcc
    - python3-devel

images:
  base_image:
    name: quay.io/ansible/ansible-runner:latest

Build and push:

ansible-builder build --tag my-org/custom-ee:1.0
podman push my-org/custom-ee:1.0 registry.example.com/custom-ee:1.0

AWX Security Hardening

Network Security

• TLS termination — Use Ingress with TLS certificate
• Network policies — Restrict pod-to-pod communication
• Firewall rules — Only expose ports 80/443

Authentication

• LDAP/AD integration — Centralized user management
• SAML SSO — Enterprise single sign-on
• OAuth2 tokens — API access with token expiry
• 2FA — Enable two-factor authentication

Credential Security

• External credential lookups — HashiCorp Vault, CyberArk, Azure Key Vault
• Credential rotation — Regular password and key rotation
• Audit logging — Track who accessed what credentials

# AWX with HashiCorp Vault credential plugin
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx
spec:
  extra_settings:
    - setting: AWX_VAULT_CREDENTIAL_PLUGIN_ENABLED
      value: "true"
