Ansible Automation Architect @ Red Hat

1 minute read

While reading the Automation execution API overview doc, I noticed that beside OAuth 2 token, and basic auth with username and password, we can also use gateway session ID cookie.

Here is a quick summary of steps using CURL and shell script.

Get the CSRF Token

Hitting the login page with curl

curl -s -c - https://$AAP_HOSTNAME/api/gateway/v1/login/

will generate the csrfToken somewhere in the output like

...
</div>

      <script type="application/json" id="drf_csrf">
        {
          "csrfHeaderName": "X-CSRFToken",
          "csrfToken": "eC1zNXSLZHTE6xqu9xwC6TU57HS91b8uDAfwVsac6Uaonmi31D4cB8tFcPcqzGwn"
        }
      </script>
      <script src="/static/rest_framework/js/jquery-3.7.1.min.js"></script>
      <script src="/static/rest_framework/js/ajax-form.js"></script>
...

Using the csrfToken, login with username and password

curl -s -X POST -D - -H 'Content-Type: application/x-www-form-urlencoded' \
--referer https://$AAP_HOSTNAME/api/gateway/v1/login/ \
-H "X-CSRFToken: $CSRFTOKEN" \
--data "username=$AAP_USERNAME&password=$AAP_PASSWORD" \
--cookie "csrftoken=$CSRFTOKEN" \
https://$AAP_HOSTNAME/api/gateway/v1/login/

Check the header output of the response and look for gateway_sessionid cookie

HTTP/1.1 302 Found
server: envoy
date: Mon, 21 Jul 2025 21:41:23 GMT
content-type: text/html; charset=utf-8
content-length: 0
location: /api/gateway/v1/
expires: Mon, 21 Jul 2025 21:41:23 GMT
cache-control: max-age=0, no-cache, no-store, must-revalidate, private
vary: Cookie
x-frame-options: DENY
x-content-type-options: nosniff
referrer-policy: same-origin
cross-origin-opener-policy: same-origin
set-cookie: csrftoken=CoVFnyrQg4QZDthOpsqmIyUNJ7W2JBvJ; expires=Mon, 20 Jul 2026 21:41:23 GMT; Max-Age=31449600; Path=/; SameSite=Lax; Secure
set-cookie: gateway_sessionid=9tltx97vwynzpdw0xbohp2vtwo2suvbu; expires=Mon, 21 Jul 2025 21:56:23 GMT; HttpOnly; Max-Age=900; Path=/; SameSite=Lax; Secure
strict-transport-security: max-age=63072000
x-content-type-options: nosniff
x-envoy-upstream-service-time: 260

Now we can access other APIs using this gateway_sessionid cookie. For example, to check the status

curl -X GET -H 'Cookie: gateway_sessionid=9tltx97vwynzpdw0xbohp2vtwo2suvbu;'  https://$AAP_HOSTNAME/api/gateway/v1/status/

Note

  • No OAuth2 token will be generated under the authenticated user
  • The session ID expiration is controlled by Settings -> Platform gateway -> Session cookie age

Complete shell script

AAP_HOSTNAME=hostname
AAP_USERNAME=username
AAP_PASSWORD=password

CSRF_TOKEN=$(curl -s -c - https://$AAP_HOSTNAME/api/gateway/v1/login/ | awk '/<script type="application\/json" id="drf_csrf">/{flag=1; next} /<\/script>/{flag=0} flag' | jq .csrfToken)

SESSIONID=$(curl -s -X POST -D - -H 'Content-Type: application/x-www-form-urlencoded' \
--referer https://$AAP_HOSTNAME/api/gateway/v1/login/ \
-H "X-CSRFToken: $CSRFTOKEN" \
--data "username=$AAP_USERNAME&password=$AAP_PASSWORD" \
--cookie "csrftoken=$CSRFTOKEN" \
https://$AAP_HOSTNAME/api/gateway/v1/login/ | awk '/gateway_sessionid/ {print $2}')

curl -X GET -H "Cookie: $SESSIONID"  https://$AAP_HOSTNAME/api/gateway/v1/status/ | jq .

Leave a comment

You may also enjoy

Using HashiCorp Vault Signed SSH with AAP

1 minute read

In this post Using signed SSH certificate in AAP, we sign the the SSH key on command line before we create the AAP machine credential. In this article, we w...

Using Datadog as External Logging for AAP

1 minute read

If you want to integrate Datadog logging directly with the playbooks or projects, check out this article KB3982961 and Datadog callback plugin

Some useful examples of using map

less than 1 minute read

Apped some string to a list of string vars: file_name: - 'my_file' - 'some_other_file' tasks: - name: List all similar files ...