cloudera.cloud.iam_workload_auth_token module – Generate authentication token for CDP workload APIs

Note

This module is part of the cloudera.cloud collection (version 3.1.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install cloudera.cloud.

To use it in a playbook, specify: cloudera.cloud.iam_workload_auth_token.

New in cloudera.cloud 3.2.0

Synopsis

  • Generates an authentication token which is required for sending requests to workload APIs.

  • The token can be used to authenticate API calls to workload services like Data Engineering (DE), DataFlow (DF), or Operational Database (OPDB).

Parameters

Parameter

Comments

access_key

string

If provided, the Cloudera on cloud API will use this value as its access key.

If not provided, the API will attempt to use the value from the environment variable CDP_ACCESS_KEY_ID.

Required if private_key is provided.

Mutually exclusive with credentials_path.

credentials_path

string

If provided, the Cloudera on cloud API will use this value as its credentials path.

If not provided, the API will attempt to use the value from the environment variable CDP_CREDENTIALS_PATH.

Default: "~/.cdp/credentials"

debug

aliases: debug_endpoints

boolean

If true, the module will capture the Cloudera on cloud HTTP log and return it in the sdk_out and sdk_out_lines fields.

Choices:

  • false ← (default)

  • true

endpoint

aliases: endpoint_url, url

string

The Cloudera on cloud API endpoint to use.

Mutually exclusive with endpoint_region.

endpoint_region

aliases: cdp_endpoint_region, cdp_region, region

string

Specify the Cloudera on cloud API endpoint region.

See Cloudera Control Plane regions for more information.

If not provided, the API will attempt to use the value from the environment variable CDP_REGION.

default is an alias for the us-west-1 region.

Mutually exclusive with endpoint.

Choices:

  • "default"

  • "us-west-1" ← (default)

  • "eu-1"

  • "ap-1"

endpoint_tls

aliases: verify_endpoint_tls, verify_tls, verify_api_tls

boolean

Verify the TLS certificates for the Cloudera on cloud API endpoint.

Choices:

  • false

  • true ← (default)

environment_crn

aliases: env_crn

string

The environment CRN, required by DF workloads.

This should be the CRN of the CDP environment where the DataFlow service is running.

exclude_groups

boolean

Whether to exclude the ‘groups’ claim from the token.

Choices:

  • false ← (default)

  • true

http_agent

aliases: agent_header

string

The HTTP user agent to use for Cloudera on cloud API requests.

Default: "cloudera.cloud"

private_key

string

If provided, the Cloudera on cloud API will use this value as its private key.

If not provided, the API will attempt to use the value from the environment variable CDP_PRIVATE_KEY.

Required if access_key is provided.

profile

string

If provided, the Cloudera on cloud API will use this value as its profile.

If not provided, the API will attempt to use the value from the environment variable CDP_PROFILE.

Default: "default"

strict

aliases: strict_errors

boolean

Legacy CDPy SDK error handling.

Choices:

  • false ← (default)

  • true

workload_name

aliases: workload

string / required

The workload name for which to generate the authentication token.

Must be one of DE (Data Engineering), DF (DataFlow), or OPDB (Operational Database).

Choices:

  • "DE"

  • "DF"

  • "OPDB"

Examples

# Note: These examples do not set authentication details.

- name: Generate workload auth token for Data Engineering
  cloudera.cloud.iam_workload_auth_token:
    workload_name: DE

- name: Generate workload auth token for Operational Database
  cloudera.cloud.iam_workload_auth_token:
    workload_name: OPDB

- name: Generate workload auth token for DataFlow with environment
  cloudera.cloud.iam_workload_auth_token:
    workload_name: DF
    environment_crn: crn:cdp:environments:us-west-1:123456-8867-4357-8524-123465:environment:61eb5b97-226a-4be7-b56e-78d4e5d8c7e3

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

sdk_out

string

Returns the captured API HTTP log.

Returned: when supported

sdk_out_lines

list / elements=string

Returns a list of each line of the captured API HTTP log.

Returned: when supported

workload_auth_token

dictionary

The information about the generated workload authentication token

Returned: always

endpoint_url

string

The workload endpoint URL where the token should be used.

Returned: when workload_name is DF

Sample: "https://service.us-west-1.workload.cloudera.site/api"

expire_at

string

The date and time when the token will expire.

Returned: on success

Sample: "2026-01-22T14:30:00.000Z"

token

string

The authentication token to use for workload API calls.

Returned: on success

Sample: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."

Authors

  • Ronald Suplina (@rsuplina)