Building a custom credential for Event-Driven Ansible
Credentials in rulebooks? Definitely not.
When I first started using rulebooks I noticed a problem right away. What happens if I need credential information? Typically I try to keep my credentials out of vault and in a password manager.
However, with EDA and custom credentials the barrier to bringing credentials in is very low. We’ll cover creating a custom credential that gets called in via extra vars. This is a small but important part of my talk at Red Hat Summit 2026.
Creating the credential in AAP
In AAP, select EDA controller, then Credential Types. Create a new type.
In this example I am creating a set of AWS access keys to consume messages from an SQS queue.
fields:
  - id: aws_access_key_id
    type: string
    label: AWS Access Key ID
  - id: aws_secret_access_key
    type: string
    label: AWS Secret Access Key
    secret: true
  - id: aws_region
    type: string
    label: AWS Region
required:
  - aws_access_key_id
  - aws_secret_access_key
  - aws_region
I’ve marked all fields as required and flagged the secret access key as secret, which ensures it is encrypted at rest.
Once this is set up we can add the generated credentials to a credential in AAP.
In Credentials, add a new credential of the new custom type. This will allow us to call it in a rulebook.
Using the credentials in a rulebook
In the rulebook configuration, the credentials need to be added to extra vars, similar to the example below. I prefer to use JSON but YAML also works.
aws_access_key_id: "{{ aws_access_key_id }}"
aws_secret_access_key: "{{ aws_secret_access_key }}"
aws_region: "{{ aws_region }}"
Note: Once the rulebook is saved, the extra vars from vault are hidden and disappear from view.
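Because the extra vars disappear from view after saving, it is worth checking the credential type definition and the extra vars mapping before committing them. The following is an added example, not code from this post or from AAP: it takes the field schema and the extra vars mapping shown above (copied here as constructed Python dicts) and reports fields that look sensitive but lack secret: true, required ids that are not declared, and Jinja references to fields that do not exist.

```python
import re
from typing import Dict, List

# Constructed copy of the credential type input schema shown in this post.
CREDENTIAL_INPUTS = {
    "fields": [
        {"id": "aws_access_key_id", "type": "string", "label": "AWS Access Key ID"},
        {"id": "aws_secret_access_key", "type": "string",
         "label": "AWS Secret Access Key", "secret": True},
        {"id": "aws_region", "type": "string", "label": "AWS Region"},
    ],
    "required": ["aws_access_key_id", "aws_secret_access_key", "aws_region"],
}

# Constructed copy of the extra vars mapping shown in this post.
EXTRA_VARS = {
    "aws_access_key_id": "{{ aws_access_key_id }}",
    "aws_secret_access_key": "{{ aws_secret_access_key }}",
    "aws_region": "{{ aws_region }}",
}

# Field ids containing one of these words are expected to carry secret: true
# so that AAP encrypts them at rest. The word list is an assumption of this example.
SECRET_HINTS = ("secret", "password", "token", "private_key")
JINJA_VAR = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def check_credential_type(inputs: Dict, extra_vars: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the definition is sound."""
    problems: List[str] = []
    fields = {f["id"]: f for f in inputs.get("fields", [])}
    # 1. Every id listed under required must be a declared field.
    for req in inputs.get("required", []):
        if req not in fields:
            problems.append(f"required field '{req}' is not declared")
    # 2. Fields that look like secrets must be flagged, or they are stored in clear.
    for fid, field in fields.items():
        if any(h in fid.lower() for h in SECRET_HINTS) and not field.get("secret", False):
            problems.append(f"field '{fid}' looks sensitive but lacks secret: true")
    # 3. Every {{ var }} in the extra vars must refer to a declared field,
    #    otherwise the rulebook silently receives an empty value at runtime.
    for var_name, template in extra_vars.items():
        for ref in JINJA_VAR.findall(template):
            if ref not in fields:
                problems.append(f"extra var '{var_name}' references undeclared field '{ref}'")
    return problems


if __name__ == "__main__":
    print(check_credential_type(CREDENTIAL_INPUTS, EXTRA_VARS) or "no problems found")
```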
Almost ready. Let’s see an example rulebook that uses the extra vars we added. The queue URL is defined statically here, but it could also be passed in the same way if it is sensitive or does not include authentication.
- name: Listen for SQS events
  hosts: all
  sources:
    - ansible.eda.aws_sqs_queue:
        region: "{{ aws_region }}"
        access_key: "{{ aws_access_key_id }}"
        secret_key: "{{ aws_secret_access_key }}"
        queue_url: "https://sqs.us-east-1.amazonaws.com/123456789/my-queue"
        delay_seconds: 10
  rules:
    - name: Handle SQS message
      condition: event is defined
      action:
        run_job_template:
          name: MyJobTemplate
          organization: Default
That’s all for now! I hope one day it will be a bit less work to call in already created roles and modules to avoid the use of credentials or vault.
Thanks for reading. Feel free to reach out with questions or feedback.