m1yag1.globus.globus_auth module – Manage Globus Auth resources (projects, clients, and policies)

Note

This module is part of the m1yag1.globus collection (version 0.6.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install m1yag1.globus.

To use it in a playbook, specify: m1yag1.globus.globus_auth.

New in m1yag1.globus 1.0.0

Synopsis

  • Create and update Globus Auth projects and OAuth clients

  • Manage authentication policies for projects

  • Configure project membership and access controls

  • Requires manage_projects scope

  • NOTE: Deleting projects and OAuth clients currently requires high-assurance authentication (MFA within the last 30 minutes), so the module does not support state=absent for those resource types; delete them manually at https://app.globus.org/settings/developers. This is a known issue in Globus Auth that may be resolved in the future.

Parameters

Parameter

Comments

admin_group_ids

list / elements=string

List of Globus group IDs for project administrators (project only)

admin_ids

list / elements=string

List of Globus identity IDs for project administrators (project only)

auth_method

string

Authentication method to use.

If not specified, auto-detects based on available credentials.

When client_id and client_secret are provided, uses client_credentials.

Otherwise falls back to cli (reads tokens from globus-cli storage).

Choices:

  • "client_credentials"

  • "cli"

authentication_assurance_timeout

integer

Timeout in seconds for authentication assurance (policy only)

client_id

string

Globus Auth client ID for client_credentials authentication.

Can also be set via the GLOBUS_CLIENT_ID environment variable.

client_secret

string

Globus Auth client secret for client_credentials authentication.

Can also be set via the GLOBUS_CLIENT_SECRET environment variable.

client_type

string

Type of OAuth client to create (client only)

Choices:

  • "confidential_client"

  • "public_installed_client"

  • "client_identity"

  • "resource_server"

  • "globus_connect_server"

  • "hybrid_confidential_client_resource_server"

contact_email

string

Contact email (project only)

credential_output_file

path

Path to save client credentials JSON file (client only). The file contains the client secret; restrict its permissions to the automation user and keep it out of version control.

description

string

Description of the resource

domain_constraints_exclude

list / elements=string

List of prohibited authentication domains (policy only)

domain_constraints_include

list / elements=string

List of allowed authentication domains (policy only)

high_assurance

boolean

Require high assurance authentication (policy only)

Choices:

  • false ← (default)

  • true

name

string / required

Name/identifier for the resource (display_name for projects and policies)

preselect_idp

string

Pre-selected identity provider UUID (client only)

privacy_policy

string

URL to privacy policy (client only)

project_id

string

Project ID (required for policy resources)

redirect_uris

list / elements=string

List of OAuth redirect URIs (client only)

required_idp

string

Required identity provider UUID (client only)

resource_id

string

ID of existing resource (project_id or policy_id for updates)

resource_type

string / required

Type of auth resource to manage

Choices:

  • "project"

  • "policy"

  • "client"

scopes

list / elements=string

List of scope strings the client is allowed to request (client only)

state

string

Desired state of the resource. absent is currently supported only for policies; projects and OAuth clients must be deleted manually (see the note in the Synopsis).

Choices:

  • "present" ← (default)

  • "absent"

terms_and_conditions

string

URL to terms and conditions (client only)

visibility

string

Client visibility (client only)

Choices:

  • "public"

  • "private" ← (default)
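
The policy parameters above (high_assurance, authentication_assurance_timeout, domain_constraints_include, domain_constraints_exclude) are only described one field at a time. The following is an added example, not code from the m1yag1.globus collection or from Globus: a local model of how those fields combine against a user's linked identities, so you can see which field would block a login before attaching a policy to a project. Its semantics are assumptions for illustration (an identity satisfies an include entry if its domain equals it or is a subdomain of it; exclude removes matching identities; high_assurance requires an identity that authenticated with MFA within the timeout; a high-assurance policy with no timeout fails closed). The authoritative evaluation is done server-side by Globus Auth.

```python
"""Local model of how the policy fields on this page combine (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Identity:
    username: str        # e.g. "alice@university.edu"; the domain is the part after '@'
    last_auth_at: float  # epoch seconds of the most recent login with this identity
    mfa: bool = False    # whether that login used a second factor

    @property
    def domain(self) -> str:
        return self.username.rsplit("@", 1)[-1].lower()


@dataclass
class Policy:
    high_assurance: bool = False
    authentication_assurance_timeout: int | None = None   # seconds
    domain_constraints_include: list[str] = field(default_factory=list)
    domain_constraints_exclude: list[str] = field(default_factory=list)


def domain_matches(domain: str, constraint: str) -> bool:
    """Exact match or subdomain: cs.university.edu satisfies university.edu (assumed)."""
    c = constraint.lower().lstrip(".")
    return domain == c or domain.endswith("." + c)


def evaluate(policy: Policy, identities: list[Identity], now: float) -> tuple[bool, str]:
    """Return (allowed, reason). Each check narrows the set of identities that can
    satisfy the policy; the first check that empties it is the reason for denial."""
    candidates = list(identities)
    if policy.domain_constraints_include:
        candidates = [i for i in candidates
                      if any(domain_matches(i.domain, c) for c in policy.domain_constraints_include)]
        if not candidates:
            return False, "no linked identity in an allowed domain"
    if policy.domain_constraints_exclude:
        # An exclude entry that is not inside an include entry never changes the outcome.
        candidates = [i for i in candidates
                      if not any(domain_matches(i.domain, c) for c in policy.domain_constraints_exclude)]
        if not candidates:
            return False, "all remaining identities are in a prohibited domain"
    if policy.high_assurance:
        timeout = policy.authentication_assurance_timeout
        if timeout is None:
            # Fail closed: a high-assurance policy with no freshness window is a misconfiguration here.
            return False, "high_assurance set without authentication_assurance_timeout"
        fresh = [i for i in candidates if i.mfa and now - i.last_auth_at <= timeout]
        if not fresh:
            return False, f"no qualifying identity authenticated with MFA in the last {timeout}s"
    return True, "policy satisfied"


def demo() -> dict[str, bool]:
    """The two policies from the examples on this page, run against constructed users."""
    now = 1_700_000_000.0
    high_security = Policy(high_assurance=True, authentication_assurance_timeout=3600)
    university_only = Policy(domain_constraints_include=["university.edu", "research.org"],
                             domain_constraints_exclude=["gmail.com"])
    alice_fresh = [Identity("alice@university.edu", now - 600, mfa=True)]
    alice_stale = [Identity("alice@university.edu", now - 7200, mfa=True)]
    alice_no_mfa = [Identity("alice@university.edu", now - 600, mfa=False)]
    bob_gmail_only = [Identity("bob@gmail.com", now)]
    bob_linked = [Identity("bob@gmail.com", now), Identity("bob@cs.university.edu", now)]
    return {
        "high_security/alice_fresh": evaluate(high_security, alice_fresh, now)[0],
        "high_security/alice_stale": evaluate(high_security, alice_stale, now)[0],
        "high_security/alice_no_mfa": evaluate(high_security, alice_no_mfa, now)[0],
        "university_only/bob_gmail_only": evaluate(university_only, bob_gmail_only, now)[0],
        "university_only/bob_linked": evaluate(university_only, bob_linked, now)[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allow' if allowed else 'deny'}")
```

Under this model the gmail.com exclude in the "University Only Policy" example is redundant, because the include list already leaves only university.edu and research.org identities; an exclude list only changes the result when it names a domain the include list would otherwise admit, or when no include list is set.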

Notes

  • Authentication is required for all Globus API operations.

  • For client_credentials auth, register a confidential client at https://developers.globus.org.

  • For cli auth, run globus login first to cache tokens.

  • The cli method reads tokens from ~/.globus/cli/storage.db.

  • For cli auth with multiple profiles, set GLOBUS_PROFILE environment variable.

  • Set GLOBUS_SDK_ENVIRONMENT to sandbox or test for non-production environments.
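
The auth_method parameter and the notes above describe the auto-detection order (client_id plus client_secret selects client_credentials, otherwise cli tokens cached by globus login, selected by GLOBUS_PROFILE and GLOBUS_SDK_ENVIRONMENT). The following is an added example, not code from the m1yag1.globus collection or globus-cli: a pre-flight resolver that applies that precedence and adds two checks a practitioner wants before a play runs. A half-supplied credential pair is rejected instead of silently falling back to whichever operator's CLI login happens to be cached, and the cached Auth API token is checked for expiry. The sqlite layout (table token_storage with namespace, resource_server and token_data_json columns) is the layout assumed here for globus-sdk's SQLiteAdapter, and the namespace scheme userprofile/<environment>[/<GLOBUS_PROFILE>] is an assumption about globus-cli; the storage database in the demo is constructed with fake token data.

```python
"""Decide which Globus auth method a run will use and whether cached CLI tokens
are usable (added example; layout assumptions are noted inline)."""
from __future__ import annotations

import json
import sqlite3
import tempfile
import time
from contextlib import closing
from dataclasses import dataclass
from pathlib import Path

# Resource server under which globus-cli stores the Auth API token (assumed).
AUTH_RESOURCE_SERVER = "auth.globus.org"


@dataclass
class AuthDecision:
    method: str   # "client_credentials" or "cli"
    detail: str   # why this method was chosen


def resolve_auth_method(params: dict, env: dict) -> AuthDecision:
    """Documented precedence: explicit auth_method, then a full credential pair,
    then cli. Module params win over GLOBUS_CLIENT_ID / GLOBUS_CLIENT_SECRET."""
    client_id = params.get("client_id") or env.get("GLOBUS_CLIENT_ID")
    client_secret = params.get("client_secret") or env.get("GLOBUS_CLIENT_SECRET")
    requested = params.get("auth_method")
    if requested not in (None, "client_credentials", "cli"):
        raise ValueError(f"unknown auth_method {requested!r}")

    have_both = bool(client_id and client_secret)
    if requested == "client_credentials" or (requested is None and have_both):
        if not have_both:
            raise ValueError("client_credentials needs both client_id and client_secret")
        return AuthDecision("client_credentials", f"using client {client_id}")

    # Half a credential pair is a misconfiguration. Do not quietly run the play
    # under whichever operator happens to have a cached CLI login.
    if requested is None and bool(client_id) != bool(client_secret):
        raise ValueError("only one of client_id/client_secret set; not falling back to cli")
    return AuthDecision("cli", "no client credentials supplied; using globus-cli token storage")


def cli_namespace(env: dict) -> str:
    """Assumed globus-cli scheme: userprofile/<environment>[/<GLOBUS_PROFILE>]."""
    sdk_env = env.get("GLOBUS_SDK_ENVIRONMENT", "production")
    profile = env.get("GLOBUS_PROFILE")
    return f"userprofile/{sdk_env}/{profile}" if profile else f"userprofile/{sdk_env}"


def cli_token_status(storage_db: Path, env: dict, now: float | None = None) -> str:
    """'valid', 'expired' or 'missing' for the cached Auth API token of this profile."""
    now = time.time() if now is None else now
    if not storage_db.exists():
        return "missing"
    with closing(sqlite3.connect(storage_db)) as conn:
        row = conn.execute(
            "SELECT token_data_json FROM token_storage "
            "WHERE namespace = ? AND resource_server = ?",
            (cli_namespace(env), AUTH_RESOURCE_SERVER),
        ).fetchone()
    if row is None:
        return "missing"
    expires = json.loads(row[0]).get("expires_at_seconds", 0)
    return "valid" if expires > now else "expired"


def build_sample_storage(path: Path, namespace: str, expires_at: float) -> None:
    """Constructed stand-in for ~/.globus/cli/storage.db holding a fake token.
    Table layout is the one assumed for globus-sdk's SQLiteAdapter."""
    with closing(sqlite3.connect(path)) as conn:
        with conn:  # commit on success
            conn.execute(
                "CREATE TABLE IF NOT EXISTS token_storage ("
                "namespace VARCHAR NOT NULL, resource_server VARCHAR NOT NULL, "
                "token_data_json VARCHAR NOT NULL, PRIMARY KEY (namespace, resource_server))"
            )
            token = {"access_token": "constructed-not-a-real-token",
                     "expires_at_seconds": expires_at}
            conn.execute("INSERT OR REPLACE INTO token_storage VALUES (?, ?, ?)",
                         (namespace, AUTH_RESOURCE_SERVER, json.dumps(token)))


def demo() -> dict:
    """Constructed scenarios: a fresh token under profile 'ops', a stale default token."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "storage.db"
        build_sample_storage(db, "userprofile/production/ops", now + 3600)
        build_sample_storage(db, "userprofile/production", now - 60)
        return {
            "explicit_creds": resolve_auth_method({"client_id": "id", "client_secret": "s"}, {}).method,
            "env_creds": resolve_auth_method({}, {"GLOBUS_CLIENT_ID": "id", "GLOBUS_CLIENT_SECRET": "s"}).method,
            "fallback": resolve_auth_method({}, {}).method,
            "ops_token": cli_token_status(db, {"GLOBUS_PROFILE": "ops"}, now),
            "default_token": cli_token_status(db, {}, now),
            "sandbox_token": cli_token_status(db, {"GLOBUS_SDK_ENVIRONMENT": "sandbox"}, now),
        }


if __name__ == "__main__":
    print(demo())
```

Run against the real ~/.globus/cli/storage.db with your own environment, the resolver tells you before the first API call whether the play would use a service account or the current user's login, and whether that login has gone stale; an "expired" result means globus login has to be rerun, and a "missing" result under a profile usually means GLOBUS_PROFILE points at a profile that never logged in.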

See Also

Globus Auth Documentation

Official Globus authentication documentation

Globus CLI

Command-line interface for Globus

Examples

# Project Management
- name: Create a Globus Auth project
  m1yag1.globus.globus_auth:
    resource_type: project
    name: "Research Data Project"
    contact_email: "admin@example.org"
    description: "Project for managing research data transfers"
    admin_ids:
      - "ae341a98-d274-11e5-b888-dbae3a8ba545"
    state: present

- name: Update project administrators
  m1yag1.globus.globus_auth:
    resource_type: project
    name: "Research Data Project"
    admin_ids:
      - "ae341a98-d274-11e5-b888-dbae3a8ba545"
      - "b1234567-d274-11e5-b888-dbae3a8ba545"
    admin_group_ids:
      - "c7890abc-d274-11e5-b888-dbae3a8ba545"
    state: present

# NOTE: Project deletion currently requires high-assurance authentication (MFA within 30 min)
# due to a known bug in Globus Auth. This may be resolved in a future release.
# For now, projects must be deleted manually at https://app.globus.org/settings/developers
# state: absent is temporarily not supported for projects

# Policy Management
- name: Create high assurance policy for project
  m1yag1.globus.globus_auth:
    resource_type: policy
    project_id: "abc123-def456-ghi789"
    name: "High Security Policy"
    description: "Requires high assurance authentication"
    high_assurance: true
    authentication_assurance_timeout: 3600
    state: present

- name: Create domain-restricted policy
  m1yag1.globus.globus_auth:
    resource_type: policy
    project_id: "abc123-def456-ghi789"
    name: "University Only Policy"
    description: "Only allow university domains"
    domain_constraints_include:
      - "university.edu"
      - "research.org"
    domain_constraints_exclude:
      - "gmail.com"
    state: present

- name: Delete a policy
  m1yag1.globus.globus_auth:
    resource_type: policy
    project_id: "abc123-def456-ghi789"
    name: "Old Policy"
    state: absent

# Client Management
- name: Create service account (confidential client)
  m1yag1.globus.globus_auth:
    resource_type: client
    name: "Automation Service Account"
    project_id: "abc123-def456-ghi789"
    client_type: "confidential_client"
    redirect_uris:
      - "https://myapp.example.com/callback"
    visibility: "private"
    state: present
  register: service_account
  no_log: true  # Important: the registered result contains the client secret

# WARNING: this task prints the secret to stdout and to every callback plugin or
# log aggregator attached to the run; no_log on the previous task does not cover it.
# Use it only in an interactive session and prefer credential_output_file (below).
- name: Display client credentials (WARNING: Contains secrets!)
  ansible.builtin.debug:
    msg:
      - "Client ID: {{ service_account.client_id }}"
      - "Client Secret: {{ service_account.client_secret }}"
      - "SAVE THESE CREDENTIALS NOW - Secret cannot be retrieved later!"

- name: Create service account with credential file output
  m1yag1.globus.globus_auth:
    resource_type: client
    name: "Automation Service Account"
    project_id: "abc123-def456-ghi789"
    client_type: "confidential_client"
    redirect_uris:
      - "https://myapp.example.com/callback"
    # The file holds the client secret; restrict it to the automation user.
    credential_output_file: "/secure/path/client-credentials.json"
    state: present
  register: service_account
  no_log: true  # the registered result still contains the secret

- name: Create thick client (public installed client)
  m1yag1.globus.globus_auth:
    resource_type: client
    name: "Desktop Application"
    project_id: "abc123-def456-ghi789"
    client_type: "public_installed_client"
    redirect_uris:
      - "https://auth.globus.org/v2/web/auth-code"
    visibility: "public"
    state: present

- name: Create client identity for automation
  m1yag1.globus.globus_auth:
    resource_type: client
    name: "CI/CD Pipeline"
    project_id: "abc123-def456-ghi789"
    client_type: "client_identity"
    state: present

# NOTE: Client deletion currently requires high-assurance authentication (MFA within 30 min)
# due to a known bug in Globus Auth. This may be resolved in a future release.
# For now, OAuth clients must be deleted manually at https://app.globus.org/settings/developers
# state: absent is temporarily not supported for OAuth clients

# Combined workflow
- name: Create project with policy
  block:
    - name: Create project
      m1yag1.globus.globus_auth:
        resource_type: project
        name: "Secure Research Project"
        contact_email: "admin@university.edu"
        description: "High-security research collaboration"
        admin_ids:
          - "ae341a98-d274-11e5-b888-dbae3a8ba545"
        state: present
      register: project

    - name: Create security policy for project
      m1yag1.globus.globus_auth:
        resource_type: policy
        project_id: "{{ project.resource_id }}"
        name: "Strict Security Policy"
        description: "High assurance with domain restrictions"
        high_assurance: true
        authentication_assurance_timeout: 1800
        domain_constraints_include:
          - "university.edu"
        state: present
Return Values

Common return values are documented in the Ansible documentation; the following are the fields unique to this module:

Key

Description

changed

boolean

Whether the resource was changed

Returned: always

client_credentials

dictionary

Complete client credentials in multiple formats

Returned: when resource_type=client and state=present

  ansible_env

  string

  Ansible environment variable format

  Returned: success

  client_id

  string

  OAuth client ID

  Returned: success

  client_secret

  string

  OAuth client secret (if applicable)

  Returned: success

  json_file

  string

  Path to saved JSON file (if credential_output_file was specified)

  Returned: success

  shell_export

  string

  Shell export command format

  Returned: success

client_id

string

OAuth client ID (for clients)

Returned: when resource_type=client and state=present

client_secret

string

OAuth client secret (for confidential clients)

Returned: when resource_type=client and state=present and client has secret

name

string

Name of the resource

Returned: always

project_id

string

Associated project ID (for policies and clients)

Returned: when resource_type in [policy, client]

resource_id

string

ID of the created/managed resource

Returned: when state=present

resource_type

string

Type of resource (project, policy, or client)

Returned: always

warning

string

Important warnings about credential management

Returned: when resource_type=client and state=present

Authors

  • m1yag1