The slow drift toward the Red Hat Ansible Tower uncovers more and more compatibility issues, so I have to go back and revisit some decisions and make sure that the same code would fit both worlds.

Some six months ago, I posted a note on dynamic Ansible user configuration. The reason I have to do it: an independent set of credentials for the restricted environment, where a username is a derivative from the primary username. The solution works well with the Red Hat Ansible but has failed as a part of the Ansible Tower workflow.

The error message suggested that I have no account nor private keys to access my targets, even though I configured the template with all the appropriate SSH keys and security settings. I haven't dwelt much on that problem, but after a while, my brain came up with the insight: "The user on the Tower machine is not necessarily the same user I use to login Ansible Tower."

Now everything has fallen into place, and with extra variables populated for each job instance. I have fixed the job.

       ansible_user: "priv_{{ tower_user_name |default(lookup('env','USER')) }}"
Calculate username for the remote connection

The Ansible engine would try to use tower_user_name variable to calculate new credentials. And if it is not the Ansible Tower job, it will use a username from the controller environment.