The slow drift toward the Red Hat Ansible Tower uncovers more and more compatibility issues, so I have to go back and revisit some decisions and make sure that the same code would fit both worlds.
Some six months ago, I posted a note on dynamic Ansible user configuration. The reason I have to do it: an independent set of credentials for the restricted environment, where a username is a derivative from the primary username. The solution works well with the Red Hat Ansible but has failed as a part of the Ansible Tower workflow.
The error message suggested that I have no account nor private keys to access my targets, even though I configured the template with all the appropriate SSH keys and security settings. I haven't dwelt much on that problem, but after a while, my brain came up with the insight: "The user on the Tower machine is not necessarily the same user I use to login Ansible Tower."
Now everything has fallen into place, and with extra variables populated for each job instance. I have fixed the job.
The Ansible engine would try to use tower_user_name variable to calculate new credentials. And if it is not the Ansible Tower job, it will use a username from the controller environment.