
controller_roles state invalid error of an organization being required for credential objects #1099

@tenletters10

Summary

When using dispatch to process a controller_roles variable that is granting use and read permissions to a credential that does not have an organization set, it generates the following error:

Failed to grant role. You cannot grant credential access to a team when the Organization field isn't set, or belongs to a different organization invocation

If you access the UI and go to the credential without an Organization set, under "Team Access" and then "Add roles," you can grant the 'Credential Use' role to a team. Users in that team can use it without any issues.

This indicates that error handling for controller_roles is incorrect and credentials do not require an Organization to be set to grant a team access to use or read on a credential.

I tried a variety of role combinations with controller_roles (just read + use, read, and use), but they all generate the same invalid error.

Issue Type

  • Bug Report

Ansible, Collection, Controller details

ansible-core 2.16
Coming from this ee image - https://catalog.redhat.com/software/containers/ansible-automation-platform-25/ee-minimal-rhel9/650a567e82adff7ec49ffba5

collections added on top of ee image:
  - name: infra.aap_configuration
    version: 3.1.0
  - name: infra.aap_configuration_extended
    version: 1.0.0
  - name: ansible.eda
    version: 2.6.1
  - name: ansible.controller
    version: 4.6.11
  - name: ansible.platform
    version: 2.5.20250326
  - name: ansible.hub
    version: 1.0.0

Controller version 4.6.12
  • ansible installation method: EE

OS / ENVIRONMENT

EE image specified above talking directly to the Controller

Desired Behavior

Role is created for team to grant Use and Read access to the credential that does not have an organization set.

Actual Behavior

This error is generated when calling the dispatch role and supplying the following variable:

Failed to grant role. You cannot grant credential access to a team when the Organization field isn't set, or belongs to a different organization invocation

controller_roles:
  - team: Devs
    credentials:
      - Dev Git
      - Dev Container Registry
    roles:
      - read
      - use

GitHub is messing with the example above, but it is YAML content and I have attached a copy of it as well

controller_roles.txt

STEPS TO REPRODUCE

Explained above and also explained how in the UI this is allowed to be performed in the product and how to test that.
