Practice EX294 Manage inventories and credentials questions with full explanations on every answer.
Start practicing
Manage inventories and credentials — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
An administrator needs to store a secret API token in Ansible Automation Controller so that it can be used in job templates without exposing the token in plain text. Which type of credential should be used?
2A team uses Ansible Automation Controller with multiple organizations. Each organization has its own set of machines that require different SSH keys. The administrator wants to ensure that users from one organization cannot use credentials from another organization. What is the best way to achieve this isolation?
3An Ansible playbook uses the `ansible_password` variable to connect to a Windows host. The value is stored in an encrypted Ansible Vault file. Which credential type in Automation Controller would allow the vault password to be supplied at runtime?
4An administrator wants to create a custom credential type to store a third-party API key. The API key must be passed to the playbook as an environment variable `MY_API_KEY`. What is the correct Injector configuration in the custom credential type definition?
5A junior admin is troubleshooting why a job template fails with 'Permission denied' when connecting to a target host. The job template uses a machine credential that appears correct. What is the first thing to check?
6Which TWO of the following are valid methods to supply a credential password in Ansible Automation Controller?
7Which THREE of the following are best practices for managing credentials in Ansible Automation Controller?
8The inventory above is used in a job template in Automation Controller. The job template also has a machine credential assigned that specifies username 'root' and an SSH key. When the job runs against host web1, which username will Ansible use to connect?
9The job template running against host db1 uses a machine credential with an SSH key. The key is correctly configured in Automation Controller. However, the job fails with the error shown. What is the most likely cause?
10A company uses Ansible Automation Controller to manage a mix of Linux and Windows servers. Each server is in a separate inventory group. The Linux servers use SSH keys stored in machine credentials, and the Windows servers use username/password stored in machine credentials. Recently, a new security policy requires that all credentials must be rotated every 90 days. The automation team has 50 Linux servers and 20 Windows servers. They want to minimize manual effort and avoid exposing secrets in plain text during rotation. They currently have a Jenkins pipeline that can run scripts on the controller node. Which approach best meets the requirements?
11A system administrator is managing Ansible Tower and wants to use an Azure Resource Manager credential to provision virtual machines. However, the credential fails authentication with the error '401 Unauthorized'. Which action should the administrator take to resolve the issue?
12An Ansible Tower administrator needs to allow a team of developers to run playbooks against specific inventory groups without allowing them to modify the inventory or credentials. Which approach best satisfies the requirement?
13Which TWO statements about machine credentials in Ansible Tower are correct? (Choose two.)
14Refer to the exhibit. A user runs a playbook that creates hosts and then attempts to use a constructed inventory plugin. However, the constructed inventory does not group hosts by OS distribution. What is the most likely cause?
15A company manages its infrastructure using Ansible Tower. There are two teams: Team Alpha manages web servers in the 'webservers' group, and Team Beta manages database servers in the 'dbservers' group. Both teams need to use the same SSH credential to connect to their respective servers. The credential is stored in Tower as 'shared_ssh_key'. Team Alpha reports that they can launch jobs against the 'webservers' group, but Team Beta gets an error when trying to launch jobs against the 'dbservers' group: 'You do not have permission to use this credential.' Both teams are members of the same organization. The inventory is a single inventory source with separate groups. The credential has been assigned to the organization. What is the most likely cause of Team Beta's issue, and what is the correct solution?
16An administrator wants to use a custom inventory script to dynamically generate hosts in Ansible Tower. Which of the following is a valid approach to manage credentials for accessing the script's API?
17Which TWO of the following are valid methods to manage credentials in Ansible Tower?
18Drag and drop the steps to create and apply a simple Ansible playbook that installs httpd into the correct order.
19Drag and drop the steps to configure a systemd service to start automatically at boot in the correct order.
20Match each Linux file system path to its typical content.
21Match each storage concept to its description.
22A systems administrator needs to use a different SSH private key for a group of hosts in an Ansible inventory. Which inventory variable should be set at the group level?
23An Ansible Tower/AWX administrator wants to prevent users from viewing credential passwords in plain text. Which credential type should be used for SSH passwords?
24A DevOps engineer is designing a dynamic inventory script for a cloud provider. The script must return host variables in a specific JSON format. According to Ansible best practices, which top-level keys should be present in the script output?
25An Ansible administrator wants to use an encrypted vault file to store sensitive variables. Which command creates a new vault file and prompts for a password?
26A team uses Ansible AWX and needs to run a job template that uses a custom credential of type 'OpenStack' to authenticate to an OpenStack cloud. Which field in the job template is used to specify this credential?
27An Ansible playbook uses the `ansible_user` variable at the host level, but the SSH connection still uses root. Which configuration setting could override the playbook's user setting?
28A junior admin wants to remove a credential from Ansible Tower. Which role-based access control permission is required to delete a credential?
29An Ansible inventory file uses the `gce.py` dynamic inventory script for Google Cloud. After running the script, the inventory contains hosts but no variables. What is the most likely cause?
30An Ansible playbook uses a vault-encrypted variable `db_password` from a vars file. The playbook fails with 'Decryption failed' error. Which of the following could be the cause?
31A team is configuring an inventory to manage Windows hosts via Ansible. Which TWO inventory variables must be defined for each host?
32An Ansible Tower administrator needs to create a custom credential type that uses an SSH private key and a username. Which THREE components should be defined in the credential type's configuration?
33An Ansible playbook uses the `fetch` module to retrieve files from managed hosts. Which TWO inventory variables are commonly used to construct unique destination paths for each host?
34Refer to the exhibit. A playbook runs against the `web` group. What username will be used for host web2?
35Refer to the exhibit. An Ansible playbook targeting server1 fails with a permissions error when connecting. The administrator notices the SSH private key is being used. Which change will likely fix the issue?
36Refer to the exhibit. A playbook includes this vars file and runs `systemctl restart httpd`. The playbook fails because it cannot decrypt the vault. Which of the following is the most likely cause?
37A company uses a static inventory file for Ansible Tower. They need to add a new host to an existing group. Which action should they take?
38An administrator needs to store a database password securely for use in playbooks. Which credential type should they create?
39An organization has multiple inventories for different environments. They want to reuse a set of hosts across inventories without duplicating host definitions. Which feature should they use?
40A playbook requires a secret token that changes every hour. The token is stored in a password vault. Which setting should be used to have Tower retrieve the token at runtime?
41Ansible Tower is configured with a dynamic inventory source from VMware vCenter. The playbook needs to limit execution to hosts with a specific custom attribute. How should this be achieved?
42A team is using Ansible Tower with multiple credentials per job template. The playbook uses the 'become' method to escalate privileges on remote hosts. The become password is different from the SSH password. Which configuration ensures the become password is used?
43An organization uses multiple Satellite servers for inventory. They want to combine data from all satellites into one unified inventory in Ansible Tower. Which approach is best?
44A job template uses a custom credential type that injects environment variables for a third-party API. The credential input defines a field 'api_key'. The playbook uses {{ api_key }} but it's empty. What is the most likely cause?
45An Ansible Tower administrator notices that a job template using a dynamic inventory source from AWS EC2 is not updating when new instances are launched. The inventory source is set to update on launch. What is the most likely cause?
46Which TWO actions are valid for managing inventory group membership in Ansible Tower?
47Which THREE are valid credential types in Ansible Tower?
48Which THREE considerations are important when using dynamic inventories in Ansible Tower?
49An Ansible Tower administrator wants to allow a team to run playbooks against a set of production web servers without giving them direct SSH access to the hosts. Which inventory configuration approach should be used?
50A sysadmin receives an error when running a job template: 'ERROR! the role 'common' was not found in the specified roles path'. The role exists in a source control repository referenced in the project. What is the most likely cause?
51An organization uses multiple Ansible Automation Platform clusters in different geographies. Each cluster has its own set of credentials for different environments. An administrator needs to ensure that job templates launched in the EMEA cluster can only use EMEA-specific credentials, while the APAC cluster uses APAC-specific credentials, without duplicating job template definitions. What is the best approach?
52A junior admin created a custom credential type for a third-party API. When running a job that uses this credential, the job fails with 'type object 'Credentials' has no attribute' error. What is the most likely issue?
53An administrator needs to restrict access to an inventory so that only members of the 'WebTeam' can update its host variables and group memberships. Other users should be able to view the inventory but not modify it. Which role-based access control (RBAC) configuration should be applied?
54During a playbook run, the task 'debug: msg={{ ansible_facts.distribution }}' outputs 'CentOS' for a host. However, the host's inventory variable 'distribution' is set to 'RedHat'. The administrator expected the inventory variable to override the fact. What is the most likely cause of this behavior?
55An administrator needs to provide a set of credentials to a job template that requires a machine credential for SSH and a source control credential for the project. What is the correct way to associate these credentials?
56An inventory is sourced from an external dynamic inventory plugin. The plugin returns hosts with groups including 'webservers' and 'dbservers'. An administrator wants to add a custom variable to all hosts in the 'webservers' group without modifying the plugin script. How can this be achieved?
57An organization uses an external secrets management system (e.g., HashiCorp Vault) to store sensitive credentials. They want to integrate it with Ansible Automation Platform so that job templates automatically retrieve credentials from Vault without storing them in the AAP database. Which approach is supported?
58Which TWO statements about inventory groups in Ansible Automation Platform are correct? (Choose exactly two.)
59Which THREE considerations are important when designing a credential strategy in Ansible Automation Platform? (Choose exactly three.)
60Which THREE actions can an administrator perform using the inventory management features in Ansible Automation Platform? (Choose exactly three.)
61An Ansible Tower administrator needs to add a single host to an existing inventory. The host has a static IP address and requires SSH access with a specific username and private key. Which of the following is the correct approach?
62A system administrator maintains a dynamic inventory script that queries a cloud provider API to build host lists. The script returns valid JSON, but after importing into Ansible Tower, the inventory shows zero hosts. The script is executable and placed in the expected project directory. What is the most likely cause?
63An organization has multiple Ansible Tower projects that use different cloud providers. The security team mandates that cloud API credentials stored in Tower must have restricted access and be reusable across job templates without exposing the secret key. Which credential type and organization strategy best meets these requirements?
64A team uses a single Ansible Tower inventory called 'Production' containing hosts for multiple environments (dev, stage, prod). They want to apply different variables to hosts based on environment. Which inventory structure meets this requirement with minimal administrative overhead?
65Which TWO methods can be used to limit the hosts that a job template runs against when launching a job? (Choose exactly two.)
66Which THREE of the following are valid ways to define host variables in an Ansible inventory? (Choose exactly three.)
67Your organization uses Ansible Tower to manage a growing number of Linux servers. Currently, there is a single inventory called 'All Servers' that contains all hosts. A new project requires that certain sensitive variables (e.g., API keys) be stored securely and not exposed in job logs. The security team also wants to limit which users can use these credentials. You have been asked to implement a solution. After evaluating, you plan to create a custom credential type with a 'password' field for the API key and assign it to the job template. However, during a test run, the API key is still visible in the job output. What is the most likely reason?
68You are an Ansible Tower administrator for a company that uses a dynamic inventory script to pull hosts from AWS. The script has been working for months, but after a recent security update, the job template that uses this inventory fails with the error: 'ERROR! Unable to parse /path/to/inventory/script.py as an inventory source'. The script is executable and the path is correct. What is the most likely cause?
69Your team manages a large Ansible Tower environment with multiple organizations. Each organization has its own projects, inventories, and job templates. You need to create a set of cloud credentials (AWS access key) that can be used by any job template in any organization, but you want to restrict modification of the credential to only a few administrators. What is the best way to achieve this while maintaining flexibility?
70An Ansible Tower administrator notices that a job template fails intermittently with a 'Host unreachable' error for a specific group of servers. The inventory is static and the host entries have correct IPs. The credential used for SSH is a machine credential with a username and password, and it works for other hosts. Upon checking the job output, the error occurs during the 'Gathering Facts' step. The SSH service on these servers is running and reachable from the Tower node. What is the most likely cause?
71As an Ansible Tower administrator, you are tasked with setting up a job template that interacts with multiple cloud providers. The job template uses a custom credential type that includes two fields: 'api_token' (type password) and 'region' (type text). During a test run, the job fails with an error that the 'region' variable is not defined in the playbook. The playbook references {{ region }} and {{ api_token }}. You verified that the credential is assigned to the job template and the values are populated. What is the most likely issue?
72You manage an Ansible Tower instance that has multiple inventories synced from different sources (static, dynamic cloud, and satellite). Recently, a job template that uses an inventory synced from Red Hat Satellite fails with 'No hosts matched' even though hosts exist in Satellite. The inventory sync job runs successfully and shows hosts populated in Tower. The job template uses a limit field set to '*' and there are no tags or other filters. The playbook is simple: 'hosts: all'. What is the most likely cause?
73An administrator is configuring Ansible Tower for a multi-environment deployment. The team has separate Azure service principals for dev, test, and prod, and uses Ansible Vault to encrypt sensitive variables. Which TWO configuration practices ensure secure credential management and clear inventory separation?
74What is the most likely cause of the failure?
75An administrator is managing an Ansible Automation Platform deployment that runs job templates against a dynamic inventory sourced from VMware vCenter. The administrator updated the vCenter credentials in Tower after a password rotation. However, subsequent inventory syncs continue to fail with authentication errors. The administrator has confirmed that the new credentials work when tested directly on the controller node using the 'govc' CLI tool. The inventory source is configured to use the updated credential and the update_on_launch flag is set to true. Which action should the administrator take to resolve the issue?
The Manage inventories and credentials domain covers the key concepts tested in this area of the EX294 exam blueprint published by Red Hat. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all EX294 domains — no account required.
The Courseiva EX294 question bank contains 75 questions in the Manage inventories and credentials domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Manage inventories and credentials domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included