CCNA Deploy Ansible Automation Platform Questions

42 questions · Deploy Ansible Automation Platform · All types, answers revealed

1
Multi-Select · easy

Which TWO statements are true regarding the deployment of Ansible Automation Platform in a highly available configuration?

Select 2 answers
A. The automation hub requires an external PostgreSQL database to store collections and execution environments.
B. Execution nodes must have direct network access to the automation controller database.
C. The automation controller requires a PostgreSQL database that must be configured with replication for high availability.
D. The automation controller can use an embedded SQLite database for production deployments.
E. The automation mesh component is used to provide resilient, fault-tolerant execution across multiple nodes.
Answers: C, E

Correct: A highly available automation controller requires a highly available PostgreSQL database.

Why this answer

Option C is correct because the automation controller in Ansible Automation Platform requires a PostgreSQL database, and for high availability (HA), that database must be configured with replication (e.g., streaming replication or Patroni) to ensure failover and data durability. Without database replication, a single database instance becomes a single point of failure, defeating the purpose of an HA deployment.

Exam trap

The trap here is that candidates often confuse the storage backend for automation hub (thinking it requires an external database for content storage) or assume execution nodes need direct database access, when in reality the architecture separates database access to the controller and uses API-based communication for execution nodes.

2
MCQ · hard

A job template runs successfully on some hosts but fails on others with 'Permission denied' for the same task. The admin has verified that the credential is correct. What is the most likely cause?

A. The package repository is not accessible from those hosts.
B. The privilege escalation method (become method) differs among hosts.
C. The credential's username is incorrect for some hosts.
D. The SSH key is not accepted on some hosts.
Answer: B

Hosts may have different sudo configurations; the become method in the job template might not work on all hosts.

Why this answer

B is correct because the 'Permission denied' error on a task that runs successfully on some hosts but not others, despite a verified credential, typically indicates a privilege escalation issue. The become method (e.g., sudo, su, pbrun) may be configured differently or unsupported on the failing hosts, causing Ansible to fail when attempting to escalate privileges for the task. Since the credential is correct, the failure occurs during the become process, not authentication.

Exam trap

The trap here is that candidates often assume 'Permission denied' always means an SSH key or credential issue, overlooking that privilege escalation (become) is a separate step that can fail even when the initial SSH connection succeeds.

How to eliminate wrong answers

Option A is wrong because a package repository being inaccessible would cause a different error (e.g., 'Could not resolve host' or 'Failed to download metadata'), not 'Permission denied' for a task. Option C is wrong because the admin has verified the credential is correct, so the username is not incorrect; a wrong username would cause an authentication failure, not a permission error after authentication. Option D is wrong because an SSH key not being accepted would cause an SSH connection failure (e.g., 'Permission denied (publickey)') before any task runs, not a 'Permission denied' error on a specific task after connection is established.

3
Multi-Select · medium

An organization is designing a high-availability Automation Platform deployment. Which TWO practices are essential for achieving high availability?

Select 2 answers
A. Use a single instance of PostgreSQL on the controller node.
B. Installation on a single powerful node.
C. Deploy multiple automation controllers behind a load balancer.
D. Store all secrets in the Automation Platform vault.
E. Use an external PostgreSQL database with replication.
Answers: C, E

Provides controller failover.

Why this answer

Option C is correct because deploying multiple automation controllers behind a load balancer distributes workload and provides failover: if one controller fails, the load balancer redirects traffic to healthy nodes, ensuring continuous job execution and API availability. This is a core high-availability pattern for Ansible Automation Platform, as the controllers are stateless and can share the same database and project storage.

Exam trap

The trap here is that candidates confuse 'high availability' with 'performance scaling' or 'security hardening', leading them to select a single powerful node (Option B) or vault storage (Option D) instead of recognizing that redundancy of both controllers and the database is required.

4
MCQ · easy

A systems administrator is installing Ansible Automation Platform on a Red Hat Enterprise Linux 9 server. They download the installer tarball and run `./setup.sh`. The installation fails with an error indicating that the database password is incorrect. What is the most likely cause?

A. The `admin_password` variable in the inventory file does not match the PostgreSQL password.
B. The `bootstrap.yml` file has an incorrect value for `pg_password`.
C. The PostgreSQL server is not listening on the expected port.
D. The license file has not been placed in the installer directory.
Answer: A

The inventory file specifies the database password for the setup process.

Why this answer

Option A is correct because the `admin_password` variable in the AAP installer inventory file (typically `inventory` or `hosts`) sets the password for the AAP admin user, not the PostgreSQL database password. The database password is set by the `pg_password` variable. If `admin_password` is incorrectly used where `pg_password` is expected, or if the two are mismatched, the installer will fail with a 'database password is incorrect' error during the database connection check.

Exam trap

The trap here is that candidates confuse the AAP admin password (`admin_password`) with the PostgreSQL database password (`pg_password`), assuming a single password controls both, when in fact they are separate variables in the inventory file.

How to eliminate wrong answers

Option B is wrong because `bootstrap.yml` is not a standard file in the AAP installer; the database password is configured in the inventory file, not in a `bootstrap.yml`. Option C is wrong because a PostgreSQL server not listening on the expected port would produce a connection timeout or 'could not connect to server' error, not a 'password is incorrect' error. Option D is wrong because the license file is only required for initial login to the AAP web UI after installation; its absence does not cause a database password error during `setup.sh`.

5
MCQ · easy

An admin needs to restrict which users can launch specific job templates. Which AAP feature should be used?

A. Execution environments with custom modules.
B. Machine credentials with different users.
C. Inventory groups with host restrictions.
D. Role-based access control (RBAC) on job templates.
Answer: D

RBAC can assign permissions to users/teams for specific job templates.

Why this answer

Role-based access control (RBAC) on job templates is the correct feature because it allows an administrator to assign specific permissions (e.g., execute, read, or admin) to users or teams for individual job templates in Ansible Automation Platform (AAP). This directly restricts which users can launch specific job templates without affecting other resources.

Exam trap

The trap here is that candidates confuse operational features (like execution environments or credentials) with access control mechanisms, assuming that restricting execution environments or credentials indirectly controls user access, when AAP explicitly uses RBAC for granular user permissions on job templates.

How to eliminate wrong answers

Option A is wrong because execution environments are containerized runtime environments for Ansible playbooks, not a mechanism for user-level access control; custom modules extend functionality but do not restrict job template launches. Option B is wrong because machine credentials authenticate to target hosts (e.g., SSH keys or passwords) and do not control which users can launch job templates in AAP. Option C is wrong because inventory groups organize hosts for targeting playbooks, but they do not enforce user permissions on job templates; host restrictions limit which hosts are affected, not who can launch the job.

6
MCQ · medium

A company is deploying Ansible Automation Platform (AAP) in a three-node cluster: one automation controller node, one private automation hub node, and one database node (PostgreSQL). The deployment uses an execution environment that pulls from the private automation hub. After a successful installation, all nodes are reachable and services are running. However, when launching a job template that uses the execution environment, the job fails with the error: 'Unable to pull execution environment image from automation-hub.example.com:5000/ee/my-ee:latest - request to registry failed with status 403 Forbidden'. The administrator confirms that the execution environment image exists in the private automation hub and that the automation controller node can reach the registry via curl. What is the most likely cause and solution?

A. The private automation hub is configured to allow unauthenticated access; change the hub configuration to disable authentication.
B. SELinux on the controller node is blocking container pulls; temporarily set SELinux to permissive.
C. Create a container registry credential in automation controller that uses the pull token from private automation hub, and associate it with the execution environment.
D. The execution environment definition in the controller is missing the 'pull' field; add 'pull: always' to the job template.
Answer: C

A valid credential is required to authenticate and pull the image.

Why this answer

Option D is correct. The 403 Forbidden error indicates an authentication issue. The automation controller needs a container registry credential to authenticate with the private automation hub.

Although the image exists and network connectivity works, the controller must have the correct credentials configured. Option A is wrong because SELinux is not blocking pull requests; it would cause different errors. Option B is wrong because the execution environment is configured, but the credential is missing.

Option C is wrong because unauthenticated access is not typically allowed in a production setup.

7
MCQ · easy

A junior administrator is deploying Ansible Automation Platform (AAP) 2.3 on a fresh RHEL 9 server. They have downloaded the installer and edited the inventory file. The installation fails early in the process with: `TASK [private_automation_hub : Check that server_url has been configured]` and the error message: `FAILED - Could not connect to the Automation Hub server`. The inventory file has the following relevant lines: `automationhub_server_url=https://hub.example.com:443` and `automationhub_validate_certs=false`. The server `hub.example.com` is reachable from the installation node and responds with a 404 on the root path. The admin verified that the SSL certificate is self-signed. What should the admin do to resolve the issue?

A. Ensure that the hostname resolves to the correct IP address.
B. Add an `automationhub_token` value from the hub server.
C. Set `automationhub_validate_certs=true` and provide a CA certificate bundle.
D. Set `automationhub_server_url=https://hub.example.com/api/galaxy` to match the expected API path.
Answer: D

The hub server expects the API endpoint at `/api/galaxy/`.

Why this answer

Option D is correct because the Automation Hub server URL must point to the API endpoint, not the root path. The installer's `private_automation_hub` role checks for a valid response from `automationhub_server_url/api/galaxy/content/`, and a 404 on the root indicates the server is running but the URL is misconfigured. Setting the URL to `https://hub.example.com/api/galaxy` aligns with the expected API path, allowing the connectivity check to succeed.

Exam trap

The trap here is that candidates assume a reachable server with a self-signed certificate implies an SSL validation issue, but the actual problem is a URL path mismatch that the installer's connectivity check explicitly tests for.

How to eliminate wrong answers

Option A is wrong because the admin already verified that `hub.example.com` is reachable and responds, so DNS resolution is not the issue. Option B is wrong because the `automationhub_token` is used for authentication to sync content, not for the initial connectivity check that validates the server URL. Option C is wrong because the error is a 404 response, not an SSL validation failure; setting `validate_certs=true` would not resolve a path mismatch and could introduce a certificate error if no CA bundle is provided.

8
Multi-Select · hard

Which THREE of the following are core components of Automation Platform that are installed by default in a standard setup?

Select 3 answers
A. Red Hat Enterprise Linux
B. Automation controller
C. Automation mesh (node type)
D. Private Automation Hub
E. Ansible Core
Answers: B, C, D

The central component for running automation jobs.

Why this answer

Option B is correct because Automation controller (formerly Ansible Tower) is the web-based UI and REST API platform that provides role-based access control, job scheduling, and inventory management for Ansible automation. It is installed by default as part of a standard Red Hat Ansible Automation Platform setup to serve as the central control plane.

Exam trap

The trap here is that candidates often confuse Ansible Core (the CLI engine) with a default platform component, but it is actually a runtime dependency that is not installed as a separate service in a standard Automation Platform deployment.

9
Multi-Select · medium

Which TWO are valid methods to back up an Ansible Automation Controller installation? (Choose two.)

Select 2 answers
A. Perform a `pg_dump` of the PostgreSQL database and copy `/var/lib/awx` files.
B. Use the controller UI to export configuration via `dumpconfig`.
C. Execute `awx-manage backup` on the controller node.
D. Run `./setup.sh -b` from the installer directory.
E. Use `invoke-rc.d automation-controller backup`.
Answers: A, D

Manual backup of database and project data.

Why this answer

Option A is correct because backing up an Ansible Automation Controller installation requires preserving both the PostgreSQL database and the file system. The `pg_dump` command creates a logical backup of the database, while copying `/var/lib/awx` captures critical configuration files, job artifacts, and credentials stored on disk. This combination ensures a complete restore capability.

Exam trap

The trap here is that candidates may confuse `awx-manage` commands with valid backup utilities, or assume that a UI export function exists, when in fact the only supported backup methods are database dumps plus file system copies or the installer's built-in backup flag.

10
Multi-Select · hard

Which TWO should be configured to enable centralized logging from multiple Automation Controller nodes to an external Elasticsearch cluster? (Choose two.)

Select 2 answers
A. Configure `logrotate` to ensure logs are not truncated before being sent.
B. Set up `rsyslog` on each node to forward application logs to Elasticsearch.
C. Install and configure `filebeat` on each controller node as a sidecar service.
D. Configure a logging aggregator in the controller's system settings to point to the Elasticsearch endpoint.
E. Enable the `CALLBACK_RECEIVER` log level to ensure callback logs are collected.
Answers: D, E

The aggregator setting sends logs to external systems.

Why this answer

Option D is correct because Automation Controller (formerly Ansible Tower) provides a built-in logging aggregator configuration in its system settings. By specifying the Elasticsearch endpoint there, the controller itself handles forwarding all relevant job and system logs from every node to the external Elasticsearch cluster, without requiring per-node agents.

Exam trap

The trap here is that candidates assume a separate log shipper like filebeat or rsyslog is required, but Automation Controller has a native logging aggregator that directly sends logs to Elasticsearch, making those external agents redundant.

11
MCQ · hard

An enterprise is running Ansible Automation Platform with automation mesh across three data centers. Each data center has a control node and multiple execution nodes. The mesh topology is set up with `node_type: control` for control nodes and `node_type: execution` for execution nodes. The nodes in DC2 can reach nodes in DC1 and DC3, but DC1 and DC3 cannot directly reach each other. The admin notices that jobs that require execution on DC3 are being scheduled on DC1 or DC2, causing slow performance. The admin checks the mesh node list and sees all nodes are healthy. What should the admin do to ensure jobs are executed geographically closest to the target nodes?

A. Establish a direct VPN link between DC1 and DC3 to reduce latency.
B. Change the `node_type` of DC3 execution nodes to `control` to make them preferred.
C. Create host labels to tag nodes by data center and assign job templates accordingly.
D. Configure `node_policy` to set `topology=dc3` on execution nodes in DC3 so the controller can route jobs based on proximity.
Answer: D

Node policy helps controller select nodes based on network topology.

Why this answer

Option D is correct because `node_policy` with `topology` allows administrators to define geographic or logical proximity hints for execution nodes. By setting `topology=dc3` on DC3 nodes, the automation controller can intelligently route jobs to the nearest available execution node, reducing latency without requiring direct network connectivity between DC1 and DC3.

Exam trap

The trap here is that candidates confuse network-level solutions (VPN) or static labeling (host labels) with the dynamic, controller-driven routing provided by `node_policy`, which is the intended mechanism for geographic job placement in automation mesh.

How to eliminate wrong answers

Option A is wrong because establishing a direct VPN link addresses network connectivity but does not influence the controller's job routing logic; jobs would still be scheduled on any healthy node regardless of proximity. Option B is wrong because changing `node_type` to `control` would make DC3 nodes control nodes, which are not designed for job execution and would break the mesh topology, not improve job placement. Option C is wrong because host labels and job template assignments are static and require manual intervention; they do not dynamically route jobs based on geographic proximity or mesh topology.

12
MCQ · medium

An organization uses Ansible Automation Controller. They have an inventory source that syncs from a Git repository containing `inventory/hosts.yml`. The job template uses this inventory. Recently, the inventory stopped updating. The admin checks the job logs and sees: `ERROR! Could not update inventory source: invalid inventory source definition`. What is the most likely issue?

A. The Git repository is unreachable due to network issues.
B. The project that contains the playbook has been deleted.
C. The machine credential stored in the controller has expired.
D. The inventory file `hosts.yml` has a syntax error, such as a missing colon.
Answer: D

Invalid inventory definition due to YAML error.

Why this answer

The error message 'invalid inventory source definition' indicates that the inventory file itself is malformed, not that there is a connectivity or credential issue. In Ansible Automation Controller, when an inventory source syncs from a Git repository, the controller parses the inventory file (e.g., `hosts.yml`) according to YAML syntax rules. A missing colon would break the YAML structure, causing the controller to reject the file as invalid, which matches the error.

Exam trap

The trap here is that candidates often confuse 'invalid inventory source definition' with connectivity or credential issues, but the error specifically points to a malformed inventory file, not a network or authentication problem.

How to eliminate wrong answers

Option A is wrong because a network issue would produce an error like 'Could not resolve host' or 'Connection refused', not 'invalid inventory source definition'. Option B is wrong because deleting the project would cause a 'Project not found' error when the job template tries to reference it, not an inventory source parsing error. Option C is wrong because an expired machine credential would result in an authentication failure (e.g., 'Permission denied' or 'Authentication failed') during the sync process, not a definition error.

13
MCQ · medium

An admin attempts to run this playbook as a job template in AAP. The job fails with 'ERROR! 'now' is not a valid attribute for a task'. What is the issue?

A. The template task is missing quotes around the file paths.
B. The playbook has an incorrect indentation in the tasks block.
C. The 'become' directive is placed incorrectly at the play level.
D. The 'now' attribute does not exist; it may be a typo for 'notify' or should be removed.
Answer: D

'now' is not a valid Ansible task attribute.

Why this answer

Option D is correct because the error message 'ERROR! 'now' is not a valid attribute for a task' indicates that Ansible does not recognize 'now' as a valid task attribute. The 'now' keyword is not a standard Ansible directive; it is likely a typo for 'notify' (used with handlers) or should be removed entirely. Ansible validates task attributes against a strict schema, and any unknown attribute causes a parsing failure.

Exam trap

The trap here is that candidates may misread 'now' as a valid Jinja2 filter or confuse it with a module parameter, but Ansible strictly validates task attributes at parse time, not runtime.

How to eliminate wrong answers

Option A is wrong because missing quotes around file paths would cause a syntax error or a 'file not found' error, not an 'invalid attribute' error. Option B is wrong because incorrect indentation in the tasks block would produce a YAML parsing error (e.g., 'mapping values are not allowed here'), not an attribute validation error. Option C is wrong because placing 'become' at the play level is valid and would not generate an error about 'now'; it would either work or cause a privilege escalation error, not an attribute error.

14
MCQ · easy

An admin wants to use custom Python modules in a job template without affecting the global controller environment. What should be used?

A. Install the modules globally on the controller.
B. Execution environment with custom collections.
C. Create a custom virtual environment and assign it to the job template.
D. Use a custom credential type that includes Python modules.
Answer: C

Custom virtualenvs provide isolated Python environments for specific jobs.

Why this answer

Option C is correct because custom Python modules must be isolated from the global controller environment to avoid conflicts. Ansible Tower/AWX allows you to create a custom virtual environment and assign it to a job template, ensuring that only the modules installed in that environment are used during job execution, leaving the global controller unaffected.

Exam trap

The trap here is that candidates confuse execution environments (which bundle Ansible collections and runtime) with Python virtual environments (which isolate Python packages), leading them to choose Option B instead of C.

How to eliminate wrong answers

Option A is wrong because installing modules globally on the controller would affect all job templates and potentially break existing automation due to dependency conflicts. Option B is wrong because execution environments with custom collections are used for Ansible content (roles, playbooks, collections), not for Python modules that are imported directly in custom scripts or modules. Option D is wrong because a custom credential type manages authentication credentials (e.g., SSH keys, API tokens) and cannot include or install Python modules.

15
MCQ · hard

A job template consistently fails with 'Authentication failed' for a managed host. The admin has verified that the username/password in the credential is correct and that the host is reachable. What is the most likely remaining cause?

A. The credential is not linked to the job template.
B. The SSH private key has not been added to the credential.
C. The username in the credential is misspelled.
D. The host is not reachable on the network.
Answer: A

A credential must be explicitly assigned to the job template; otherwise, authentication fails.

Why this answer

The most likely remaining cause is that the credential is not linked to the job template. Even if the credential contains correct authentication data, the job template will not use it unless the credential is explicitly associated. Without this link, Ansible Tower/AWX cannot authenticate to the managed host, resulting in an 'Authentication failed' error.

Exam trap

The trap here is that candidates assume a valid credential in the system is automatically used by all job templates, but in Ansible Tower/AWX, credentials must be explicitly assigned to each template to be utilized.

How to eliminate wrong answers

Option B is wrong because the question states the credential uses a username/password, not an SSH private key; if a private key were required, the credential type would be different. Option C is wrong because the admin has already verified that the username and password are correct, so a misspelling is ruled out. Option D is wrong because the admin has confirmed the host is reachable on the network, eliminating connectivity as the issue.

16
MCQ · medium

A team has been using Ansible Automation Controller for six months. They have a job template that runs a playbook against a static inventory. Recently, the job template started hanging indefinitely after launching. The admin checks the job output and sees: `PLAY [all] ************************` with no further output. The playbook uses `delegate_to: localhost` for some tasks. The admin executed the same playbook manually with `ansible-playbook` on the control node and it completes successfully. The controller logs show no errors. What is the most likely cause of the hang in the controller?

A. The machine credential for the job template does not include the SSH key for the control node.
B. The execution environment used by the job template has no route to the controller's IP address on port 22.
C. The playbook has a syntax error that only manifests when run as a job template.
D. The inventory for the job template does not include the control node host.
Answer: B

`delegate_to: localhost` uses SSH to 127.0.0.1, but inside the EE, 'localhost' may not be reachable.

Why this answer

Option B is correct because the execution environment may not have network access to reach the control node, causing a connection timeout on the `delegate_to` tasks. Option A is wrong because the play is starting, indicating that the connection succeeded. Option C is wrong because the manual run succeeded, so the playbook is fine.

Option D is wrong because SSH is not used for delegate_to localhost.

17
Drag & Drop · medium

Drag and drop the steps to configure a basic NFS server to export a directory in the correct order.

Why this order

NFS server: install, create dir, configure exports, start service, verify.

18
MCQ · hard

After upgrading AAP, an admin notices that all job templates using a custom virtual environment fail with 'No module named 'foo''. The virtual environment was previously working. What should the admin do first?

A. Switch the job template to use an execution environment instead.
B. Reassign the job template to the default virtual environment.
C. Recreate the custom virtual environment and reinstall the 'foo' package.
D. Verify that the credential associated with the job template is valid.
Answer: C

Upgrades can break virtual environments; rebuilding them is a standard fix.

Why this answer

After an AAP upgrade, custom virtual environments are not automatically migrated or preserved; they must be recreated and their packages reinstalled. The 'No module named 'foo'' error indicates that the Python environment no longer contains the required package, so recreating the environment and reinstalling 'foo' is the correct first step to restore functionality.

Exam trap

The trap here is that candidates assume the custom virtual environment persists unchanged after an upgrade, but Red Hat explicitly tests that custom environments must be recreated and packages reinstalled because the upgrade process does not preserve them.

How to eliminate wrong answers

Option A is wrong because switching to an execution environment is a different approach that does not address the root cause—the missing package in the custom virtual environment—and may introduce additional configuration overhead. Option B is wrong because reassigning the job template to the default virtual environment would bypass the custom environment but would not resolve the missing package issue for environments that require 'foo'. Option D is wrong because credential validity is unrelated to Python module availability; the error is a Python import error, not an authentication or authorization failure.

19
MCQ · hard

A DevOps engineer is troubleshooting an Ansible Automation Platform deployment where ansible-navigator fails to run a playbook, showing the error 'Error: Unable to pull execution environment image'. The ansible-navigator configuration file is shown in the exhibit. Which change should the engineer make to resolve the issue?

A. Set 'mode' to 'interactive' instead of 'stdout'
B. Change the execution-environment image to 'registry.redhat.io/ansible-automation-platform-24/ee-minimal-rhel8:latest'
C. Change 'pull policy' from 'missing' to 'always'
D. Set 'playbook-artifact enable' to 'true'
Answer: C

Setting policy to 'always' forces a pull attempt each time, which can resolve pull failures due to missing or outdated images.

Why this answer

Option C is correct because the error 'Unable to pull execution environment image' indicates that the image specified in the ansible-navigator configuration cannot be retrieved from the registry. Setting the 'pull policy' to 'always' forces ansible-navigator to attempt a fresh pull of the execution environment image every time, which can resolve transient network issues, authentication problems, or stale local image caches that cause the pull to fail when the policy is 'missing'.

Exam trap

The trap here is that candidates may assume the error is due to an incorrect image name or missing authentication, but the question specifically tests understanding of the 'pull policy' behavior and how it interacts with local image caching and registry connectivity.

How to eliminate wrong answers

Option A is wrong because setting 'mode' to 'interactive' instead of 'stdout' changes how ansible-navigator displays output but does not affect the ability to pull an execution environment image; the error is related to image retrieval, not output mode. Option B is wrong because changing the execution-environment image to a different valid image (registry.redhat.io/ansible-automation-platform-24/ee-minimal-rhel8:latest) does not address the root cause of the pull failure; if the current image is correct but unreachable, a different image will also fail unless the underlying connectivity or authentication issue is resolved. Option D is wrong because setting 'playbook-artifact enable' to 'true' controls whether playbook artifacts (e.g., logs) are saved, which has no impact on the ability to pull an execution environment image.

20
Matchingmedium

Match each Ansible module to its primary function.

Manage packages via YUM

Copy files to remote hosts

Manage system services

Deploy Jinja2 templates

Manage user accounts

Why these pairings

These modules are commonly used in Ansible for system administration.

21
MCQeasy

A user wants to authenticate against Ansible Automation Controller using LDAP. They configure the LDAP settings in the controller UI. After saving, they test the connection and it succeeds. However, when an LDAP user tries to log in, they get an authentication failure. What is the most likely issue?

A.The user is not a member of the required LDAP group that is mapped to a team.
B.The user has not been mapped to an organization within the LDAP configuration.
C.The controller is case-sensitive and the user entered the username in the wrong case.
D.The LDAP server is configured to use TLS, but the controller uses SAML.
AnswerB

Without organization mapping, the user cannot access the controller.

Why this answer

In Ansible Automation Controller, LDAP users must be explicitly mapped to an organization within the LDAP configuration. Without this mapping, the user is authenticated by the LDAP server but the controller has no authorization context (e.g., organization membership) to allow login. Option B correctly identifies this missing organization mapping as the most likely cause.

Exam trap

The trap here is that candidates assume a successful LDAP connection test implies full authentication and authorization are working, but the test only validates the LDAP bind, not the organization mapping required for user login.

How to eliminate wrong answers

Option A is wrong because group membership mapping to teams is optional and not required for basic LDAP authentication; a user can log in without being in any team. Option C is wrong because while the controller is case-sensitive for usernames, a successful LDAP connection test indicates the LDAP server is reachable and configured correctly, and the authentication failure is more likely due to authorization mapping, not case sensitivity. Option D is wrong because TLS and SAML are unrelated protocols; TLS secures the LDAP connection, while SAML is a separate SSO protocol that would be configured independently, not causing an LDAP authentication failure.

22
MCQhard

An administrator is designing a workflow that includes an approval node. The workflow should pause at the approval node until a user with the appropriate role approves or denies. The workflow is triggered by a webhook. After setting up, the webhook successfully starts the workflow, but the approval node is never created. What is the most likely cause?

A.The approval node requires a notification template to be configured.
B.The workflow job template is set to run as a system user, but the approval node requires an actual user to approve.
C.The approval node's timeout is set to 0, causing it to be skipped.
D.The inventory for the workflow does not have proper machine credentials.
AnswerB

Webhook-triggered jobs run as the user who created the webhook key, but if system-level, no user context exists for approval.

Why this answer

Option B is correct because in Ansible Automation Platform, approval nodes in workflows require a real user to approve or deny the request. If the workflow job template is configured to run as a system user (e.g., the automation controller system user), there is no actual user identity associated with the approval action, so the approval node is never created. The webhook can still trigger the workflow, but the approval node fails to materialize because the system user lacks the necessary user context to generate the approval request.

Exam trap

The trap here is that candidates often assume approval nodes are purely configuration-based and overlook the requirement for a real user identity, confusing system-level execution with user-level approval actions.

How to eliminate wrong answers

Option A is wrong because notification templates are optional for approval nodes; they are used to send email or other notifications when an approval is pending, but they are not required for the approval node to be created. Option C is wrong because setting the timeout to 0 means the approval node will wait indefinitely (no timeout), not that it is skipped; a timeout of 0 does not cause the node to be bypassed. Option D is wrong because inventory machine credentials are irrelevant to the creation of an approval node; they are used for connecting to managed hosts, not for workflow approval logic.

23
MCQmedium

You are deploying Red Hat Ansible Automation Platform in a restricted network environment where the automation controller, automation hub, and execution nodes cannot access the internet. You have successfully installed the automation controller and automation hub on separate RHEL 8 servers using a local repository. The automation hub is configured to sync collections from a local mirror. After deployment, you attempt to create a new job template that uses a collection from automation hub, but the job template creation fails with the error: 'Failed to find collection' for a collection that exists in automation hub. The execution nodes are subscribed to the same local repository. The automation controller is configured with the automation hub as the default collections server. What is the most likely cause?

A.The local repository does not contain the required Ansible Automation Platform packages for the execution nodes.
B.The automation controller cannot communicate with the execution nodes due to network restrictions.
C.The execution nodes are not registered with the automation controller.
D.The automation controller is configured with the default cloud.redhat.com as the collections server instead of the local automation hub URL.
AnswerD

Correct: The controller must point to the local automation hub; otherwise, it cannot find collections.

Why this answer

Option D is correct because the automation controller must be explicitly configured to use the local automation hub as the default collections server. If it defaults to cloud.redhat.com, the controller will attempt to download collections from the internet, which fails in a restricted network environment. The error 'Failed to find collection' indicates the controller cannot reach the configured collections server, not that the collection is missing from the local hub.

Exam trap

The trap here is that candidates may assume the error is due to network connectivity between components (Option B) or missing packages (Option A), when the real issue is a misconfiguration of the collections server URL in the controller settings.

How to eliminate wrong answers

Option A is wrong because the execution nodes are subscribed to the same local repository that was used to install the automation controller and hub, so they have the required AAP packages; the issue is about collection access, not package availability. Option B is wrong because the error occurs at job template creation, not during job execution, and the controller communicates with execution nodes only when a job runs, not during template creation. Option C is wrong because execution nodes must be registered with the controller to run jobs, but the error occurs before any job execution attempt, and registration status does not affect the controller's ability to find collections on the hub.

24
MCQhard

A systems administrator is deploying Ansible Automation Platform 2.4 using the provided setup script. The installation fails with the error shown in the exhibit. Based on the exhibit, what is the most likely cause of the failure?

A.The installer requires a local PostgreSQL database; using a remote database is not supported.
B.The database password specified in setup.sh does not match the actual PostgreSQL password.
C.SELinux is blocking the ansible-navigator process from reaching the database.
D.The PostgreSQL service is not running on the database server.
AnswerD

The error 'Connection refused' indicates the PostgreSQL server is not listening on the specified host/port.

Why this answer

The error exhibit indicates that the installer cannot connect to the PostgreSQL database. The most common cause of this failure is that the PostgreSQL service is not running on the database server, preventing the Ansible Automation Platform setup script from establishing a connection. Without the database service active, the installer cannot proceed with the deployment.

Exam trap

The trap here is that candidates may assume a database password mismatch (Option B) is the issue, but the error message clearly indicates a connection failure rather than an authentication failure, which is a common confusion in database connectivity troubleshooting.

How to eliminate wrong answers

Option A is wrong because Ansible Automation Platform 2.4 supports both local and remote PostgreSQL databases; the setup script allows specifying a remote database host. Option B is wrong because a password mismatch would produce an authentication error (e.g., 'password authentication failed'), not a connection timeout or 'could not connect to server' error. Option C is wrong because SELinux blocking would typically manifest as a permission denied error on socket files or port access, not a generic connection failure to the database server; also, the error message does not reference SELinux denials.

25
Drag & Dropmedium

Drag and drop the steps to configure an Ansible control node for managing remote hosts into the correct order.

Why this order

Ansible requires installation, inventory definition, SSH key-based authentication, and connectivity verification before managing hosts.

26
Multi-Selectmedium

Which TWO statements are true about deploying Red Hat Ansible Automation Platform using the automation mesh?

Select 2 answers
A.Execution nodes can be located in different geographic regions.
B.Existing Ansible Tower nodes can be added to the mesh without modification.
C.Automation mesh requires two separate ports for control and data plane traffic.
D.The mesh topology is organized as a parent/child relationship between nodes.
E.All execution nodes must have direct network access to the automation controller.
AnswersA, D

Automation mesh supports distributed execution across multiple sites.

Why this answer

Option A is correct because the automation mesh is designed to support distributed topologies where execution nodes can be located in different geographic regions. The mesh uses peer-to-peer connections over standard TCP ports, allowing nodes to communicate across network boundaries without requiring a centralized controller in each region.

Exam trap

The trap here is that candidates often assume automation mesh requires separate control and data ports (like in some SDN solutions) or that all nodes must reach the controller directly, but Red Hat's implementation uses a single port and a peer-to-peer routing model.

27
MCQhard

A junior admin runs the command shown in the exhibit. What is the most likely cause of the error?

A.The 'ansible.builtin' collection is not installed in the execution environment.
B.The shell module requires a command argument that is missing.
C.The playbook file path is incorrect; ansible-navigator cannot find the file.
D.The playbook uses incorrect YAML syntax; the task should use the 'module' keyword.
AnswerD

The correct syntax is 'module: ansible.builtin.shell' or simply 'ansible.builtin.shell:' as a mapping key.

Why this answer

Option B is correct. The YAML syntax is incorrect because the 'ansible.builtin.shell' module should be listed under the 'module' key, not as a separate line. The correct usage is 'ansible.builtin.shell:' as a value under 'module:' or directly as the action.

In this case, the task is missing the 'module' key. Option A is wrong because the collection is installed by default. Option C is wrong because the syntax error is in the YAML structure, not in the module name.

Option D is wrong because the path is absolute and correct.

28
MCQhard

A large enterprise has deployed Ansible Automation Platform with multiple organizations. A team lead needs to allow a junior administrator to create and manage job templates within their own organization, but not modify organizations, users, or system settings. Which RBAC roles should be assigned?

A.Assign the `admin` role on the organization.
B.Assign the `job_template_admin` role on the specific organization.
C.Assign the `execute` role on all job templates.
D.Assign the `auditor` role on the organization.
AnswerB

This role allows managing job templates but not organization-level settings.

Why this answer

The `job_template_admin` role on a specific organization grants the ability to create, edit, and manage job templates within that organization without allowing modifications to organizations, users, or system settings. This is the correct RBAC role for the junior administrator's requirements.

Exam trap

The trap here is that candidates often confuse the `admin` role on an organization with the `job_template_admin` role, assuming that full admin rights are needed to manage job templates, when in fact a more restricted role exists specifically for that purpose.

How to eliminate wrong answers

Option A is wrong because the `admin` role on an organization provides full administrative privileges, including the ability to modify organizations, users, and system settings, which exceeds the required permissions. Option C is wrong because the `execute` role on all job templates only allows running existing job templates, not creating or managing them. Option D is wrong because the `auditor` role on an organization provides read-only access to view objects and audit logs, with no permissions to create or manage job templates.

29
MCQmedium

An admin is creating a workflow that must run a survey at the beginning to collect user input. Which node type should be used for the first step?

A.Workflow node
B.Approval node
C.Job Template node with survey enabled
D.Project Sync or Inventory Sync node
AnswerC

Surveys can be added to job templates to prompt for variables.

Why this answer

A Job Template node with survey enabled is the correct choice because surveys in Ansible Automation Platform allow you to prompt the user for variables at runtime before the job runs. This is the only node type that can collect user input as the first step in a workflow, as it presents a form to the user and passes the entered values as extra variables to the job.

Exam trap

The trap here is that candidates may confuse an Approval node with a survey node, thinking that an approval step can also collect input, but approvals only allow a yes/no or simple comment, not structured variable input.

How to eliminate wrong answers

Option A is wrong because a Workflow node is a container for other nodes and does not itself collect user input; it merely defines the flow. Option B is wrong because an Approval node is used to pause a workflow for manual approval or rejection, not to collect survey-style input from the user. Option D is wrong because Project Sync and Inventory Sync nodes are used to synchronize source control or inventory sources, and they do not support surveys or user input collection.

30
MCQeasy

An administrator wants to use automation mesh to distribute workloads across multiple execution nodes. After configuring mesh topology, some jobs fail with: `Error: No healthy mesh node found for execution`. What is the most likely cause?

A.The mesh nodes are not all connected to each other.
B.The execution node is not registered with a unique `node_id`.
C.The `hop` count is set too high in the mesh configuration.
D.The `node_type` is set to `control` for all nodes.
AnswerB

Duplicate node IDs cause routing issues, making nodes appear unhealthy.

Why this answer

Option B is correct because each execution node in an automation mesh must have a unique `node_id` to be properly identified and reachable by the mesh controller. When nodes share a `node_id` or are not registered with a unique identifier, the controller cannot distinguish between them, leading to the 'No healthy mesh node found for execution' error. This uniqueness is critical for the mesh's peer-to-peer routing and health-checking mechanism.

Exam trap

The trap here is that candidates often confuse connectivity issues (Option A) with node identity problems, but the error message directly points to a health-check failure caused by duplicate or missing `node_id` values, not network topology.

How to eliminate wrong answers

Option A is wrong because automation mesh nodes do not need to be fully connected to each other; they communicate via a parent-child topology using `peers` and `parent` directives, and the error is not caused by lack of full connectivity. Option C is wrong because the `hop` count (maximum number of intermediate nodes) does not directly cause this error; a high hop count might affect latency or routing but not the health detection of individual nodes. Option D is wrong because setting `node_type` to `control` for all nodes would mean no execution nodes exist, but the error specifically mentions 'execution' and the issue is about node identification, not node type assignment.

31
MCQhard

An admin imports this inventory into AAP and assigns a machine credential that uses SSH key authentication. The job fails with 'Authentication failed'. What is the most likely cause?

A.The private key file path in the inventory does not exist on the controller.
B.The credential's SSH key is not being used because the inventory variable ansible_ssh_private_key_file conflicts.
C.The machine credential does not contain an SSH private key.
D.The 'ansible_become' variable is missing from the inventory.
AnswerB

AAP uses the credential's key when a credential is assigned; the inventory variable is ignored and can cause confusion.

Why this answer

Option B is correct because AAP does not use inventory variables for authentication; it uses credentials. The variable 'ansible_ssh_private_key_file' is ignored by AAP, and the credential must be used. Option A is incorrect because the credential is present.

Option C is incorrect because the key path is not used. Option D is incorrect because the become method is not relevant to this failure.

32
Multi-Selecteasy

A job template has failed. Which TWO logs should be examined first to diagnose the issue?

Select 2 answers
A./var/log/tower/tower.log
B./var/log/tower/job_callback.log
C.Automation controller job stdout
D./var/log/messages
E./var/log/nginx/access.log
AnswersA, B

Main AAP log with errors and warnings.

Why this answer

Option A is correct because `/var/log/tower/tower.log` is the primary log file for the Ansible Tower/Automation Controller service itself, capturing all controller-level events, errors, and system messages. When a job template fails, this log is the first place to check for underlying service issues, authentication failures, or configuration problems that prevented the job from starting or completing. Option B is correct because `/var/log/tower/job_callback.log` specifically records callback data from job runs, including the final status and any errors returned by the Ansible playbook execution, making it essential for diagnosing job-specific failures.

Exam trap

The trap here is that candidates often confuse job stdout (the playbook output) with a log file, or they default to checking generic system logs like `/var/log/messages` instead of the application-specific logs that directly relate to the job template failure.

33
MCQmedium

An organization is deploying Automation Platform for the first time. The security team requires that all SSH private keys used for automation be stored securely with access controls. Which AAP feature should be used to meet this requirement?

A.Store the private key in plain text within the inventory file.
B.Use Ansible Vault to encrypt the private key file.
C.Set the SSH key as an environment variable on the controller.
D.Create a Machine credential type and upload the SSH private key.
AnswerD

AAP machine credentials store SSH keys encrypted and allow granular access control.

Why this answer

Option D is correct because the Machine credential type in Ansible Automation Platform (AAP) is specifically designed to securely store SSH private keys. When you upload the private key via the AAP web UI or API, it is encrypted at rest in the AAP database and access is controlled through role-based access control (RBAC). This meets the security team's requirement for secure storage and access controls without exposing the key in plain text.

Exam trap

The trap here is that candidates may confuse Ansible Vault (a file-level encryption tool) with AAP's credential management system, not realizing that Vault does not provide the centralized access control and audit trail required for enterprise security compliance.

How to eliminate wrong answers

Option A is wrong because storing a private key in plain text within an inventory file violates basic security principles and exposes the key to anyone with file system access, which is not secure storage with access controls. Option B is wrong because Ansible Vault encrypts files at rest but does not integrate with AAP's native credential system; the key would still need to be decrypted at runtime and managed outside of AAP's RBAC, failing the access control requirement. Option C is wrong because setting the SSH key as an environment variable on the controller exposes it to any process or user that can read environment variables, and it lacks the granular access controls and audit logging that AAP credentials provide.

34
Matchingmedium

Match each Ansible inventory parameter to its meaning.

Hostname or IP to connect to

SSH user for connection

SSH port number

Private key file path

Python interpreter path

Why these pairings

Common inventory variables for Ansible connection.

35
Multi-Selectmedium

Which THREE are valid user roles within an Automation Controller organization? (Choose three.)

Select 3 answers
A.Organization auditor
B.Organization admin
C.Organization team_member
D.Superuser
E.Organization member
AnswersA, B, E

Read-only access to all organization resources.

Why this answer

Option A is correct because the Organization auditor role in Automation Controller provides read-only access to all objects within the organization, including inventories, projects, job templates, and credentials, without the ability to make changes. This role is essential for compliance and oversight, allowing auditors to review configurations and job history without risk of modification.

Exam trap

The trap here is that candidates may confuse 'Organization team_member' with a valid role, not realizing that team membership is distinct from organization-level roles, or they may incorrectly select 'Superuser' thinking it is an organization role when it is actually a global system role.

36
MCQeasy

An admin is configuring a project in Automation Platform to pull playbooks from a Git repository. Which source control type should be selected?

A.Local
B.Manual
C.SCM
D.Red Hat Insights
AnswerC

SCM allows integration with Git repositories.

Why this answer

Option C (SCM) is correct because Ansible Automation Platform uses Source Control Management (SCM) to integrate with Git repositories. When configuring a project, selecting 'SCM' allows the platform to pull playbooks, roles, and inventories directly from a remote Git repository, enabling version control and automated sync.

Exam trap

The trap here is that candidates may confuse 'SCM' with a generic term and think 'Manual' or 'Local' are valid options, but only SCM enables Git integration for project synchronization.

How to eliminate wrong answers

Option A is wrong because 'Local' refers to a project that uses playbooks stored directly on the Automation Controller file system, not from a remote Git repository. Option B is wrong because 'Manual' is not a valid source control type in Automation Platform; projects require either Local or SCM. Option D is wrong because 'Red Hat Insights' is a separate analytics and remediation service, not a source control mechanism for pulling playbooks.

37
MCQmedium

A company is deploying Red Hat Ansible Automation Platform 2.3 in a hybrid cloud environment. The automation controller is installed on a RHEL 8 server in the on-premises data center. Execution nodes are distributed: four in the same data center, two in a remote branch office connected via VPN, and three in AWS EC2 instances. The VPN connection to the branch office is low-bandwidth and high-latency. The AWS nodes use a direct connect with stable bandwidth. During initial testing, playbooks running on the branch office execution nodes frequently time out or hang, while on-premises and AWS nodes work fine. The automation mesh topology is configured with all nodes as direct children of the controller. The team wants to minimize latency and ensure reliable execution for the branch office nodes. Which course of action should the administrator take?

A.Deploy an additional automation mesh node in the branch office and make the branch office execution nodes children of that node.
B.Configure the controller to use the AWS execution nodes for all branch office jobs via a proxy.
C.Increase the `ansible_timeout` setting in the controller configuration to 120 seconds.
D.Reduce the forks value for branch office execution nodes to 1.
AnswerA

A local mesh node reduces WAN traffic by caching playbook artifacts and handling control plane communication locally.

Why this answer

Option A is correct because deploying an additional automation mesh node in the branch office creates a local parent for the branch office execution nodes, reducing the number of high-latency, low-bandwidth VPN hops between the controller and those nodes. In the automation mesh, parent-child relationships allow execution nodes to connect through a closer intermediary, minimizing timeouts and improving reliability by keeping control-plane traffic local.

Exam trap

The trap here is that candidates may confuse tuning parameters (timeout, forks) with architectural fixes, failing to recognize that the mesh topology itself must be adapted to overcome network constraints.

How to eliminate wrong answers

Option B is wrong because using AWS execution nodes as a proxy for branch office jobs would still route traffic over the VPN, adding unnecessary latency and complexity without addressing the root cause. Option C is wrong because increasing `ansible_timeout` only masks the symptom of network delays; it does not reduce the underlying latency or packet loss causing the timeouts. Option D is wrong because reducing forks to 1 limits parallelism but does not solve connectivity issues; it may even increase execution time without preventing hangs from network instability.

38
Multi-Selecteasy

Which TWO statements are true about deploying Red Hat Ansible Automation Platform on a Red Hat Enterprise Linux 8 system?

Select 2 answers
A.The installer automatically creates an admin user with a randomly generated password.
B.The automation controller and database must be installed on the same node for performance reasons.
C.The AAP installer uses an Ansible playbook named 'ansible-setup.yml' to perform the installation.
D.You can install automation controller and private automation hub on separate machines to distribute the load.
E.Before installation, you must attach a subscription using subscription-manager attach --pool=...
AnswersC, D

Correct: The setup playbook is the main installer.

Why this answer

Options A and D are correct. A: The setup playbook is used to deploy AAP components. D: Automation controller and private automation hub can be installed on separate nodes for scalability.

B is incorrect because subscription-manager attach is not required if using local repos. C is incorrect because PostgreSQL must be separate from the controller node in a standard installation. E is incorrect because the installer creates the admin user based on the inventory file.

39
MCQmedium

An admin configures an automation mesh environment. What is the primary purpose of mesh nodes in AAP?

A.To enable high availability for the web UI.
B.To act as a backup for the automation controller.
C.To provide a redundant database server.
D.To scale automation execution capacity.
AnswerD

Mesh nodes distribute the workload of running playbooks.

Why this answer

Mesh nodes in Ansible Automation Platform (AAP) are designed to distribute automation execution workloads across multiple nodes, enabling horizontal scaling. They do not handle the web UI, controller logic, or database functions; instead, they execute playbooks and jobs, offloading work from the automation controller to increase overall capacity and performance.

Exam trap

The trap here is that candidates confuse mesh nodes with general high-availability or redundancy components, assuming they serve as backups for the controller or database, when in fact they are strictly for scaling execution capacity.

How to eliminate wrong answers

Option A is wrong because high availability for the web UI is provided by the automation controller nodes themselves, often through a load balancer, not by mesh nodes. Option B is wrong because mesh nodes are not backups for the automation controller; controller redundancy is achieved through a separate controller cluster with active/passive or active/active setups. Option C is wrong because database redundancy is handled by a separate database cluster (e.g., PostgreSQL streaming replication), not by mesh nodes, which have no database role.

40
MCQmedium

A team uses execution environments (EE) for job templates. The admin builds a custom EE using `ansible-builder` with an `execution-environment.yml` file that includes a `base_image: registry.redhat.io/ansible-automation-platform-21/ee-minimal-rhel8:latest` and a custom Python requirement. However, the controller reports that the EE is not found when launching a job. What is the most likely issue?

A.The built EE image was not pushed to the container registry specified in the controller's execution environment configuration.
B.The base image is pointing to an incorrect registry path.
C.The custom Python requirement needs to be added to `requirements.txt` in the project.
D.The execution environment does not include a `Containerfile` for the build process.
AnswerA

The EE must be available in a registry that controller can pull from.

Why this answer

Option A is correct because after building a custom execution environment with `ansible-builder`, the resulting container image must be pushed to a container registry that the Automation Controller is configured to access. The controller does not automatically pull images from the local build cache; it references the image by its registry path. If the image is not present in the specified registry, the controller will report that the EE is not found when launching a job.

Exam trap

The trap here is that candidates assume building the image locally is sufficient, but the controller requires the image to be accessible via a registry pull, not from the local build cache.

How to eliminate wrong answers

Option B is wrong because `registry.redhat.io/ansible-automation-platform-21/ee-minimal-rhel8:latest` is a valid Red Hat registry path for the minimal execution environment; the issue is not about an incorrect registry path but about the image not being available in the registry the controller queries. Option C is wrong because custom Python requirements are defined in the `execution-environment.yml` file under the `python` key, not in a project's `requirements.txt`; the controller does not read project files for EE dependencies. Option D is wrong because `ansible-builder` automatically generates a `Containerfile` (or `Dockerfile`) during the build process based on the `execution-environment.yml`; the absence of a pre-existing `Containerfile` is not the issue.

41
MCQ · easy

An organization wants to deploy Ansible Automation Platform 2.x in a highly available configuration. Which component must be deployed in an active-active cluster to ensure controller failover?

A. PostgreSQL database
B. Automation controller
C. Private Automation Hub
D. Automation mesh
Answer: B

The controller runs the web UI, API, and scheduler; an active-active cluster with a load balancer provides HA.

Why this answer

The automation controller is the component that provides the web UI, REST API, and job execution management in Ansible Automation Platform 2.x. For high availability, multiple controller nodes must be deployed in an active-active cluster behind a load balancer, ensuring that if one controller fails, another can immediately take over without service interruption.

Exam trap

The trap here is that candidates often confuse the automation mesh (which provides execution node redundancy) with the automation controller's active-active clustering, leading them to select mesh as the answer for controller failover.

How to eliminate wrong answers

Option A is wrong because the PostgreSQL database is typically deployed as a separate highly available database cluster (e.g., using Patroni or streaming replication) and is not itself part of the active-active controller cluster; it supports the controller but does not provide controller failover. Option C is wrong because Private Automation Hub is a content distribution component for collections and execution environments, and it does not handle controller job scheduling or API requests; it can be made highly available independently but does not ensure controller failover. Option D is wrong because automation mesh is a communication layer for distributing execution workloads across nodes and is not a controller component; it provides resilience for execution nodes but does not handle controller failover.

42
MCQ · easy

An admin checks the job details and sees this error from the API. What is the most likely cause?

A. The job template is using an execution environment that lacks the plugin.
B. The callback plugin is not installed on the controller node.
C. The callback plugin name is misspelled in the project.
D. The machine credential is invalid.
Answer: B

AAP requires that callback plugins be installed on the controller; otherwise, it reports an invalid plugin.

Why this answer

The error from the API indicates that the callback plugin is missing on the controller node. In Ansible Automation Platform, callback plugins must be installed on the controller node (or execution node) where `ansible-runner` processes job events. If the plugin is not present there, the API will report a failure when the job attempts to use it, even if the execution environment contains the plugin.

Exam trap

The trap here is that candidates assume the execution environment is the only place plugins need to exist, but the controller node must also have the callback plugin installed to process job events, leading to an API-level error when it is missing.

How to eliminate wrong answers

Option A is wrong because the execution environment is a container image that provides the runtime for playbook execution, but the callback plugin must be installed on the controller node (or execution node) that handles job event processing; the execution environment's plugin content does not automatically make the plugin available to the controller's API. Option C is wrong because a misspelled callback plugin name in the project would cause a different error (e.g., 'unable to locate plugin') at the playbook parsing stage, not an API-level error from the job details. Option D is wrong because an invalid machine credential would result in an authentication failure during SSH or WinRM connection, not an API error about a missing callback plugin.
