Itential Automation Gateway overview

Itential Automation Gateway (IAG) is a secure execution environment for your automation content. It organizes your Python scripts, Ansible playbooks, and OpenTofu plans into versioned, reusable services that teams can discover and run through Itential Platform—without needing to understand the underlying tools or dependencies.

How IAG works

IAG connects to the Itential Platform through Gateway Manager, which registers your IAG deployment and advertises its services to Platform. When a workflow calls a gateway service, Platform routes the task to the appropriate gateway cluster, which executes it locally and returns the result. For more information, see the Gateway Manager overview.

IAG stores only state information—it doesn’t hold copies of your automation content. Your scripts, playbooks, and plans stay in your Git repositories under your control. At execution time, IAG retrieves the content it needs directly from Git, builds an isolated runtime environment with the required dependencies, runs the automation, and discards the environment when it’s done.

This model means you manage your automations the same way you manage any other code: in version control, with your existing development workflows. IAG stays out of the way.

Key features

Git-native content management

IAG retrieves automation content from your Git repositories at runtime—no pre-installation on servers required. It supports GitHub, GitLab, Bitbucket, and any standard Git provider. Dependencies defined in requirements files (requirements.txt, pyproject.toml, requirements.yml) are read automatically and deployed at runtime alongside your code.

Managed runtime environments

For each execution, IAG builds a clean, isolated environment containing exactly the dependencies your automation requires. Environments are cached and rebuilt only when requirements change. Because every run starts from a known state, you get consistent results regardless of where IAG is deployed—and IAG administrators don’t need to manually install or maintain dependencies on gateway servers.

Service-based structure

IAG exposes your automations as services—discrete, named units with defined inputs and a connection to source code in a Git repository. Once you create a service, other teams can discover and run it through Platform without knowing anything about the underlying script or tooling.

Horizontal scalability

IAG supports five deployment models ranging from a single all-in-one server to multi-cluster configurations spanning geographic regions or network segments. You can add runner nodes to any cluster to increase execution capacity—adding a runner requires only placing the IAG binary on a Linux server and pointing it at the cluster.

For a full comparison of deployment models, see Choose a deployment architecture.

Security

IAG provides layered security controls:

  • Access control: Role-based access control (RBAC) and group-based access control (GBAC) are enforced through Gateway Manager’s service groups.
  • Secrets management: IAG includes a native encrypted secret store. Secret values are decrypted only at runtime and are never exposed in logs, API responses, or on disk.
  • Audit logging: Service execution and resource access are logged at configurable verbosity levels.
  • Secure connectivity: IAG initiates outbound connections to Platform using WebSocket and mutual TLS (mTLS), with no VPN required.

Administration via iagctl

All IAG administration is handled through iagctl, a command-line tool for creating and managing resources, checking cluster status, and performing operational tasks. Every command includes built-in help via --help, and all outputs can be returned as machine-readable JSON for use in CI/CD pipelines and automation scripts.

For more information, see the Command reference.

Supported tools

IAG supports the following automation tools:

  • Ansible
  • Python
  • OpenTofu

For more information about gateway cluster architecture, see Choose a deployment architecture.

IAG 5.x requires Itential Platform 6.0.4+ or IAP 2023.2.17+ (via Gateway Manager).

Service-based structure

By transforming automations into a service model, IAG allows other teams to access and use these automations in a well-defined, structured manner. This lets you continue developing automations while providing team-oriented access. Teams can use the automations without needing to understand the underlying requirements to execute Python, Ansible, or OpenTofu instructions.

Scalable automation

You can run IAG as a single user to cleanly manage automations, or deploy it in a client-server model where each server can easily replicate services and scale out. As a single binary, IAG doesn’t dictate infrastructure requirements or server size.

Orchestration

IAG uses Gateway Manager to establish secure connections between your IAG clusters and the Itential Platform. Gateway Manager discovers all of the gateway services associated with your gateway cluster and advertises these services to Itential Platform, enabling Platform to orchestrate these services as tasks in automation workflows. Your IAG deployment executes the services when Itential Platform calls them during a workflow.

For more information, see Gateway Manager.