diff --git a/ansible/roles/image-download/defaults/main.yml b/ansible/roles/image-download/defaults/main.yml
index 52bec6ddd..00b079f37 100644
--- a/ansible/roles/image-download/defaults/main.yml
+++ b/ansible/roles/image-download/defaults/main.yml
@@ -21,3 +21,23 @@ image_download_dest:
 # Host from which to fetch the image.
 # Only used when image_download_path is set.
 image_download_host: "{{ inventory_hostname }}"
+
+# Username for Digest, Basic or WSSE authentication. Default is unset, in which
+# case the parameter is omitted.
+image_download_url_username:
+
+# Password for Digest, Basic or WSSE authentication. Default is unset, in which
+# case the parameter is omitted.
+image_download_url_password:
+
+# Force sending the Basic authentication header upon initial request. Useful if
+# the remote endpoint does not respond with HTTP 401 to the initial
+# unauthenticated request. Must be a boolean. Default is unset, in which case
+# the parameter is omitted.
+image_download_force_basic_auth:
+
+# List of header names that will not be sent on subsequent redirected requests.
+# Set to ['Authorization'] if being redirected from an authenticated endpoint
+# to an unauthenticated endpoint. Default is unset, in which case the parameter
+# is omitted.
+image_download_unredirected_headers:
diff --git a/ansible/roles/image-download/tasks/main.yml b/ansible/roles/image-download/tasks/main.yml
index 3a4dc4ba0..c1d799fdd 100644
--- a/ansible/roles/image-download/tasks/main.yml
+++ b/ansible/roles/image-download/tasks/main.yml
@@ -15,6 +15,10 @@
           uri:
             url: "{{ image_download_checksum_url }}"
             return_content: true
+            url_username: "{{ image_download_url_username or omit }}"
+            url_password: "{{ image_download_url_password or omit }}"
+            force_basic_auth: "{{ image_download_force_basic_auth or omit }}"
+            unredirected_headers: "{{ image_download_unredirected_headers or omit }}"
           register: expected_checksum
           until: expected_checksum is successful
           retries: 3
@@ -35,6 +39,10 @@
         # Always download the image if we have no checksum to compare with.
         force: "{{ expected_checksum is skipped }}"
         backup: true
+        url_username: "{{ image_download_url_username or omit }}"
+        url_password: "{{ image_download_url_password or omit }}"
+        force_basic_auth: "{{ image_download_force_basic_auth or omit }}"
+        unredirected_headers: "{{ image_download_unredirected_headers or omit }}"
       register: result
       until: result is successful
       retries: 3
diff --git a/molecule-requirements.txt b/molecule-requirements.txt
index 794a7bf57..60ecf7351 100644
--- a/molecule-requirements.txt
+++ b/molecule-requirements.txt
@@ -3,7 +3,7 @@
 # process, which may cause wedges in the gate later.
 
 ansible-lint>=3.0.0,<6.0.0,!=4.3.0 # MIT
-ansible-compat # MIT
+ansible-compat<25.0.0 # MIT
 docker # Apache-2.0
 molecule # MIT
 molecule-plugins[docker] # MIT
diff --git a/releasenotes/notes/fix-overcloud-deprovision-prompt-host-lists-cfb701162c114c60.yaml b/releasenotes/notes/fix-overcloud-deprovision-prompt-host-lists-cfb701162c114c60.yaml
index b2571fa9b..8add3af56 100644
--- a/releasenotes/notes/fix-overcloud-deprovision-prompt-host-lists-cfb701162c114c60.yaml
+++ b/releasenotes/notes/fix-overcloud-deprovision-prompt-host-lists-cfb701162c114c60.yaml
@@ -2,5 +2,5 @@
 fixes:
   - |
     Fixes a bug where non-overcloud hosts would show up in the confirmation
-    prompt for `kayobe overcloud deprovision`
+    prompt for ``kayobe overcloud deprovision``
     `LP#2091703 <https://bugs.launchpad.net/kayobe/+bug/2091621>`__
diff --git a/releasenotes/notes/image-download-auth-e9fd02b71e26dd52.yaml b/releasenotes/notes/image-download-auth-e9fd02b71e26dd52.yaml
new file mode 100644
index 000000000..7bb5c7e4d
--- /dev/null
+++ b/releasenotes/notes/image-download-auth-e9fd02b71e26dd52.yaml
@@ -0,0 +1,12 @@
+---
+features:
+  - |
+    Adds variables to configure authentication parameters in the
+    ``image-download`` role, which is used to download IPA images. The new
+    variables are ``image_download_url_username``,
+    ``image_download_url_password``, ``image_download_force_basic_auth`` and
+    ``image_download_unredirected_headers``. See documentation of the `get_url
+    <https://docs.ansible.com/ansible/latest/collections/ansible/builtin/get_url_module.html>`__
+    and `uri
+    <https://docs.ansible.com/ansible/latest/collections/ansible/builtin/uri_module.html>`__
+    Ansible modules for more details on how to use these variables.
diff --git a/releasenotes/notes/pin-ipa-requirements-f9566011b2400e6c.yaml b/releasenotes/notes/pin-ipa-requirements-f9566011b2400e6c.yaml
index 9f64be344..5b3b9a52c 100644
--- a/releasenotes/notes/pin-ipa-requirements-f9566011b2400e6c.yaml
+++ b/releasenotes/notes/pin-ipa-requirements-f9566011b2400e6c.yaml
@@ -3,4 +3,4 @@ fixes:
   - |
     Pin requirements for IPA image build to ensure that the ``ironic-lib``
     version matches ``ironic-python-agent``.
-    LP#2089263 <https://bugs.launchpad.net/kayobe/+bug/2089263>`__
+    `LP#2089263 <https://bugs.launchpad.net/kayobe/+bug/2089263>`__