diff --git a/awx/main/migrations/0118_galaxy_credentials.py b/awx/main/migrations/0118_galaxy_credentials.py
index f61434d7d1..c46fd962a7 100644
--- a/awx/main/migrations/0118_galaxy_credentials.py
+++ b/awx/main/migrations/0118_galaxy_credentials.py
@@ -1,9 +1,89 @@
 # Generated by Django 2.2.11 on 2020-08-04 15:19
 
+import logging
+
 import awx.main.fields
+from awx.main.utils.encryption import encrypt_field, decrypt_field
+
 from django.db import migrations, models
+from django.utils.timezone import now
 import django.db.models.deletion
 
+from awx.main.models import CredentialType as ModernCredentialType
+from awx.main.utils.common import set_current_apps
+
+logger = logging.getLogger('awx.main.migrations')
+
+
+def migrate_galaxy_settings(apps, schema_editor):
+    set_current_apps(apps)
+    ModernCredentialType.setup_tower_managed_defaults()
+    Organization = apps.get_model('main', 'Organization')
+    CredentialType = apps.get_model('main', 'CredentialType')
+    Credential = apps.get_model('main', 'Credential')
+    Setting = apps.get_model('conf', 'Setting')
+
+    galaxy_type = CredentialType.objects.get(kind='galaxy')
+    private_galaxy_url = Setting.objects.filter(key='PRIMARY_GALAXY_URL').first()
+
+    # by default, prior versions of AWX/Tower automatically pulled content
+    # from galaxy.ansible.com
+    public_galaxy_enabled = True
+    public_galaxy_setting = Setting.objects.filter(key='PUBLIC_GALAXY_ENABLED').first()
+    if public_galaxy_setting and public_galaxy_setting is False:
+        # ...UNLESS this behavior was explicitly disabled via this setting
+        public_galaxy_enabled = False
+
+    for org in Organization.objects.all():
+        if private_galaxy_url and private_galaxy_url.value:
+            # If a setting exists for a private Galaxy URL, make a credential for it
+            username = Setting.objects.filter(key='PRIMARY_GALAXY_USERNAME').first()
+            password = Setting.objects.filter(key='PRIMARY_GALAXY_PASSWORD').first()
+            if (username and username.value) or (password and password.value):
+                logger.error(
+                    f'Specifying HTTP basic auth for the Ansible Galaxy API '
+                    f'({private_galaxy_url.value}) is no longer supported. '
+                    'Please provide an API token instead after your upgrade '
+                    'has completed',
+                )
+            inputs = {
+                'url': private_galaxy_url.value
+            }
+            token = Setting.objects.filter(key='PRIMARY_GALAXY_TOKEN').first()
+            if token and token.value:
+                inputs['token'] = decrypt_field(token, 'value')
+            auth_url = Setting.objects.filter(key='PRIMARY_GALAXY_AUTH_URL').first()
+            if auth_url and auth_url.value:
+                inputs['auth_url'] = auth_url.value
+            cred = Credential(
+                created=now(),
+                modified=now(),
+                name=f'Private Galaxy ({private_galaxy_url.value})',
+                organization=org,
+                credential_type=galaxy_type,
+                inputs=inputs
+            )
+            cred.save()
+            if token and token.value:
+                # encrypt based on the primary key from the prior save
+                cred.inputs['token'] = encrypt_field(cred, 'token')
+                cred.save()
+            org.galaxy_credentials.add(cred)
+        if public_galaxy_enabled:
+            # If public Galaxy was enabled, make a credential for it
+            cred = Credential(
+                created=now(),
+                modified=now(),
+                name='Ansible Galaxy',
+                organization=org,
+                credential_type=galaxy_type,
+                inputs = {
+                    'url': 'https://galaxy.ansible.com/'
+                }
+            )
+            cred.save()
+            org.galaxy_credentials.add(cred)
+
 
 class Migration(migrations.Migration):
 
@@ -31,4 +111,5 @@ class Migration(migrations.Migration):
             name='galaxy_credentials',
             field=awx.main.fields.OrderedManyToManyField(blank=True, related_name='organization_galaxy_credentials', through='main.OrganizationGalaxyCredentialMembership', to='main.Credential'),
         ),
+        migrations.RunPython(migrate_galaxy_settings)
     ]
diff --git a/awx/main/models/credential/__init__.py b/awx/main/models/credential/__init__.py
index be4a21a99d..9756fd1639 100644
--- a/awx/main/models/credential/__init__.py
+++ b/awx/main/models/credential/__init__.py
@@ -1177,13 +1177,13 @@ ManagedCredentialType(
 ManagedCredentialType(
     namespace='galaxy_api_token',
     kind='galaxy',
-    name=ugettext_noop('Ansible Galaxy Automation Hub API Token'),
+    name=ugettext_noop('Ansible Galaxy/Automation Hub API Token'),
     inputs={
         'fields': [{
             'id': 'url',
             'label': ugettext_noop('Galaxy Server URL'),
             'type': 'string',
-            'help_text': ugettext_noop('The URL of the galaxy instance to connect to.')
+            'help_text': ugettext_noop('The URL of the Galaxy instance to connect to.')
         },{
             'id': 'auth_url',
             'label': ugettext_noop('Auth Server URL'),