Ansible vs PCI

If you need to comply with PCI requirements like:

Requirement 2: Maintain an inventory of system components in scope for PCI DSS to support effective scoping practices.

You will find that public-key authentication is sometimes forbidden, because it is almost impossible to ensure that employees rotate their keys, keep the private key safe, and protect it with a strong password.

Using Ansible without SSH key-based authentication is painful if you need to run a playbook against hundreds of servers, as you will have to type your password ad nauseam.

Ansible Vault To The Rescue

“Vault” is a feature of Ansible that keeps sensitive data such as passwords or keys in encrypted files.

We can leverage Ansible Vault to keep the user password stored in a safe way:

mkdir group_vars
ansible-vault create group_vars/all.yml

After providing a vault password (although I am not aware of a way to audit that the password is good enough), insert all the needed Ansible credentials:

ansible_user: <username>
ansible_ssh_pass: <password>
ansible_become_pass: <sudo password>

We can then run any Ansible playbook easily, entering the vault password once per run:

ansible-playbook -i inventory.ini playbook.yml --ask-vault-pass
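The vault only protects the credentials if the group_vars file actually stays encrypted; a colleague running ansible-vault decrypt to edit it and then committing the plaintext by mistake is the usual failure mode. The script below is an added example, not part of the original post: a small pre-commit style check for the group_vars layout shown above. It relies on the fact that a file written by ansible-vault starts with a header line such as $ANSIBLE_VAULT;1.1;AES256 (or $ANSIBLE_VAULT;1.2;AES256;<label> when a vault id is used), and refuses any vars file that carries the ansible_ssh_pass / ansible_become_pass / ansible_password keys in readable form. The list of secret keys and the directory layout are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): refuse to commit a group_vars
# file that holds Ansible credentials but is not vault-encrypted.
# ansible-vault writes a header line like "$ANSIBLE_VAULT;1.1;AES256", so the
# first line is a cheap, offline way to confirm the file really is encrypted.

# Variable names that must never be readable in a vars file (assumed list).
SECRET_KEYS='ansible_ssh_pass|ansible_become_pass|ansible_password'

# is_vault_encrypted FILE -> exit 0 if FILE starts with an ansible-vault header
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# has_plaintext_secrets FILE -> exit 0 if FILE contains one of SECRET_KEYS as a
# top-level YAML key (i.e. the credentials are readable)
has_plaintext_secrets() {
    grep -Eq "^[[:space:]]*($SECRET_KEYS)[[:space:]]*:" "$1"
}

# check_vars_file FILE -> exit 0 if FILE is safe to commit, 1 otherwise.
# An encrypted file is always fine; a plaintext file is fine only if it holds
# no credentials (ordinary vars such as an NTP server address).
check_vars_file() {
    f="$1"
    if is_vault_encrypted "$f"; then
        return 0
    fi
    if has_plaintext_secrets "$f"; then
        echo "REFUSED: $f holds credentials but is not vault-encrypted" >&2
        return 1
    fi
    return 0
}

# check_vars_dir DIR -> prints the number of offending files (0 = all clear)
check_vars_dir() {
    bad=0
    for f in "$1"/*.yml "$1"/*.yaml; do
        [ -f "$f" ] || continue
        check_vars_file "$f" || bad=$((bad + 1))
    done
    echo "$bad"
}

# Usage: sh check_vault.sh group_vars   (exits 1 if any file is refused)
if [ "$#" -gt 0 ]; then
    [ "$(check_vars_dir "$1")" -eq 0 ] || exit 1
fi
```

Wire it into a pre-commit hook (or a CI step) so a plaintext group_vars/all.yml never reaches the repository; the same header check also covers files encrypted with a labelled vault id.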

Using Ansible Vault, we can follow the PCI guidelines without jeopardising productivity or security.