Ansible vs PCI
If you need to comply with PCI DSS requirements such as:
Requirement 2: Maintain an inventory of system components in scope for PCI DSS to support effective scoping practices.
you will find that public-key authentication is sometimes forbidden, as it is almost impossible to ensure that employees rotate their keys, keep the private key safe and protect it with a strong passphrase.
Using Ansible without SSH key-based authentication is painful if you need to run a playbook against hundreds of servers, because you will have to type in your password ad nauseam.
Ansible Vault To The Rescue
“Vault” is a feature of Ansible that keeps sensitive data such as passwords or keys in encrypted files.
We can leverage Ansible Vault to keep the user password stored in a safe way:
ansible-vault create group_vars/all.yml
After providing a vault password (although I am not aware of a way to audit that the password is good enough), insert all the needed Ansible credentials:
ansible_password: <ssh password>      # SSH login password, used in place of a key
ansible_become_pass: <sudo password>  # privilege-escalation (sudo) password
We can then run any Ansible playbook easily:
ansible-playbook -i inventory.ini playbook.yml --ask-vault-pass
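The weak point of this setup is that the encrypted file only protects you while every credential actually lives inside it; a colleague who writes ansible_become_pass into a plain group_vars/web.yml undoes the whole exercise. The following check is an added example of my own, not code from the original post or from the Ansible project. It walks group_vars/ and host_vars/, accepts files that start with the real Ansible Vault header ($ANSIBLE_VAULT;1.1;AES256, or 1.2 with a vault id) and values encrypted inline with !vault, and reports any of Ansible's password variables found in the clear. The sample inventory tree it builds is constructed for the demo, and the hex bodies in it are placeholders rather than real ciphertext.

```python
"""Pre-commit check: password variables in an Ansible inventory tree must be vault-encrypted.

Added example, not code from the original post. Assumes the usual group_vars/ and
host_vars/ layout, the Ansible Vault header format and Ansible's own credential
variable names; the sample files it creates are constructed for the demo.
"""
import re
import tempfile
from pathlib import Path

# First line of every ansible-vault encrypted file (format 1.1, or 1.2 with a vault id label).
VAULT_HEADER = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>\d+\.\d+);(?P<cipher>[A-Z0-9]+)(?:;(?P<vault_id>[^\s;]+))?\s*$"
)

# Connection and privilege-escalation variables that carry a password.
CREDENTIAL_VARS = ("ansible_password", "ansible_ssh_pass",
                   "ansible_become_pass", "ansible_become_password")


def parse_vault_header(text):
    """Return (version, cipher, vault_id) when text is a whole-file vault blob, else None."""
    first_line = text.split("\n", 1)[0]
    match = VAULT_HEADER.match(first_line)
    if match is None:
        return None
    return match.group("version"), match.group("cipher"), match.group("vault_id")


def find_plaintext_credentials(text):
    """Return credential variable names whose value is stored in the clear.

    A key whose value is an inline `!vault` block (ansible-vault encrypt_string)
    is encrypted and therefore not reported.
    """
    leaked = []
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        for name in CREDENTIAL_VARS:
            match = re.match(rf"^{name}\s*:\s*(?P<value>.*)$", line)
            if match and not match.group("value").startswith("!vault"):
                leaked.append(name)
    return leaked


def audit_vars_tree(root):
    """Scan group_vars/ and host_vars/ below root; return a list of (path, problem)."""
    problems = []
    for subdir in ("group_vars", "host_vars"):
        base = Path(root) / subdir
        if not base.is_dir():
            continue
        for path in sorted(p for p in base.rglob("*") if p.is_file()):
            if path.suffix not in ("", ".yml", ".yaml"):
                continue
            text = path.read_text(encoding="utf-8", errors="replace")
            header = parse_vault_header(text)
            if header is not None:
                if header[1] != "AES256":
                    problems.append((str(path), f"unexpected vault cipher {header[1]}"))
                continue  # whole file is encrypted: nothing readable to check
            leaked = find_plaintext_credentials(text)
            if leaked:
                problems.append((str(path), "plaintext credentials: " + ", ".join(leaked)))
    return problems


def build_demo_tree():
    """Create a constructed inventory tree in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="vault-audit-"))
    (root / "group_vars").mkdir()
    (root / "host_vars").mkdir()
    # Constructed stand-in for `ansible-vault create group_vars/all.yml`:
    # real header, placeholder hex body (a real body is hex-encoded ciphertext).
    (root / "group_vars" / "all.yml").write_text(
        "$ANSIBLE_VAULT;1.1;AES256\n"
        "3936323630383839666138323962653365303532363433636233333939353834\n"
    )
    # The mistake the check should catch: sudo password committed in the clear.
    (root / "group_vars" / "web.yml").write_text(
        "ntp_server: 10.0.0.1\n"
        "ansible_become_pass: hunter2   # constructed plaintext leak\n"
    )
    # Inline-encrypted value from `ansible-vault encrypt_string`: acceptable.
    (root / "host_vars" / "db1.yml").write_text(
        "ansible_become_pass: !vault |\n"
        "  $ANSIBLE_VAULT;1.2;AES256;prod\n"
        "  6538386531313166343062653330373135\n"
    )
    return root


if __name__ == "__main__":
    for path, problem in audit_vars_tree(build_demo_tree()):
        print(f"{path}: {problem}")
```

Run it from the directory that holds inventory.ini and wire it into a pre-commit hook or CI job so that a non-empty result fails the commit; on the constructed tree above it flags only group_vars/web.yml.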
Using Ansible Vault, we can follow the PCI guidelines without jeopardising productivity or security.