Stage 4 · Provision
Secrets & Security
Least-Privilege Automation
Scoped become, restricted keys, and audit trails.
Least-Privilege Principle
Least privilege means granting only the minimum permissions needed to perform a task. In Ansible automation, this means limiting become scope, restricting SSH access, and controlling who can run what playbooks.
Scoped become Usage
---
- name: Least-privilege playbook
hosts: webservers
become: no # Default: no privilege escalation
tasks:
# Non-privileged tasks run as the connect user
- name: Check disk space
ansible.builtin.command: df -h
# No become needed
# Only escalate when necessary
- name: Install package
ansible.builtin.package:
name: nginx
state: present
become: yes
become_user: root
# Different user for different task
- name: Generate application config
ansible.builtin.template:
src: app.conf.j2
dest: /etc/app/config.yml
owner: appuser
group: appuser
mode: "0640"
become: yes
become_user: appuserApply become at the task level for granular control. Each task escalates only as much as needed.
Restricted SSH Keys
# In authorized_keys on managed nodes
# Restrict key to specific commands
command="sudo /usr/bin/ansible-command-wrapper",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... ansible-deploy
# In ansible.cfg
[defaults]
private_key_file = ~/.ssh/ansible_deploy_keyRestricted SSH keys limit what the Ansible connection user can do. Even if the key is compromised, damage is limited.
AWX RBAC
# AWX roles (defined in API or Ansible AWX collection)
# Team: Deployers
# - Can execute: deploy-playbook
# - Can execute: rollback-playbook
# - Cannot: delete-inventory, modify-credentials
# Team: Viewers
# - Can view: all job templates
# - Cannot: execute anything
# Team: Admins
# - Can execute: all job templates
# - Can modify: inventories, credentialsAWX RBAC controls who can run playbooks, modify inventories, and access credentials. Enforce separation of duties.
Audit Trails
# Enable Ansible logging in ansible.cfg
[defaults]
log_path = /var/log/ansible/ansible.log
callback_whitelist = timer, profile_tasks
# In AWX, job output is automatically logged
# Job output includes: who ran it, when, what changed, and full task outputEvery playbook run should be traceable. AWX provides built-in audit trails. For standalone Ansible, enable logging and store logs centrally.
The person who writes the playbook should not be the same person who approves and executes it in production. Use AWX workflows with approval gates to enforce this.
Create dedicated service accounts for Ansible automation. Never use personal accounts. This makes audit trails clear and enables key rotation without affecting individuals.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.