Stage 4 · Provision
Secrets & Security
Supply-Chain Safety
Signing content, pinning collections, and trusted sources.
Supply Chain Risks
Ansible automates with privileges. If a malicious role or collection is installed, it can compromise your entire infrastructure. Supply-chain attacks target the tools and dependencies you trust.
Pinning Versions
---
roles:
- name: geerlingguy.nginx
version: "3.1.0" # Exact version, not range
- name: geerlingguy.docker
version: "6.1.0"
collections:
- name: community.general
version: "7.2.0" # Exact version
- name: community.docker
version: "5.0.0"
# NEVER use these in production
# version: latest # Unpinned — unpredictable
# version: ">=7.0.0" # Range — may pull new versionsPin exact versions in production. Use ranges only in development. This prevents unexpected behavior from updated dependencies.
Signing Content
# Sign a role before publishing
ansible-galaxy role sign --signing-key /path/to/key.pem my-role
# Verify a role signature
ansible-galaxy role verify --keyring /path/to/pubring.gpg my-role
# Install with signature verification
ansible-galaxy role install --required-signature-count 1 my-roleSigning ensures content has not been tampered with since the author published it. Verify signatures before installing from public sources.
Trusted Sources
| Source | Trust Level | Recommendation |
|---|---|---|
| Verified Galaxy authors | Medium | Check author reputation and reviews |
| Forked repos | High | Fork and maintain your own copy |
| Internal library | Highest | Your team controls the code |
| Random GitHub | Low | Audit thoroughly before use |
Verifying Content
# Step 1: Check the role's meta/main.yml
# Look for: galaxy_info, dependencies, license
# Step 2: Review the role's tasks
# Read every file in tasks/ for suspicious commands
# Watch for: shell, command, uri, get_url with external URLs
# Step 3: Check for hidden files
# ls -la the role directory
# Step 4: Install in a sandbox first
ansible-galaxy role install -p /tmp/test-role my-role
cat /tmp/test-role/my-role/tasks/main.ymlAlways audit roles before installing. Look for shell commands, network calls, or file operations that seem suspicious.
A single malicious role can compromise your entire fleet. Only install content from trusted authors, review code before use, and pin versions in production.
Create an approved roles and collections list. Only install from this list. This is your supply-chain policy enforced through requirements.yml.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.