Role-Based Access Control and Privilege Management

Implementing proper access controls for Ansible infrastructure prevents unauthorized automation execution and limits blast radius from compromised accounts. Ansible Tower (now AWX) and Red Hat Ansible Automation Platform provide enterprise-grade RBAC capabilities, but even community Ansible deployments can implement effective access controls.

SSH key management forms the foundation of Ansible access control. Each automation user should have unique SSH keys with appropriate restrictions. Implement SSH key rotation policies and use SSH certificates where possible. Configure SSH daemon settings to enforce key-based authentication and disable password authentication.

# Example playbook for implementing SSH security hardening
---
- name: Harden SSH configuration for Ansible access
  hosts: all
  become: yes
  tasks:
    - name: Configure SSH daemon settings
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
        # Reject the edit if the resulting file fails sshd's own syntax check,
        # so a typo cannot leave the daemon unable to restart
        validate: 'sshd -t -f %s'
      loop:
        - regexp: '^#?PermitRootLogin'
          line: 'PermitRootLogin no'
        - regexp: '^#?PasswordAuthentication'
          line: 'PasswordAuthentication no'
        - regexp: '^#?PubkeyAuthentication'
          line: 'PubkeyAuthentication yes'
        - regexp: '^#?PermitEmptyPasswords'
          line: 'PermitEmptyPasswords no'
        - regexp: '^#?MaxAuthTries'
          line: 'MaxAuthTries 3'
        - regexp: '^#?ClientAliveInterval'
          line: 'ClientAliveInterval 300'
      notify: restart sshd

    - name: Configure allowed users for SSH
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?AllowUsers'
        line: 'AllowUsers ansible deploy'
        state: present
        validate: 'sshd -t -f %s'
      notify: restart sshd

    - name: Set up ansible user with restricted sudo
      # Note: on distributions whose /etc/sudoers grants %wheel full sudo,
      # this membership overrides the restricted rules written below; drop it
      # if the sudoers.d file is meant to be the account's only grant
      user:
        name: ansible
        groups: wheel
        append: yes          # preserve any existing group memberships
        shell: /bin/bash
        create_home: yes

    - name: Configure sudo access for ansible user
      # Note: root-level cp/mv/chmod/chown can alter any file on the system,
      # so the second rule is close to unrestricted root; narrow it to the
      # exact paths the playbooks need
      copy:
        content: |
          ansible ALL=(ALL) NOPASSWD: /usr/bin/systemctl, /usr/bin/yum, /usr/bin/dnf
          ansible ALL=(ALL) NOPASSWD: /bin/cp, /bin/mv, /bin/chmod, /bin/chown
        dest: /etc/sudoers.d/ansible
        mode: '0440'
        # visudo -c rejects a malformed file before it can break sudo entirely
        validate: 'visudo -cf %s'

  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted
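The per-key restrictions mentioned above (unique keys, source restrictions, enforced rotation) live in each authorized_keys entry and can be checked mechanically. The following Python script is an added example, not code from the original article: it parses an authorized_keys body and flags keys that lack a from= source restriction, the restrict option, or an unexpired expiry-date. The key material, comments and the reference date are constructed for illustration.

```python
"""Audit an authorized_keys file for the per-key restrictions a hardened
Ansible account should carry: a source restriction (from=...), the
'restrict' option (disables forwarding, PTY and agent use), and an
expiry-date that has not passed (so rotation is enforced by sshd itself).

Added example, not code from the original article. The file content and
the reference date below are constructed for illustration."""
import re
from datetime import datetime, timezone

# An entry without options starts directly with the key type.
KEY_TYPE_RE = re.compile(r"^(sk-)?(ssh-|ecdsa-sha2-)")

# Constructed sample: one unrestricted key, one well-restricted key, and one
# forced-command key whose expiry has already passed.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample file
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterial000000000000000000000 ops@laptop
restrict,from="10.0.0.0/8",expiry-date="20991231" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterial111111111111111111111 ansible@controller
from="192.0.2.10",command="/usr/local/bin/deploy.sh --env prod",expiry-date="20200101Z" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyMaterial2222 deploy@ci
"""
REFERENCE_TIME = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed "now"


def split_options(line):
    """Split an entry into (options, rest): options end at the first
    whitespace not inside double quotes (forced commands may contain spaces)."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].strip()
    return line, ""


def parse_options(opt_str):
    """Parse 'restrict,from="a,b",expiry-date="..."' into a dict; flags map to None."""
    options, token, in_quote = {}, [], False

    def flush():
        text = "".join(token).strip()
        if text:
            name, _, value = text.partition("=")
            options[name.lower()] = value.strip('"') if value else None
        token.clear()

    for ch in opt_str:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            flush()
        else:
            token.append(ch)
    flush()
    return options


def parse_expiry(spec):
    """OpenSSH expiry-date is YYYYMMDD[Z] or YYYYMMDDHHMM[SS][Z]; a trailing Z
    means UTC. This example treats a missing Z as UTC as well, for simplicity."""
    digits = spec.rstrip("Zz")
    for fmt in ("%Y%m%d", "%Y%m%d%H%M", "%Y%m%d%H%M%S"):
        try:
            return datetime.strptime(digits, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised expiry-date: {spec!r}")


def audit_entry(line, now):
    """Return {'comment', 'keytype', 'findings'} for one entry, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if KEY_TYPE_RE.match(line.split(None, 1)[0]):
        options, rest = {}, line
    else:
        opt_str, rest = split_options(line)
        options = parse_options(opt_str)
    fields = rest.split(None, 2)
    keytype = fields[0] if fields else ""
    comment = fields[2] if len(fields) > 2 else ""
    findings = []
    if "from" not in options:
        findings.append("no from= source restriction")
    if "restrict" not in options:
        findings.append("no 'restrict' option")
    expiry = options.get("expiry-date")
    if expiry is None:
        findings.append("no expiry-date, so rotation is not enforced")
    elif parse_expiry(expiry) <= now:
        findings.append(f"expired on {expiry}")
    return {"comment": comment, "keytype": keytype, "findings": findings}


def audit_authorized_keys(text, now=None):
    """Audit every entry in an authorized_keys file body."""
    now = now or datetime.now(timezone.utc)
    entries = (audit_entry(line, now) for line in text.splitlines())
    return [entry for entry in entries if entry is not None]


if __name__ == "__main__":
    for entry in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, REFERENCE_TIME):
        status = "; ".join(entry["findings"]) or "OK"
        print(f"{entry['comment']:<20} {entry['keytype']:<12} {status}")
```

Run it against a real file with `audit_authorized_keys(open(path).read())`; the options parser keeps commas inside quoted values intact, so a from= list of several networks is read as one value.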

Privilege escalation in playbooks requires careful consideration. While Ansible's become feature enables privilege escalation when needed, unrestricted sudo access creates security risks. Implement granular sudo rules that limit commands available to the Ansible user. Use become only when necessary and specify the minimum required privileges.
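Whether the sudo rules on a fleet are actually granular can be checked by parsing the sudoers fragments and comparing each grant against an approved command list. The following Python script is an added example, not code from the original article: it parses user specifications of the form used in the playbook above and flags rules that grant ALL, use wildcard arguments, or name commands outside the approved set. The sudoers text and the approved-command list are constructed for illustration.

```python
"""Audit sudoers rules for the granularity the article asks for: every
command an automation account may run as root should be an explicit absolute
path from an approved list, with no ALL and no wildcard arguments.

Added example, not code from the original article. The sudoers text and the
approved-command list are constructed for illustration."""
import re

# user  host = (runas) [TAG:]... command[, command]...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+?)\s*$"
)

SAMPLE_SUDOERS = """\
# constructed sample of /etc/sudoers.d content
Defaults env_reset
ansible ALL=(ALL) NOPASSWD: /usr/bin/systemctl, /usr/bin/yum, /usr/bin/dnf
deploy  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) /usr/bin/rsync *
"""
APPROVED_COMMANDS = {"/usr/bin/systemctl", "/usr/bin/yum", "/usr/bin/dnf", "/usr/bin/rsync"}
SKIP_PREFIXES = ("Defaults", "@include", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_rules(text):
    """Return a list of user-specification rules; aliases and Defaults are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip().upper() for t in m.group("tags").split(":") if t.strip()}
        commands = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append({
            "user": m.group("user"),
            "runas": m.group("runas") or "root",
            "tags": tags,
            "commands": commands,
        })
    return rules


def audit_rules(rules, approved):
    """Return [{'user', 'findings'}] for each rule; an empty findings list means the rule is granular."""
    report = []
    for rule in rules:
        findings = []
        tag = "NOPASSWD: " if "NOPASSWD" in rule["tags"] else ""
        for cmd in rule["commands"]:
            path, _, args = cmd.partition(" ")
            if path == "ALL":
                findings.append(f"{tag}ALL grants every command as {rule['runas']}")
                continue
            if not path.startswith("/"):
                findings.append(f"{path}: not an absolute path (alias or relative name)")
            elif path not in approved:
                findings.append(f"{path}: not on the approved list")
            if "*" in args:
                findings.append(f"{path}: wildcard arguments ({args!r})")
        report.append({"user": rule["user"], "findings": findings})
    return report


if __name__ == "__main__":
    for entry in audit_rules(parse_rules(SAMPLE_SUDOERS), APPROVED_COMMANDS):
        print(entry["user"], "->", "; ".join(entry["findings"]) or "OK")
```

Feed it the concatenated contents of /etc/sudoers.d on each host (an Ansible `slurp` task works well for gathering them) and treat any non-empty findings list as a deviation from the approved grant set.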