Should I use my personal admin user or create a dedicated 'ansible' user for SSH in Ansible?

I'm starting learining and using ansible and struggling a bit with the user ansible uses for ssh.

Is ansible supposed to use my personal admin user to ssh onto the invetory hosts and escalate priviliges there if needed or is it a better way to create a service user called "ansible" on each inventory host with sudo rights so ansible can use this dedicated user for all of its stuff?

if there is dedicated "ansible" user I could store the private key on the ansible server and limit the ssh ability on the hosts for that user to the asible server ip.

Is there any guideline on how to do that?

This a topic where there is probably no objective best solution and you'll get arguments supporting both options.

I'm strongly opposed to "shared" accounts.

Often more and more people will get access to shared accounts and passwords won't get changed regularly or at all. When people leave/change roles too often they'll still have privileged access, because revoking their personal (admin) accounts and privileges doesn't revoke their access to such shared accounts. Eventually nobody feels accountable for the shared account anymore and/or the impact of changing the password and/or revoking access rights can't be overseen and nobody will want to enter that minefield anymore.

As a security conscious administrator I want to have an audit trail where logins/actions/changes can be attributed to specific team members and administrators.

So when I run a playbook from my workstation, I'll authenticate with my personal account. When my colleague is developing a new playbook, they run them with their own personal credentials. All administrators have full sudo rights already anyway.

In addition to personal accounts we have AWX ; the plays that launched from there will run with the credentials of a specific functional account dedicated to AWX, but there will be an audit trail in AWX with accounting which schedule and/or whom launched the play.

Access to the functional account reserved for AWX access should be restricted ( i.e. with options in the ˜/.ssh/authorized_keys file and/or a User Match in the sshd_config) so even when an admin gets access to the private key used by AWX they can't use it from their own workstation to run/develop playbooks.

Create a dedicated "ansible" user on the remote hosts.

See:

• Ansible: Control User Requirements.

• How can I auth as different users

• Ansible remote_user: root

The best practice is to put your public key into the authorized_keys of this "ansible" user. Create the user and allow a passwordless sudo for the "ansible" user on the remote host.

You don't have to create SSH keys for "ansible" user on the remote hosts. The ssh connection plugin doesn't need it when you connect the "ansible" user on the remote host from the controller.

Q: "What do you mean by "You don't have to create SSH keys for "ansible" user on the remote hosts"? I still need to put down my public key on the remote hosts ansible user ssh config, right?"

A: Right. You need to put your public key into the ansible user file .ssh/authorized_keys on the remote host. For example,

shell> ssh admin@test_11 find .ssh
.ssh
.ssh/authorized_keys

I mean you don't need the SSH keys(e.g. id_rsa, id_rsa.pub) on the remote hosts. For example,

shell> ssh admin@test_12 find .ssh
.ssh
.ssh/authorized_keys
.ssh/id_rsa              <-- not needed
.ssh/id_rsa.pub          <-- not needed
.ssh/known_hosts         <-- not needed

See: SSH Protocol