Ansible, CyberArk, root and SSH

Hello

We have Ansible in our organisation which deploys software across our Development servers.

IT Security recently CyberArk’d each of the Development servers and now Ansible cannot log into each of the machines (not even as ‘root’).

When I try manually to SSH as ‘root’ with the password from CyberArk (copied and pasted) I’m still unable to log on. The only way to open a session as ‘root’ is from within CyberArk.

I read about AIM agents but my understanding is that all that this will do is retrieve the password from CyberArk and pass it back to Ansible.

In other words, how will this help me for as long as the servers are Unreachable and I cannot even SSH from one machine to another, not even as ‘root’?

Am I going about this the right way or is it possible that additional security has been added (such as firewalls) which I am unaware of?

Can you help?

Many thanks for your advice.

Disclaimer: I’ve never used the CyberArk suite so I’m not aware of all options it might have. Other tools I have used had their own replacement for “ssh” that had to be used and provided a similar experience. (But that was in a pre-Ansible world about 15 years ago so…)

Your question really sounds like your CyberArk engineers need to talk with you and your managers on how they will permit you to continue to do work while increasing security. It might be that they are now requiring specific “ssh enabled” accounts instead of your usual method of going in straight as root. Connecting to a server as root is a bad idea - you should use a regular account and use “sudo” (e.g. ‘become’ in Ansible) to perform commands with root permissions.

If they truly locked things down so you must use the CyberArk GUI/tool and don’t have a ssh option at all then you’re probably out of luck.