Best practices: Tower security

I see that in AWX/Tower I have made use of schedules. Naturally I have saved credentials in the job template.

In the Windows world with Active Directory we have Group Policy, which enforces policies, so I guess I would like to emulate that with AWX/Tower.

I have spoken to a Linux engineer about this and they have said that it is not a good idea to use saved credentials in Ansible job templates / schedules. Of course the jobs I am doing are not impacting… I’d no hard disk setting changes. This is more of a compliance

I would love to hear your thoughts on this and what the use cases are for Tower schedules / saved credentials for compliance types of activity.

Many thanks,

Wei-yen

I’m not sure I understand how exactly you are storing credentials.
If you are creating a new credential object, stored credentials are encrypted and are perfectly safe to use.
If you use plaintext credentials within playbooks themselves, that would be an issue.

What exactly are the concerns your Linux engineer raised?

On Saturday, 27 March 2021 at 05:37:59 UTC+1, weiye...@gmail.com wrote:

Basically he was saying that it was better to set up cronjobs on each host to do tasks than to have jobs run from the Ansible AWX host. I personally use Credential objects not vault.

What would be good is to know the use cases of you guys using schedules. How do you handle the credential objects being used for each template and such? Do you use individual credentials or a system one?

Thanks for the help.

regards.

Wei-Yen

Credentials and AWX users are a topic here at my company.

Since this is the AWX forum, I recently set up a Survey Question for the password. So like I have an account on all Windows servers, the credential is stored in CyberArk. I start the playbook, go into CyberArk, pull the password at that given time and paste it into the survey question at runtime. So you can only know the password if you have rights via CyberArk, and no credential is saved in Ansible AWX for any user to try to get to.

Regards,
Daniel
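The runtime-survey approach Daniel describes, written out as an added example (not Daniel's own template or playbook): the first YAML document is an AWX job template survey spec with a password-type question, the second is a read-only audit playbook that consumes the answer. The variable name `win_admin_password`, the inventory group `windows` and the account `svc-compliance-audit` are constructed for this example.

```yaml
# --- Document 1: AWX job template survey_spec (constructed example) ---
# AWX accepts this as JSON on the template's survey_spec endpoint; YAML is
# shown for readability. A "password" question is masked in the UI and the
# answer is stored as $encrypted$ in the job's extra_vars, not in the template.
name: "Runtime Windows credential"
description: "Password is pasted from the vault at launch and never saved in AWX"
spec:
  - question_name: "Windows audit account password (retrieve from CyberArk)"
    question_description: "Pulled from the vault at launch time"
    variable: win_admin_password   # assumed variable name
    type: password
    required: true                 # a scheduled launch cannot satisfy this
    min: 1
    max: 1024
    default: ""
    choices: ""
---
# --- Document 2: playbook that uses the survey answer (constructed example) ---
- name: Read-only compliance audit of Windows hosts
  hosts: windows                   # assumed inventory group
  gather_facts: false
  vars:
    ansible_user: "svc-compliance-audit"          # assumed account name
    ansible_password: "{{ win_admin_password }}"  # comes only from the survey
    ansible_connection: winrm
    ansible_winrm_transport: ntlm
  tasks:
    - name: Fail early if no runtime password was supplied
      ansible.builtin.assert:
        that:
          - win_admin_password is defined
          - win_admin_password | length > 0
        fail_msg: "No password supplied; launch this template interactively"
      no_log: true                 # keep the value out of the job output

    - name: Collect Windows Update service state for the audit report
      ansible.windows.win_service_info:
        name: wuauserv
      register: wu_service
      no_log: true                 # connection vars are part of task output

    - name: Report the audited state only (no secrets in this output)
      ansible.builtin.debug:
        msg: "wuauserv state on {{ inventory_hostname }}: {{ wu_service.services[0].state }}"
```

Because the question is `required`, a launch from a schedule with no survey answer is refused, which is exactly the trade-off Wei-Yen raises next.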

Thank you, Daniel. So you would essentially not use schedules at all, because it would mean saving the password in the template…