Right now I just manually SSH into a box in our cluster and run ansible.
But I want to automate this… Ideally I could just bump the version number in my code when I want it released… and 2 minutes later it would be staged, tested, and deployed.
But the issue is SSH auth… many of my daemons need root. I don’t necessarily want to have keys just sitting there giving anyone full access to my cluster.
So a very good option for key management would be ansible tower - http://ansible.com/tower
Let Tower hold on to your key, and nobody will see it. It will use ssh-agent behind the scenes (your key may be locked with a password or not) and only allow that key to be used for running Ansible playbooks.
(The key is saved encrypted in the database)
I’d also consider setting things up so something like an “ansible” user can sudo. It isn’t strictly required, but might help a little bit with tracking who does what.
(Tower also keeps good logs of this)
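The "ansible user that can sudo" setup suggested above, as an added example that is not from any participant in this thread: a playbook that creates the service account, installs only the public half of the deploy key (the private key stays in Tower), and grants sudo with per-user I/O logging so actions are attributable. The public key path is a placeholder, and the `authorized_key` module is assumed to come from the `ansible.posix` collection.

```yaml
# Added example (not from the thread): dedicated "ansible" account instead of
# root SSH, with sudo logging for audit. Assumes a Debian/Ubuntu-style host.
- name: Provision a dedicated ansible user with audited sudo
  hosts: all
  become: true
  vars:
    # Placeholder: path to the PUBLIC key matching the key Tower holds.
    ansible_pubkey_file: files/ansible_deploy.pub
  tasks:
    - name: Create the ansible service account
      ansible.builtin.user:
        name: ansible
        shell: /bin/bash
        create_home: true

    - name: Install the deploy public key (exclusive, so stray keys are removed)
      ansible.posix.authorized_key:
        user: ansible
        key: "{{ lookup('file', ansible_pubkey_file) }}"
        exclusive: true

    - name: Grant sudo with per-user logging, syntax-checked before install
      ansible.builtin.copy:
        dest: /etc/sudoers.d/ansible
        owner: root
        group: root
        mode: "0440"
        # visudo rejects a broken file instead of locking everyone out of sudo
        validate: /usr/sbin/visudo -cf %s
        content: |
          Defaults:ansible logfile=/var/log/sudo-ansible.log
          Defaults:ansible log_input, log_output
          ansible ALL=(ALL) NOPASSWD: ALL
```

Every command the `ansible` user runs through sudo is then recorded in `/var/log/sudo-ansible.log` and, with `log_input`/`log_output`, as replayable sessions under sudo's I/O log directory, which is the "tracking who does what" the post refers to.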
The SSH issue is still an issue if I’m letting this daemon run as root on tower, because anyone can just inject code if they can break into this box…
Not really.
Any config tool does need to actually configure the box, however Tower has role based access control that you can use to restrict WHO can configure the box.
Further, you can also control access to your source control so only certain people should have access to your playbooks.
You can allow some users you don’t trust to deploy into test/stage environments, and only allow ops team members you trust to deploy into prod.
And that exists with every single configuration tool on the planet – needing to be able to configure the system – and is not a SSH key specific kind of thing.
I think he meant unauthorized access to the tower machine. Either way, that's a bigger issue.
"I think he meant unauthorized access to the tower machine. Either way, that's a bigger issue."
Yeah, it’s not really possible to have unauthorized access to the Tower machine, unless you have a physical access problem.
Well, let's hope for the best on the first, but yeah, physical access = game over.