ADR-0014: ansible-svc-account dedicated service account pattern

Status

Accepted — 2026-04-02

Context

Ansible automation requires SSH access to all managed nodes. Running Ansible as a personal user account (e.g., operator) creates audit trail confusion, risks credential exposure in shared contexts, and couples automation to a specific user's SSH config and sudo permissions.

Decision

All Ansible automation uses a dedicated ansible-svc-account service account on every managed node.

Account specification

  • Username: ansible-svc-account
  • UID: consistent across all nodes (managed by Ansible common role)
  • SSH key: ~/.ssh/ansible-svc-account (Ed25519) on the dev workstation
  • SSH port: 2222 (hardened, non-default)
  • Sudo: passwordless for automation tasks
  • Groups: sudo, docker (where Docker is installed)
  • Home: /home/ansible-svc-account

SSH config (dev workstation)

Host caneast-c1-node2
    HostName caneast-c1-node2
    Port 2222
    User ansible-svc-account
    IdentityFile ~/.ssh/ansible-svc-account
    IdentitiesOnly yes

Host caneast-c1-node3
    HostName caneast-c1-node3
    Port 2222
    User ansible-svc-account
    IdentityFile ~/.ssh/ansible-svc-account
    IdentitiesOnly yes

Rationale

  • Dedicated account creates clean audit trail — all Ansible changes attributed to ansible-svc-account
  • Ed25519 key is stronger and shorter than RSA
  • Port 2222 reduces noise from automated SSH scanners on port 22
  • Passwordless sudo required for unattended Ansible runs (AWX, CI/CD pipelines)
  • Account provisioned by the common role — consistent across all nodes

Alternatives considered

  • Personal user account (operator): mixes manual and automated changes in audit log
  • Root login: violates security best practice, no audit trail granularity
  • Per-node service accounts: inconsistent, harder to manage at scale

Consequences

  • Every new node must have ansible-svc-account provisioned before Ansible can manage it
  • The ansible-svc-account SSH public key must be deployed to the account's own ~/.ssh/authorized_keys (/home/ansible-svc-account/.ssh/authorized_keys) on all nodes
  • Personal accounts (operator) are for interactive use only — never for automation
  • AWX (Phase 3) will use the same ansible-svc-account credentials
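The following playbook is an added example of how the account specification above and the first two consequences (account provisioned before Ansible can manage the node, public key placed in the account's authorized_keys) could be carried out in practice. It is not this ADR's own common role. Assumptions made here and not stated on the page: the fixed UID 2001 is a placeholder (the ADR only requires the UID to be the same on every node), the public key is read from ~/.ssh/ansible-svc-account.pub on the workstation, the node's OpenSSH honours the /etc/ssh/sshd_config.d/ Include directory (OpenSSH 8.2 and later, default on Debian/Ubuntu), and the SSH service is named ssh (it is sshd on RHEL-family systems).

```yaml
# Added example, not the ADR's own common role: provision ansible-svc-account
# per the account specification and verify the result on each managed node.
- name: Provision the ansible-svc-account service account
  hosts: all
  become: true
  vars:
    ansible_svc_uid: 2001   # assumed placeholder; ADR only requires consistency across nodes
    ansible_svc_pubkey: "{{ lookup('file', '~/.ssh/ansible-svc-account.pub') }}"  # assumed path

  tasks:
    - name: Ensure the account exists with the fixed UID and home directory
      ansible.builtin.user:
        name: ansible-svc-account
        uid: "{{ ansible_svc_uid }}"
        home: /home/ansible-svc-account
        shell: /bin/bash
        create_home: true
        groups: sudo
        append: true

    - name: Check whether a docker group exists on this node
      ansible.builtin.getent:
        database: group
        key: docker
        fail_key: false          # missing key yields None instead of failing

    - name: Add the account to the docker group where Docker is installed
      ansible.builtin.user:
        name: ansible-svc-account
        groups: docker
        append: true
      when: ansible_facts.getent_group.docker is not none

    - name: Install the workstation Ed25519 public key as the only authorized key
      ansible.posix.authorized_key:
        user: ansible-svc-account
        key: "{{ ansible_svc_pubkey }}"
        exclusive: true          # removes any stray keys left from manual setup

    - name: Grant passwordless sudo through a validated sudoers drop-in
      ansible.builtin.copy:
        dest: /etc/sudoers.d/ansible-svc-account
        content: "ansible-svc-account ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s   # a bad file never reaches /etc/sudoers.d

    - name: Move sshd to port 2222 and restrict it to key-based logins
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/10-ansible-svc-account.conf
        # Port lines accumulate: if the main sshd_config still sets "Port 22"
        # explicitly, sshd listens on both ports. Comment it out there first.
        content: |
          Port 2222
          PasswordAuthentication no
          PermitRootLogin no
        owner: root
        group: root
        mode: "0600"
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart ssh

    - name: Read the account back from the passwd database
      ansible.builtin.getent:
        database: passwd
        key: ansible-svc-account

    - name: Verify the UID matches the fleet-wide value before declaring the node managed
      ansible.builtin.assert:
        that:
          - ansible_facts.getent_passwd['ansible-svc-account'][1] == (ansible_svc_uid | string)
          - ansible_facts.getent_passwd['ansible-svc-account'][4] == '/home/ansible-svc-account'
        fail_msg: "ansible-svc-account UID or home differs from the ADR specification"

  handlers:
    - name: Restart ssh
      ansible.builtin.service:
        name: ssh                # assumed; use sshd on RHEL-family nodes
        state: restarted
```

The first run against a fresh node has to connect with whatever bootstrap access exists (default port, an interactive account with sudo); once this play has completed, the SSH config block for that host can switch to Port 2222 and User ansible-svc-account, and later runs use only the service account. The validate arguments on the sudoers and sshd tasks are what make an unattended run safe: a syntax error is rejected before the file lands, so the node cannot be left without working sudo or SSH.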