Migration note: Migrated from ADR-0014 on 2026-05-02 per ADR-0047. Original file retained at `docs/adr/0014-ansible-service-account.md` with deprecation banner.
# IAM-0003: IT Ansible Service Account (ansible-svc-account)

## Sources
- ADR-0014: ansible-svc-account dedicated service account pattern (2026-04-02)
| Field | Value |
|---|---|
| ID | IAM-0003 |
| Date | 2026-04-02 |
| Status | Accepted |
| Deciders | Ben Peries |
| Class | security/IAM |
## Status
Accepted — 2026-04-02
## Context
Ansible automation requires SSH access to all managed nodes. Running Ansible as a personal user account (e.g., operator) creates audit trail confusion, risks credential exposure in shared contexts, and couples automation to a specific user's SSH config and sudo permissions.
## Decision
All IT-zone Ansible automation uses a dedicated ansible-svc-account service account on every IT-zone managed node.
## AUDIT-DISCOVERABLE: IT Service Account Specification
The following parameters are the authoritative specification for the ansible-svc-account IT service account. This block is the single source of truth for compliance and audit purposes.
| Parameter | Value |
|---|---|
| Username | ansible-svc-account |
| UID | Consistent across all nodes (managed by Ansible common role) |
| SSH key path | ~/.ssh/ansible-svc-account (Ed25519) on the dev workstation |
| SSH port | 2222 (hardened, non-default) |
| Sudo | Passwordless (NOPASSWD) for automation tasks |
| Groups | sudo, docker (where Docker is installed) |
| Home directory | /home/ansible-svc-account |
| Key algorithm | Ed25519 |
| Scope | IT nodes only (caneast-site1-node2, caneast-site1-node3, caneast-site1-node4, caneast-site1-node5) |
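Because the table above is the audit reference, the natural companion is a check that compares what a node actually has against it. The script below is an added example, not part of the ADR or of the common role: it parses text snapshots of `/etc/passwd`, `/etc/group`, the sudoers rule, `authorized_keys` and `sshd_config` and reports every deviation from the specification, plus the cross-node UID consistency requirement. The host snapshots, UID values and key material are constructed sample data, not the real (redacted) values; the `docker` group is only required where Docker is installed, so that is passed in as a flag.

```python
"""Audit check for the IAM-0003 ansible-svc-account specification (added example).

Compares text snapshots of the files that encode the account state on a node
against the AUDIT-DISCOVERABLE table. Snapshots, UIDs and keys are constructed.
"""
import re

# Expected values, transcribed from the IAM-0003 specification table.
SPEC = {
    "user": "ansible-svc-account",
    "home": "/home/ansible-svc-account",
    "groups": {"sudo"},          # "docker" is added only where Docker is installed
    "key_type": "ssh-ed25519",
    "ssh_port": 2222,
}
KEY_TYPE_RE = re.compile(r"\b(ssh-[a-z0-9-]+|ecdsa-[a-z0-9-]+|sk-[a-z0-9@.-]+)\b")


def parse_passwd(text):
    """Map account name -> (uid, home) from /etc/passwd content."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, uid, _gid, _gecos, home, _shell = line.split(":")
            users[name] = (int(uid), home)
    return users


def parse_groups(text):
    """Map group name -> set of supplementary members from /etc/group content."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, _gid, members = line.split(":")
            groups[name] = {m for m in members.split(",") if m}
    return groups


def sshd_ports(text):
    """Ports sshd is configured to listen on; OpenSSH defaults to 22 without a Port line."""
    ports = set()
    for line in text.splitlines():
        m = re.match(r"^\s*Port\s+(\d+)\s*$", line, re.IGNORECASE)
        if m:
            ports.add(int(m.group(1)))
    return ports or {22}


def audit_node(host, passwd, group, sudoers, authorized_keys, sshd_config, docker_installed=False):
    """Return a list of findings for one node; an empty list means it matches SPEC."""
    findings = []
    users = parse_passwd(passwd)
    if SPEC["user"] not in users:
        return [f"{host}: {SPEC['user']} not provisioned"]
    _uid, home = users[SPEC["user"]]
    if home != SPEC["home"]:
        findings.append(f"{host}: home is {home}, expected {SPEC['home']}")
    required = SPEC["groups"] | ({"docker"} if docker_installed else set())
    groups = parse_groups(group)
    for g in sorted(required):
        if SPEC["user"] not in groups.get(g, set()):
            findings.append(f"{host}: not a member of group {g}")
    # Passwordless sudo: the account needs a sudoers rule carrying the NOPASSWD tag.
    sudo_re = re.compile(rf"^{re.escape(SPEC['user'])}\s+ALL\s*=.*NOPASSWD:")
    if not any(sudo_re.match(line) for line in sudoers.splitlines()):
        findings.append(f"{host}: no NOPASSWD sudoers rule for {SPEC['user']}")
    # Every key in authorized_keys must be Ed25519; any other type is a deviation.
    for line in authorized_keys.splitlines():
        if line.strip() and not line.startswith("#"):
            m = KEY_TYPE_RE.search(line)
            key_type = m.group(1) if m else "unknown"
            if key_type != SPEC["key_type"]:
                findings.append(f"{host}: non-Ed25519 key authorized ({key_type})")
    ports = sshd_ports(sshd_config)
    if ports != {SPEC["ssh_port"]}:
        findings.append(f"{host}: sshd listens on {sorted(ports)}, expected [{SPEC['ssh_port']}]")
    return findings


def audit_fleet(snapshots):
    """Audit every node, then check that the account's UID is identical across the fleet."""
    findings, uids = [], {}
    for host, snap in snapshots.items():
        findings += audit_node(host, **snap)
        users = parse_passwd(snap["passwd"])
        if SPEC["user"] in users:
            uids[host] = users[SPEC["user"]][0]
    if len(set(uids.values())) > 1:
        findings.append(f"fleet: UID of {SPEC['user']} differs across nodes: {uids}")
    return findings


# Constructed snapshots: node2 matches the spec, node3 deviates in three places.
_PASSWD = "root:x:0:0:root:/root:/bin/bash\n{user}:x:{uid}:{uid}::/home/{user}:/bin/bash\n"
_GROUP = "sudo:x:27:operator,{user}\ndocker:x:999:{user}\n"
SAMPLE_FLEET = {
    "caneast-site1-node2": dict(
        passwd=_PASSWD.format(user=SPEC["user"], uid=1500),
        group=_GROUP.format(user=SPEC["user"]),
        sudoers=f"{SPEC['user']} ALL=(ALL) NOPASSWD: ALL\n",
        authorized_keys="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5ConstructedSampleKey ansible-svc-account@dev\n",
        sshd_config="Port 2222\nPasswordAuthentication no\n",
        docker_installed=True,
    ),
    "caneast-site1-node3": dict(
        passwd=_PASSWD.format(user=SPEC["user"], uid=1501),                      # UID drift
        group=_GROUP.format(user=SPEC["user"]),
        sudoers=f"{SPEC['user']} ALL=(ALL) NOPASSWD: ALL\n",
        authorized_keys="ssh-rsa AAAAB3NzaC1yc2EConstructedSampleKey legacy@dev\n",  # wrong key type
        sshd_config="# Port left at default\n",                                     # still on 22
        docker_installed=False,
    ),
}

if __name__ == "__main__":
    for finding in audit_fleet(SAMPLE_FLEET):
        print(finding)
```

Run against the constructed fleet, node2 produces no findings and node3 reports the RSA key, the default port and the UID mismatch with node2. Feeding real snapshots would mean collecting those files with a read-only fact-gathering play; the checker itself changes nothing on the node.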
### SSH config (dev workstation)

```
Host caneast-site1-node2
    HostName REDACTED
    Port 2222
    User ansible-svc-account
    IdentityFile ~/.ssh/ansible-svc-account
    IdentitiesOnly yes

Host caneast-site1-node3
    HostName REDACTED
    Port 2222
    User ansible-svc-account
    IdentityFile ~/.ssh/ansible-svc-account
    IdentitiesOnly yes
```
## Rationale
- Dedicated account creates clean audit trail — all Ansible changes attributed to `ansible-svc-account`
- Ed25519 key is stronger and shorter than RSA
- Port 2222 reduces noise from automated SSH scanners on port 22
- Passwordless sudo required for unattended Ansible runs (AWX, CI/CD pipelines)
- Account provisioned by the common role — consistent across all nodes
## Alternatives Considered
- Personal user account (operator): mixes manual and automated changes in audit log
- Root login: violates security best practice, no audit trail granularity
- Per-node service accounts: inconsistent, harder to manage at scale
## Consequences
- Every new IT node must have `ansible-svc-account` provisioned before Ansible can manage it
- The `ansible-svc-account` SSH public key must be deployed to `~/.ssh/authorized_keys` on all IT nodes
- Personal accounts (`operator`) are for interactive use only — never for automation
- AWX (Phase 3) will use the same `ansible-svc-account` credentials
## Addendum — 2026-05-02
OT scope now governed by IAM-0004.
IAM-0003 covers IT-zone nodes only (caneast-site1-node2-5). OT-zone nodes (caneast-site1-mqtt1 and future
OT nodes) use a separate ansible-ot-svc-account service account (UID REDACTED) per IEC 62443
zone-and-conduit separation requirements.
The ansible-svc-account (IT) account must not be provisioned on OT nodes. The ansible-ot-svc-account
account must not be provisioned on IT nodes.
See IAM-0004 for the full OT specification, three-phase plan, and CISO conditions.
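The two "must not be provisioned" rules above are easy to check mechanically. The script below is an added example, not part of the ADR or of IAM-0004: given the zone of each managed host and the set of local account names observed on it (assumed to have been collected from `/etc/passwd` by a read-only fact-gathering play), it reports any IT automation account on an OT node, any OT automation account on an IT node, and any node missing its own zone's account. The inventory and account sets are constructed sample data; the only real names in them are the host and account names already used in this record.

```python
"""Zone-separation check for the IAM-0003 / IAM-0004 addendum (added example).

Inputs: host -> zone from inventory, and host -> set of local account names
(assumed collected from /etc/passwd). Sample data below is constructed.
"""

# One automation account per zone, from IAM-0003 (IT) and IAM-0004 (OT).
ZONE_ACCOUNT = {"IT": "ansible-svc-account", "OT": "ansible-ot-svc-account"}


def check_zone_separation(inventory, accounts_by_host):
    """Return findings for hosts that violate the IT/OT automation account rule."""
    findings = []
    for host, zone in inventory.items():
        if zone not in ZONE_ACCOUNT:
            raise ValueError(f"{host}: unknown zone {zone!r}")
        present = accounts_by_host.get(host, set())
        expected = ZONE_ACCOUNT[zone]
        if expected not in present:
            findings.append(f"{host} ({zone}): {expected} not provisioned")
        # The other zone's automation account must never exist on this node.
        for other_zone, other in ZONE_ACCOUNT.items():
            if other_zone != zone and other in present:
                findings.append(f"{host} ({zone}): {other} must not exist on a {zone} node")
    return findings


# Constructed sample: node2/node3 comply; node4, node5 and mqtt1 each break one rule.
SAMPLE_INVENTORY = {
    "caneast-site1-node2": "IT",
    "caneast-site1-node3": "IT",
    "caneast-site1-node4": "IT",
    "caneast-site1-node5": "IT",
    "caneast-site1-mqtt1": "OT",
}
SAMPLE_ACCOUNTS = {
    "caneast-site1-node2": {"root", "operator", "ansible-svc-account"},
    "caneast-site1-node3": {"root", "operator", "ansible-svc-account"},
    "caneast-site1-node4": {"root", "ansible-svc-account", "ansible-ot-svc-account"},  # OT account on IT node
    "caneast-site1-node5": {"root", "operator"},                                        # IT account missing
    "caneast-site1-mqtt1": {"root", "ansible-ot-svc-account", "ansible-svc-account"},   # IT account on OT node
}

if __name__ == "__main__":
    for finding in check_zone_separation(SAMPLE_INVENTORY, SAMPLE_ACCOUNTS):
        print(finding)
```

A host absent from the account map is treated as having no accounts, so a node that was never inventoried for facts shows up as "not provisioned" rather than silently passing.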
## References
- IAM-0002: IT/OT zone separation policy
- IAM-0004: OT Ansible service account (ansible-ot-svc-account)
- SECOPS-0001: Purple team tooling (references ansible-svc-account for simulation execution)