If you need to comply with PCI


Requirement 2: Maintain an inventory of system components in scope for PCI DSS
to support effective scoping practices.

You will find that using public-key authentication is sometimes
as it’s almost impossible to ensure employees are rotating the keys, keeping the
private key safe and with a strong password.

Using Ansible without ssh key based authentication is painful if you need to
run a playbook against hundreds of servers, as you will need to insert your
password ad nauseam.

Ansible Vault To The Rescue

“Vault” is a feature of ansible that allows keeping sensitive data such as
passwords or keys in encrypted files.

We can leverage Ansible Vault to keep the user password stored in a safe way:

mkdir group_vars
ansible-vault create group_vars/all.yml

After providing a password (although I am not aware of a way to audit that the
password is good enough), insert all the need Ansible credentials:

ansible_user: <username>
ansible_ssh_pass: <password>
ansible_become_pass: <sudo password>

We can run any Ansible playbook easily:

ansible-playbook -i inventory.ini playbook.yml --ask-vault-pass

Using Ansible Vault we can follow PCI guidelines without jeopardising
productivity or security.