My reading of the PCI DSS requirements is that these accounts refer to user accounts rather than process accounts. I have disabled access to the ansible account(s) via password and ensured that only SSH key access is granted. This means that the SSH key is king and must not be stolen, of course. You could also try restricting the ansible account(s) to access servers only from specific hosts (i.e. your ansible servers) to make life a little harder for anyone who manages to get their hands on the keys.
My last place went through exactly this dilemma when rolling out HPSA to govern user access. All SSH access had to be blocked, but we made the case for the ansible account(s) to IT Security and they were happy with the lock-down we gave the accounts.
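The lock-down described in the post (key-only login for the automation account, pinned to the control hosts) expressed as an sshd_config fragment, with a small audit function that checks a config file actually enforces it. This is an added example, not code from the post or from Ansible; the account name `ansible`, the user `alice` and the addresses 10.0.0.10/10.0.0.11 are constructed.

```shell
# Added example, not from the original post. Audits an sshd_config to confirm an automation
# account (assumed name: ansible) has no password login and may only arrive from named
# control hosts; 10.0.0.10 and 10.0.0.11 are constructed addresses.
# The lock-down the post describes, as an sshd_config(5) fragment.
hardened_fragment() {
  cat <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
# user@host entries pin the automation account to the control hosts
AllowUsers ansible@10.0.0.10 ansible@10.0.0.11 alice
Match User ansible
    PermitEmptyPasswords no
EOF
}
# Weak counterpart: password login re-enabled for the account, reachable from anywhere.
weak_fragment() {
  printf 'AllowUsers ansible alice\nMatch User ansible\n    PasswordAuthentication yes\n'
}
# audit_sshd_config FILE USER: returns 0 only if USER is key-only and host-bound.
# A Match User block overrides global PasswordAuthentication as sshd does; only a global
# AllowUsers is examined (a simplification in this example).
audit_sshd_config() {
  awk -v user="$2" '
    BEGIN { section = "global"; g_pw = "yes" }        # sshd default is "yes"
    /^[[:space:]]*$/ || $1 ~ /^#/ { next }             # skip blank and comment lines
    tolower($1) == "match" {
      section = "other"
      if (tolower($2) == "user") {
        n = split($3, names, ",")
        for (j = 1; j <= n; j++) if (names[j] == user) section = "user"
      }
      next
    }
    tolower($1) == "passwordauthentication" {
      if (section == "global") g_pw = tolower($2); else if (section == "user") u_pw = tolower($2)
    }
    tolower($1) == "allowusers" && section == "global" {
      for (i = 2; i <= NF; i++) {
        split($i, p, "@")
        if (p[1] == user) { if (p[2] == "") unbound = 1; else bound = 1 }
      }
    }
    END {
      effective = (u_pw != "") ? u_pw : g_pw
      exit (effective == "no" && bound && !unbound) ? 0 : 1
    }' "$1"
}
```

Run `hardened_fragment > /tmp/sshd_test && audit_sshd_config /tmp/sshd_test ansible && echo locked-down` to see the check pass; the same file fails for `alice`, who has no host restriction.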
