So storing the password on your control host and passing it into the mysql module’s login_password option won’t work?
Or just running the mysql module locally and having it connect remotely to the mysql host?

On Jan 10, 2014, at 18:15, Stan Lemon <[email protected]> wrote:

> So this is a PCI compliant environment. I hit similar issues when I worked
> in health care though and we were trying to meet HIPAA compliance with our
> hardware. Auditors just didn’t want access credentials on the same box, so
> with that company we were able to have puppet handle them and because the
> puppet master was somewhere else the auditors didn’t care. It’s dumb
> reasoning, but it’s the way these industries work.
>
> So I can have passwords in my ansible playbooks, that’s tolerable. I just
> can’t put the password on the box itself. That is most likely a pretty
> uniform requirement, with the exception of application configuration to
> connect to said database.
>
> Thanks for your help on this.
>
> --
> Stan Lemon
>
>
> On January 10, 2014 at 1:25:01 PM, Peter Gehres
> ([email protected]) wrote:
>
>> I don’t think ciphertext + decryption key would fly either. I agree with
>> you that both this 0600 on the root should be sufficient, but often times
>> the audits in these regulated environments defy rational arguments.
>>
>> Sadly, I thought that might be your answer. Does this only apply to the root
>> password?
>>
>> If you can share, what framework are you being audited under? You've got me
>> playing cat-and-mouse with the auditors in my head. :-)
>>
>> Have you solved this problem outside of Ansible anywhere as part of an
>> automation routine?
>>
>>
>>
>> --
>> Peter Gehres
>> Site Reliability Engineer | AppDynamics, Inc.
>> www.appdynamics.com | AS62897
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
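
The two approaches asked about at the top of this message, as an added example that is not part of the original thread: the mysql_user task is delegated to the control host and connects to the database over the network, and the root password is prompted for at run time so it is never written to the database host. The group name `dbservers`, the account and database names, the client subnet and the variable names are assumptions.

```yaml
# Added example; hosts, users, subnet and variable names are hypothetical.
- hosts: dbservers
  gather_facts: no

  # Secrets are typed on the control host at run time and held in memory only.
  vars_prompt:
    - name: mysql_root_password
      prompt: "MySQL root password"
      private: yes
    - name: app_db_password
      prompt: "Password for the application account"
      private: yes

  tasks:
    - name: Create the application account from the control host
      mysql_user:
        # Connection made from the control host to the remote MySQL server
        login_host: "{{ inventory_hostname }}"
        login_user: root
        login_password: "{{ mysql_root_password }}"
        # Account being managed
        name: appuser
        host: "10.0.0.%"            # constructed application subnet
        password: "{{ app_db_password }}"
        priv: "appdb.*:ALL"
        state: present
      # Run the module locally so no credential file (~/.my.cnf) is
      # needed on the database host.
      delegate_to: localhost
      # Keep the module arguments, including both passwords, out of logs.
      no_log: true
```

This needs the MySQL Python bindings on the control host, and the account named in `login_user` must be allowed to connect from the control host's address.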
