Introduction

Ansible Automation Platform 2.6 introduces several security improvements including centralized RBAC, external secret management, and on-premise reporting. This guide covers security best practices for hardening your AAP 2.6 deployment.

Authentication and Access Control

Centralized Authentication

Use the platform gateway for all authentication:

```yaml
# Recommended: SAML or OIDC for enterprise SSO
authentication:
  type: saml
  entity_id: "https://aap.example.com/sso/metadata/"
  sso_url: "https://idp.example.com/saml2/sso"
  certificate: "/etc/pki/aap/saml-cert.pem"
```

RBAC Best Practices

1. Principle of least privilege — Grant minimum necessary permissions

2. Role-based, not user-based — Assign permissions through roles and teams

3. Regular access reviews — Audit permissions quarterly

4. Separate admin accounts — Don't use admin accounts for day-to-day operations

```yaml
# Example: Minimal operator role
- name: Create restricted operator role
  ansible.platform.role:
    name: "Restricted Operator"
    permissions:
      - view_job_template
      - execute_job_template
      - view_inventory
    state: present
```

Secrets Management

External Vault Integration

Always use external secret management in production:

```yaml
# Use credential lookups instead of hardcoded values
credentials:
  - name: "Database Password"
    credential_type: "Vault Lookup"
    inputs:
      vault_url: "https://vault.example.com"
      vault_path: "secret/database/prod"
      vault_key: "password"
```

Credential Rotation

Implement automated credential rotation:

  • Service account passwords — every 90 days
  • API tokens — every 30 days
  • SSH keys — every 180 days
  • Vault tokens — short TTLs with auto-renewal

Network Security

TLS Everywhere

Ensure all communication is encrypted:

```yaml
# Verify TLS settings
aap_verify_ssl: true

# Use valid certificates (not self-signed in production)
web_server_ssl_cert: /etc/pki/tls/certs/aap.crt
web_server_ssl_key: /etc/pki/tls/private/aap.key
```

Network Segmentation

  • Place AAP components in a dedicated network segment
  • Use firewalls to restrict access to required ports only
  • Separate management and execution networks

Audit and Compliance

Enable Audit Logging

AAP 2.6 provides comprehensive audit logs:

  • Job execution history with user attribution
  • Configuration change tracking
  • Authentication events
  • RBAC modifications

Automation Dashboard for Compliance

Use the new automation dashboard to:

  • Track who is running what automation
  • Monitor job success/failure rates
  • Generate compliance reports (PDF/CSV)
  • Demonstrate controls to auditors

Execution Environment Security

Signed Execution Environments

```yaml
# Use signed container images
execution_environments:
  - name: "Secure EE"
    image: "registry.example.com/ee-secure:latest"
    pull: always
    signature_verification: required
```

Minimal EE Images

Build ex