AWX helps with credential management

For Ansible to effectively manage an Enterprise Linux environment, it must have some form of credentials to access all of the servers it is managing. SSH authentication is normally secured with either SSH keys or passwords, and in a large team of Ansible operators, this can mean that everyone has access to those passwords and SSH private keys, since they are required for Ansible to run. Needless to say, this presents a security risk!

As stated previously, from a security standpoint, this is less than desirable, as it would be too easy for someone to copy and paste credentials and use them in a manner for which they were not intended. AWX also handles this by storing required credentials in its database, encrypted with a passphrase chosen at installation time. The GUI stores all the credentials using reversible encryption so that they can be passed to Ansible when playbooks are run later on. However, the GUI does not let you see any previously entered sensitive data (such as passwords or SSH private keys). That is to say, they can be entered and changed, but you cannot show a password or SSH key in the GUI, and hence operators can't easily make use of the AWX frontend to obtain credential information for use elsewhere. In this way, AWX helps enterprises keep their credentials under lock and key and ensures that they are only used for Ansible deployments and are not leaked or used for any other unintended purposes.
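The write-only behaviour described above can be checked from the defender's side. The following is an added example, not code from the book or from the AWX project: it audits a credential listing for secret fields that come back readable instead of masked. It assumes the listing is shaped like AWX's `/api/v2/credentials/` response, where stored secrets are replaced by the `$encrypted$` placeholder; the sample data and function names are constructed for illustration.

```python
import json

# Secret input fields of AWX's built-in Machine and Vault credential types.
SECRET_FIELDS = {"password", "ssh_key_data", "ssh_key_unlock",
                 "become_password", "vault_password"}
MASK = "$encrypted$"  # placeholder returned in place of a stored secret

# Constructed sample shaped like a credential listing (assumption, see lead-in).
SAMPLE_RESPONSE = json.dumps({
    "count": 3,
    "results": [
        {"id": 1, "name": "prod-ssh", "inputs": {
            "username": "ansible", "ssh_key_data": "$encrypted$"}},
        {"id": 2, "name": "lab-password", "inputs": {
            "username": "root", "password": "$encrypted$",
            "become_password": ""}},
        # Deliberately bad record: what a leaking endpoint would look like.
        {"id": 3, "name": "broken-export", "inputs": {
            "username": "deploy", "password": "constructed-plaintext"}},
    ],
})

def find_exposed_secrets(response_text):
    """Return (credential name, field) pairs whose secret value is readable."""
    exposed = []
    for cred in json.loads(response_text).get("results", []):
        for field, value in cred.get("inputs", {}).items():
            if field not in SECRET_FIELDS:
                continue  # usernames and similar fields are not secret
            if value in ("", None, MASK):
                continue  # unset, or stored and masked
            exposed.append((cred["name"], field))
    return exposed

def stored_secret_fields(response_text):
    """Map credential name -> secret fields that hold a masked value."""
    return {c["name"]: sorted(f for f, v in c.get("inputs", {}).items()
                              if f in SECRET_FIELDS and v == MASK)
            for c in json.loads(response_text).get("results", [])}

if __name__ == "__main__":
    for name, field in find_exposed_secrets(SAMPLE_RESPONSE):
        print(f"EXPOSED: credential {name!r} returns {field} in clear text")
```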

Ansible Vault is an excellent tool for encrypting any sensitive data that a playbook needs to operate on, be that for playbook data in the form of variables or storing server credentials themselves, such as an SSH private key. Although Vault is highly secure, it is easy to see the vault contents if you have the vault password (here, you would need to run a playbook that uses the Vault). As a result, AWX provides unique functionality to supplement Ansible and ensure security in an enterprise environment.

In these ways, AWX helps to address many of the challenges that enterprises face when deploying Ansible in a large-scale environment. Before we complete this section of this chapter, we will touch very briefly on how AWX can help you to integrate with other services.
