It allows us to use centralized Jenkins servers that run Ansible (and Terraform in our case for the actual AWS provisioning with Ansible is just used to configure EC2 instances and run its ad-hoc playbooks for administrative tasks).We can then control access to these Jenkins servers through credentials and/or security groups/NACLs. Doing it this way means we can control the amount of people who have some form of credentials that would allow them to build anything they like and/or destroy anything they like. Ideally, we would only provide credentials to the Jenkins servers via IAM EC2 instance roles but we're not quite there yet. One real positive out of this is that our front line/second line support guys who use Windows pretty much exclusively can access a nice web GUI for managing things in the middle of the night and run Jenkins jobs that they specifically have access to run that will do things such as restarting a server/service or even rebuilding part of a VPC. We've got a separate 'dev' account that developers have access to from their own machines and it's here that we build things out as we develop our Ansible (and Terraform) code base before that code base is then used in our test and production environments.