Technotes

Technotes for future me

Running Ansible through SSH Jump / Bastion Host

In a strictly secured environment, you may not be allowed to connect to the Ansible-controlled servers directly; only the bastion host (a.k.a. jump host) is freely allowed to access all systems. How do you perform your automation tasks in such a scenario?

I found a FAQ from Ansible itself. However, each person's scenario may be different.

Setup SSH access

The following is a simple illustration of this connection.

As you can see from the diagram, we need to set up two different SSH keys first.

  • SSH key for connecting from the Ansible server to the jump / bastion host. This can be a user or root key.
  • SSH key for connecting from the jump / bastion host to all target servers. This can also be either a user or root key.

Configure Ansible

Configure the /etc/ansible/ansible.cfg file and enter the path of the private key file.

grep private_key_file /etc/ansible/ansible.cfg
private_key_file = ~/.ssh/bastion

Update Host Variables in the inventory

[server]
controlledserver

[server:vars]
ansible_ssh_common_args='-o StrictHostKeyChecking=no -o ProxyCommand="ssh -W %h:%p -q <user>@bastion"'
ansible_ssh_user=<user>

In this inventory section, you have to define two variables: ansible_ssh_common_args and ansible_ssh_user. The common-args parameter defines the SSH proxy for all hosts in that host group. If you want strict host key checking to be enabled, remove the -o StrictHostKeyChecking=no option.

Here I have also defined the parameter ansible_ssh_user. This tells Ansible which user to use when connecting from the jump host to the target servers. If you don't define any user here, Ansible will assume that you are running the command as the root user. If you want to run as the root user, then your SSH Key 2 should be the root user's key on the jump host.
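The following script is an added example and is not part of the original technote. It parses an inventory shaped like the one above, reads the ansible_ssh_common_args value the way Ansible does (one level of shell quoting removed, then ssh -o options), reports when host key checking has been switched off or no bastion proxy is set at all, and prints an equivalent group definition that keeps host key verification on. The group, host and user names are constructed; the hardened variant (OpenSSH's -J / ProxyJump shorthand for ProxyCommand "ssh -W %h:%p", with StrictHostKeyChecking=yes and a pinned known_hosts file) is this example's suggestion, not a setting the note itself shows.

```python
"""Audit an Ansible INI inventory's bastion (jump host) SSH settings.

Added example, not code from the original technote. Group, host and user
names below are constructed; the hardened variant produced by
hardened_inventory() is this example's own suggestion.
"""
import configparser
import shlex

# Constructed sample inventory mirroring the note's [server] group.
INVENTORY = """\
[server]
controlledserver

[server:vars]
ansible_ssh_common_args='-o StrictHostKeyChecking=no -o ProxyCommand="ssh -W %h:%p -q deploy@bastion"'
ansible_ssh_user=deploy
"""


def parse_inventory(text):
    """Parse INI-style inventory text. allow_no_value accepts bare host lines;
    interpolation=None keeps the %h:%p in ProxyCommand from being expanded."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def ssh_options(common_args):
    """Return {name: value} for the -o Name=Value and -J options in an ssh
    argument string, after stripping the one level of quoting that Ansible
    removes from inventory values."""
    value = common_args.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in ("'", '"'):
        value = value[1:-1]
    tokens = shlex.split(value)
    opts = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-o" and i + 1 < len(tokens):
            name, _, val = tokens[i + 1].partition("=")
            opts[name] = val
            i += 2
        elif tok.startswith("-o") and "=" in tok:  # -oName=Value form
            name, _, val = tok[2:].partition("=")
            opts[name] = val
            i += 1
        elif tok == "-J" and i + 1 < len(tokens):  # -J is shorthand for ProxyJump
            opts["ProxyJump"] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return opts


def audit_inventory(text, group):
    """Return a list of findings for the group's ansible_ssh_common_args."""
    cp = parse_inventory(text)
    section = f"{group}:vars"
    if not cp.has_section(section):
        return [f"[{section}] is missing, so no bastion proxy is configured"]
    opts = ssh_options(cp.get(section, "ansible_ssh_common_args", fallback=""))
    findings = []
    if opts.get("StrictHostKeyChecking", "").lower() in ("no", "off"):
        findings.append(
            "StrictHostKeyChecking=no: the target's host key is never verified, "
            "so a host answering in its place would not be noticed")
    if "ProxyCommand" not in opts and "ProxyJump" not in opts:
        findings.append("no ProxyCommand/ProxyJump: Ansible would connect directly, "
                        "bypassing the bastion")
    return findings


def hardened_inventory(group, host, bastion, user, known_hosts="~/.ssh/bastion_known_hosts"):
    """Same group definition with host key checking kept on. '-J bastion' is
    OpenSSH's built-in equivalent of ProxyCommand "ssh -W %h:%p bastion".
    These -o options apply to the target hop; the bastion hop takes its
    settings from the client's own ssh config."""
    args = (f"-o StrictHostKeyChecking=yes -o UserKnownHostsFile={known_hosts} "
            f"-J {user}@{bastion}")
    return (f"[{group}]\n{host}\n\n[{group}:vars]\n"
            f"ansible_ssh_common_args='{args}'\nansible_ssh_user={user}\n")


if __name__ == "__main__":
    for finding in audit_inventory(INVENTORY, "server") or ["no findings"]:
        print("-", finding)
    print("\nhardened equivalent:\n")
    print(hardened_inventory("server", "controlledserver", "bastion", "deploy"))
```

Run it with `python3 audit_inventory.py` (file name assumed). Note that options given with -o apply to the connection to the target host; the hop to the bastion is a separate ssh process, so its host key check is governed by the ssh client configuration on the Ansible server, which is where the bastion's key should be pinned.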

Test the Setup

Simply run ansible <host group> -a "command" to test whether the setup is working. See the examples below:

Ansible ad-hoc

ansible -i inventory server -a "/usr/bin/uptime"

server | CHANGED | rc=0 >>
 14:50:04 up 54 days, 18:02,  1 user,  load average: 0.07, 0.20, 0.26

Ansible playbook

---
- name: Test Ping
  hosts: server
  # become: True
  # become_user: root
  # gather_facts: false
  tasks:
    - name: Ping test
      ping:

ansible-playbook -i inventory pingtest.yml

PLAY [Test Ping] *********************************************************************************************************************************************************

TASK [Gathering Facts] ***************************************************************************************************************************************************
ok: [server]

TASK [Ping test] *********************************************************************************************************************************************************
ok: [server]

PLAY RECAP ***************************************************************************************************************************************************************
server          : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Source:
https://www.techbeatly.com/2020/07/running-ansible-through-ssh-jump-bastion-host.html

Last updated on 30 Apr 2021
Published on 11 Apr 2021