Running Ansible through SSH Jump / Bastion Host
In a strict secured environment, you may not be allowed perform tasks freely. Only the bastion host (a.k.a jump host) is the one freely allowed to access all systems. In some scenarios restricted environment access is via only through jump host. How will you perform your automation tasks in such scenario?
I was in search for an answer and found a FAQ from Ansible itself. However, scenarios for each people may have different. So, this write is will help you to understand, how to setup properly.
Setup SSH access
Following is simple illustration about this connection.
As you can see from the diagram, we need to setup 2 different SSH keys first.
- SSH key for connecting from Ansible server to the jump / bastion host. This can be user / root key
- SSH key from jump / bastion host to all target servers. This can also be either user or root key.
Due to security reasons, it is advised to use user key from the jump host to target servers. If you setup root key, any user who can become root user jump host can access these servers and can do anything.
You can also use 2 different users for this purpose. As an example, user1 can be used for SSH from Ansible host to jump host and user2 can be used for connecting from jump host to all target servers.
You must export the private key file ( SSH Key 2) and copy it into safe location in Ansible server.
Now you have to configure
/etc/ansible/ansible.cfg file enter the path of private key file you copied from jump host
This is all you need to do as a configuration change.
Update Host Variables
You now need to update host variables.
In this section, you have to define 2 variables. First one is
ansible_ssh_common_args and second one is
ansible_ssh_user. The common argument parameter will define SSH proxy for all hosts defined under that host group. If you want strict host key checking to be enabled, you can remove the line
-o StrictHostKeyChecking=no, as shown above. Otherwise you can leave that as it may help if you have any failure with running playbooks.
In this example, I used root user to jump from Ansible host to jump host. So my SSH Key 1 is a root user key.
Now, I have defined a parameter
ansible_ssh_user. This will tell Ansible that when you connect from jump host to target servers, use that user. If you don’t define any user here, Ansible will assume that you are running the command as root user. If you want to run as root user, then your SSH Key 2 should be root user key of the jump host.
That’s it. Now you can run a test
Test the Setup
ansible <host group> -a "command" to test, if the setup is working or not.
As you can see my test run is successful for the test machines. You can ignore the python related warning as that’s just my local machine issue.
become parameter to execute privileged commands, when you run the Ansible playbook with normal user option. A sample playbook shown below for reference.