How to Use SSH Keys with Ansible for Secure Server Management?
There are a couple of ways in which you can securely connect to a remote server using Ansible.
- Using the SSH Keys (Public, Private)
- Using the remote server password
Both methods are widely used by DevOps practitioners, and both are secure. But still, if I would like to vote for Using the SSH keys for secure server management,
In this blog post, we are going to take a look at:
- How do I setup your SSH keys?
- How to use SSH keys in Ansible Playbooks?
- Securing your SSH keys in Ansible?
- Troubleshooting the SSH keys issues
1. How do I setup your SSH keys?
Before we start using the SSH keys in our Ansible Playbook it is really important for us to first generate the SSH key pair, which includes both Private and Public keys.
1. Generate an SSH key pair.
To generate the SSH key, you need to use the
keygen utility. Run the following command to generate the SSH keys:
1# Generate the ssh key pair 2# Keys will be generated at - /home/ubuntu/.ssh/.id_rsa 3 4ssh-keygen
2. Locate the Public RSA key.
The default location would be - /home/ubuntu/.ssh/.id_rsa but it varies a lot based on the settings of your remote server.
3. Copy the Public SSH key to the remote server.
After generating the SSH key, you need to copy the public key to the remote server. Use the following command to copy the public key:
1# Replace user_name and remote_host_ip with the appropriate values for your setup. 2 3$ ssh-copy-id user_name@remote_host_ip
4. Manually test the remote server connection
Test the connection from your local machine to the remote server using the SSH key pair. If the connection is successful, you should be logged into the remote server without needing to enter a password.
1$ ssh user@remote_host
2. How to use SSH keys in Ansible Playbooks
After generating the SSH keys, use the following steps for configuring the Inventory Files of your Ansible playbook.
1. Inventory/Hosts File- Here is a screenshot of one my Ansible playbook where I have created a host file.
Here is the content of my hosts file. You need to specify the
ansible_ssh_private_key_file variables for each host, as shown in the example below:
1# id_rsa is my private key. 2 3[default] 4220.127.116.11 ansible_ssh_private_key_file=/Users/rahulwagh/.ssh/id_rsa
2. Create an Ansible Playbook- In your Ansible playbook, define the tasks you want to perform on the remote hosts. The following example will install python on the remote server 18.104.22.168.
1--- 2- name: Update and upgrade packages 3hosts: servers 4become: yes 5tasks: 6- name: installing packages for python env 7become: yes 8apt: 9name: 10- python3-pip 11update_cache: yes
3. Run the Ansible Playbook- This is a crucial part because here you need to carefully pass the hosts/inventory file so that ansible-playbook knows on which server it has to run the playbook using the ansible_ssh_private_key_file.
Here is the ansible playbook command to run the playbook -
1# Path of hosts file : --inventory inventory/vm-setup-playbook/hosts 2ansible-playbook --inventory inventory/vm-setup-playbook/hosts vm-setup-playbook.yml
3. Securing your SSH keys in Ansible
SSH keys are generally secured, but you have to take extra precaution while handling them within the team, so that they do not leak.
Here are the best practices that you should follow for securing the SSH keys in Ansible -
1. Dedicated Keys for Ansible - Do not use common keys for running the Ansible playbook. Use dedicated keys specifically created for Ansible playbooks. This limits the potential impact if a key is compromised and ensures that the keys are only used for their intended purpose.
2. Restrict access to the private key file- You should always use the least privileged principle and only grant access to those users who have access to the remote server and also have permission to make changes to the server using the Ansible playbook.
3. Use Ansible Vault - An secure Ansible Vault is a safe place to store secret information, such as private key files. This gives your SSH keys and other private information in your playbooks an extra layer of security.
Follow these steps to use Ansible Vault:
a. Install Ansible Vault: Ensure that the ansible-vault command-line utility is installed on your local machine.
b. Create an encrypted vault file: Create a new encrypted vault file*** to store your private SSH key. Replace vault_password_file with the path to a file containing your desired vault password.
1$ ansible-vault create --vault-password-file vault_password_file private_key_vault.yml
4. Troubleshooting the SSH keys issues
Here are some of the most common issues related to SSH Keys which you might face while working with the Ansible playbook. -
1. Permission on SSH Key- Always make sure that the private key file has the correct permission assigned. As a thumb rule, keep the default read permission on the private key file.
2. Test the remote server's SSH Connection - Manually test the remote server's SSH connection using the following command, so that you know that you are using the correct SSH keys.
1# SSH command to test a remote server connection 2# Replace the user and remote_host with your desired server configuration. 3 4$ ssh user@remote_host
3. Ansible verbose- To extend the ansible playbook troubleshooting, you should add the -vvv verbose flag, so that you can get more detailed logs while running the playbook.
1# Add the -vvv flag at the end of the ansible playbook command. 2 3$ ansible-playbook -i inventory.ini update_and_upgrade.yml -vvv
4. Check the remote server log- The last troubleshooting step would be to check the logs on the remote server. Here is an example path for a log file for a based system:
1# Check the latest 50 logs of auth.log 2 3$ sudo tail -n 50 /var/log/auth.log
I hope this blog post will help you get a better understanding of how to use SSH keys with your Ansible playbook and what the best practices are for securing the SSH keys.
By adding SSH key authentication to your playbooks, you can make your automation processes much more secure and make sure that your infrastructure is handled in a reliable and efficient way.
Posts in this Series
- How to Use SSH Keys with Ansible for Secure Server Management?
- Why YAML is so important in Ansible?
- Clone Public and Private Git Repositories with Ansible
- How to Limit Ansible playbook on Hosts, Groups and multiple hosts?
- Easy Fix for 'zsh command not found ansible' Error After Installing Ansible with Pip
- Demystifying Hosts, Inventory Roles, and Tasks
- Fixing-Unable to start service apache2 Job for apache2.service failed because the control process exited with error code?
- Why Ansible is the Ultimate Tool for DevOps Teams - A Beginner's Guide?
- Ansible how to fix destination path already exists and is not an empty directory?
- Install Ansible on MacOS, Windows, Ubuntu(debian) and Fedora(rpm) - Part 1