Configuring Ansible Host File to Use SSH Keys for Remote EC2 Host
Ansible uses SSH to run playbook files against remote host machines, and sometimes those hosts are EC2 instances running on AWS. For my project this week, my team and I created a web server on an EC2 instance. My job was to write the playbook that added our public SSH keys to the server and configured SSH to authenticate with RSA public/private keys, run that playbook, and then run my teammate's playbook to install the web server. To do this, I needed the private key that EC2 generated when the instance was created; the moment of creation is the only time you can download that private key .pem file. Once I had the file, I stored it in my ansible folder, since this was only a test project and I was only going to use the key a few times. At this point I changed the permissions on privatekey.pem to 600:
chmod 600 privatekey.pem
After that, I had to go into the Ansible host file and add the EC2 instance along with a few other parameters so Ansible could reach the server over SSH. Here is an example of the lines I had to add to the host file:
[webservers]
ec2-54-12-244-22-west-1.compute.amazonaws.com ansible_user=ubuntu ansible_ssh_private_key_file=/etc/ansible/privatekey.pem
Breakdown of the host configuration:
- [webservers] : this is the group name by which the EC2 instance can be referenced in the Ansible playbook file.
- ec2-54-12-244-22-west-1.compute.amazonaws.com : this is the DNS name of the host.
- ansible_user=ubuntu : this is the user I'd like to log in as.
- ansible_ssh_private_key_file=/etc/ansible/privatekey.pem : this is the path to the private key I'm using to access the server over SSH.
After I provided this information I was able to run my ssh.yml playbook, which added the needed users, their admin permissions, and their public keys to the server. From here on, I no longer needed the private key issued at EC2 instance creation. As good practice, it is best not to keep using that EC2-issued private key when it can be avoided. So I reconfigured the host file to use the personal private key I generated with ssh-keygen, changing it to the following:
[webservers]
ec2-54-12-244-22-west-1.compute.amazonaws.com ansible_user=garrett ansible_ssh_private_key_file=/home/garrett/keys/privatekey
As you can see from this snippet, I've changed the user to the one created by the playbook, and I'm using the private key that matches the public key I added to the server. From here on, I can run the ansible-playbook command with an extra parameter that lets it use my sudo password for the privileged commands in the playbook. That command is shown here:
ansible-playbook playbook.yml --extra-vars "ansible_sudo_pass=mypassword"
I added the extra variable "ansible_sudo_pass" when running this command so that it would use my password; otherwise it would have errored out with a permission denied. This way of referencing hosts that Ansible allows in the host file is very efficient in my opinion and very easy to work with once you get the hang of it.
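The ssh.yml playbook described above is not shown on this page, so here is an added example of what such a bootstrap playbook can look like; it is not the author's own playbook. It assumes the [webservers] group from the host file, an Ubuntu host (sudo group, ssh service name), a public key at /home/garrett/keys/privatekey.pub, and that the ansible.posix collection is installed.

```yaml
---
# Added example playbook (not the author's ssh.yml): create admin users,
# install their public keys, and restrict sshd to key-based logins.
# The usernames, groups and key path below are assumptions.
- name: Bootstrap admin users and key-only SSH on the EC2 host
  hosts: webservers
  become: true
  vars:
    admin_users:
      - name: garrett
        pubkey: "{{ lookup('file', '/home/garrett/keys/privatekey.pub') }}"
  tasks:
    - name: Create admin users with a login shell
      ansible.builtin.user:
        name: "{{ item.name }}"
        shell: /bin/bash
        groups: sudo          # Ubuntu's admin group; RHEL-family hosts use 'wheel'
        append: true
      loop: "{{ admin_users }}"

    - name: Install each user's public key into authorized_keys
      ansible.posix.authorized_key:      # requires the ansible.posix collection
        user: "{{ item.name }}"
        key: "{{ item.pubkey }}"
        state: present
      loop: "{{ admin_users }}"

    - name: Disable password authentication in sshd
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PasswordAuthentication'
        line: 'PasswordAuthentication no'
        validate: '/usr/sbin/sshd -t -f %s'   # refuse to write a config sshd cannot parse
      notify: Restart sshd

    - name: Ensure public key authentication is enabled
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PubkeyAuthentication'
        line: 'PubkeyAuthentication yes'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart sshd

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: ssh
        state: restarted
```

Run it first with the EC2-issued key and ansible_user=ubuntu, then switch the host file to your own user and key as the post describes. For the later sudo-password runs, `ansible-playbook playbook.yml --ask-become-pass` prompts for the password instead of placing it on the command line, where shell history and process listings would record it.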