In a current project I have been facing some issues with Ansible connecting through a bastion using the right keys.

So I went digging. It turns out that by default ssh tries a default set of keys, but it wasn't offering the right key for this host (the key doesn't have a standard name, which didn't help).

After hacking around it with the ssh config file, I looked for a proper way to fix it.

In ansible.cfg, specify:

```ini
[ssh_connection]
# Setting ssh_args replaces Ansible's defaults (-C -o ControlMaster=auto -o ControlPersist=60s),
# so multiplexing has to be re-declared in ssh.cfg. The path is relative to
# the directory ansible is run from.
ssh_args = -F ./ssh.cfg
```

This lets us keep an ssh config file at the project level, which means it can be committed to the repo and shipped with the rest of the Ansible code.

```
# Decoupling identity
# Include is the ssh_config keyword for pulling in another file ("import" is
# not accepted by OpenSSH). A relative path is resolved under ~/.ssh, not the
# project directory, so use an absolute path if the file should live in the repo.
Include identity.cfg

Host bastion
  Hostname localhost
  Port 2222
  User devops

Host *
  # Re-declared here because ssh_args in ansible.cfg replaces Ansible's defaults
  ControlMaster auto
  # %h-%r only: two hosts sharing a hostname (e.g. several VMs on localhost
  # with different ports) would share one socket; add %p to separate them
  ControlPath /tmp/%h-%r
  ControlPersist 5m
  # Disables host key verification; acceptable for a throwaway local VM on
  # localhost:2222, not for hosts reachable by anyone else
  UserKnownHostsFile /dev/null
  StrictHostKeyChecking no
```

Note the `Include identity.cfg` line: it lets us switch identities locally later, with git.

```
# Applies to every host we log into as devops; ~ is expanded by ssh itself
Match User devops
  IdentityFile ~/.ssh/id_rsa
```
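To check which identity this layering actually produces for `devops@bastion`, here is an added Python resolver, not part of the post, that models just the ssh_config rules the setup depends on: Host globs, `Match User`, `Include`, and the rule that the first obtained value wins. It embeds constructed copies of the files above and assumes the remote user is already known when `Match` is read, which is the case when Ansible passes `-o User=devops`.

```python
import fnmatch
import os

# Constructed copies of the post's files, keyed by path. A relative Include
# is resolved under ~/.ssh (ssh_config(5)), so identity.cfg is keyed there.
FILES = {
    "./ssh.cfg": """\
Include identity.cfg
Host bastion
  Hostname localhost
  Port 2222
  User devops
Host *
  ControlMaster auto
  StrictHostKeyChecking no
""",
    os.path.expanduser("~/.ssh/identity.cfg"): """\
Match User devops
  IdentityFile ~/.ssh/id_rsa
""",
}

def resolve(path, host, user, opts=None):
    """Effective options for user@host, modelling only what the post relies on:
    Host globs, 'Match User X', Include, and first-obtained-value-wins."""
    opts = {} if opts is None else opts
    active = True  # does the current Host/Match block apply to this target?
    for raw in FILES[path].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition(" ")
        key, val = key.lower(), val.strip()
        if key == "host":
            active = any(fnmatch.fnmatchcase(host, p) for p in val.split())
        elif key == "match":
            active = val.lower().split() == ["user", user.lower()]
        elif key == "include":
            inc = val if val.startswith(("/", "~")) else "~/.ssh/" + val
            if active:
                resolve(os.path.expanduser(inc), host, user, opts)
        elif active:
            opts.setdefault(key, val)  # first value wins; later blocks cannot override
    return opts

def effective(host="bastion", user="devops"):
    # (identityfile, hostname, port) that ssh would use for user@host
    o = resolve("./ssh.cfg", host, user)
    return o.get("identityfile"), o.get("hostname"), o.get("port")
```

The real check is `ssh -G -F ./ssh.cfg devops@bastion`, which prints the effective configuration OpenSSH itself computes.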
Let's test it. Here is a playbook that checks connectivity:

```yaml
---
- name: Accessing the remote target and jumpboxes
  hosts: all
  become: false
  gather_facts: false

  tasks:

    - name: Simple ping showing connectivity
      ping:

...
```

Resources