Hi,
I have installed Ansible on a server which is an EC2 instance; the EC2 in which I have installed Ansible has a public IP, which means it is in a public subnet. For another configuration I have launched a jumpbox server which is also in the public subnet. I have launched an EC2 in a private subnet which I am able to access via the jumpbox server. I have written a configuration file in the .ssh folder of the jumpbox EC2. Here is an example:
Host bastion-host
    HostName
    User ubuntu
    Port 22
    IdentityFile key/file/path
    IdentitiesOnly yes

Host private-ec2
    HostName
    User ubuntu
    Port 22
    IdentityFile key/file/path
    IdentitiesOnly yes
    ProxyJump bastion-host
And I have allowed the SG id of the jumpbox in the private EC2's SG.
I have found some docs where it is mentioned to make changes in the inventory file; here is how I wrote the inventory file:
[jumpbox] (its the group)
[test] (its the group)
host01 ansible_host=
ansible_ssh_user= ansible
ansible_ssh_private_key_file= key/file/path
[jumpbox:vars]
ansible_user= ubuntu
private_key_file= key/file/path
ansible_ssh_common_args='-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ProxyCommand="ssh -W %h:%p -q ansible@"'
The above file I have written on the Ansible server.
I am able to connect to the jumpbox with Ansible and get a ping response, but I am unable to connect to the private server with Ansible. Can you help with it? I have been stuck on it for many days.
I’d need more time to wrap my head around your setup, but here are a few remarks / questions, top of my head:
Isn’t your jumpbox the ‘bastion-host’ you’re mentioning in the ssh config up there? If so, why would you define this host in your bastion’s ssh config, as well as use it for the private-ec2 host? This config file should be on your Ansible control node (the one you’re running Ansible playbooks from). Or am I missing something?
‘HostName’ fields are empty in your ssh config; why is that?
The ‘jumpbox’ group is empty in your inventory. If you plan to use it somewhere, as your group vars suppose, your jumpbox / bastion should be in there.
ansible_ssh_common_args should probably be applied to your remote hosts, not your jumpbox. I think?
I’m not sure ansible@ works in your ProxyCommand option. I’m guessing you’d like to authenticate using the ‘ansible’ user on your jumpbox using this command, but I think you’d have to specify the host as well, not just the user.
Then again, I might be reading all of this wrong.
In comparison, I simply set the ANSIBLE_SSH_ARGS envvar on my Ansible control node to use our bastion as jumpbox to reach managed nodes with Ansible, like this: ANSIBLE_SSH_ARGS=-o ProxyJump=my_bastion_host -o User=my_ansible_remote_user -o IdentityFile=my_ansible_private_key_filepath
‘my_bastion_host’ referring to the corresponding host in the ssh client config on the same machine:
Host my_bastion_host
    HostName my_bastion_hostname
    User my_user_on_bastion_host
    IdentityFile my_user_private_key_filepath
And ‘my_ansible_private_key_filepath’ being the private key file local path I use to login through ssh on my remote / managed node (Ansible targets) using ‘my_ansible_remote_user’.
Note you could use ProxyCommand instead of ProxyJump depending on the OpenSSH version you’re using on both client and server.
So please tell me what I misunderstood and we’ll take it from there.
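As an added illustration of the remarks above (not a file from either poster), here is an inventory that applies them: the jumpbox group actually contains the bastion, and the jump option sits on the private targets. It assumes the "Host bastion-host" entry from the question (with HostName, User and IdentityFile filled in) lives in ~/.ssh/config on the Ansible control node, since ProxyJump resolves the jump host through the ssh client config; values in <...> are placeholders.

```ini
# Example inventory (added here, not the original poster's file).
# Assumes ~/.ssh/config on the control node defines "Host bastion-host".

[jumpbox]
# The group the vars below refer to must actually contain the bastion.
bastion ansible_host=bastion-host

[jumpbox:vars]
ansible_user=ubuntu
ansible_ssh_private_key_file=<bastion/key/file/path>

[test]
# Host vars go on the host line itself; an empty value is not allowed.
host01 ansible_host=<private-ec2-ip>

[test:vars]
ansible_user=ubuntu
ansible_ssh_private_key_file=<private-ec2/key/file/path>
# The jump belongs on the private targets, not on the jumpbox group, and
# ProxyJump names the bastion explicitly rather than a bare "ansible@".
# Host-key checking is left enabled so that a substituted bastion or
# target is noticed instead of silently trusted.
ansible_ssh_common_args='-o ProxyJump=bastion-host'
```

Check the chain first from the control node with `ssh -J bastion-host ubuntu@<private-ec2-ip> true`, then run `ansible -i inventory.ini test -m ping`.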