Playbook can't connect to EC2 instance, but SSH works fine?

New to Ansible but I’m really enjoying working with it so far. I’ve started writing a playbook that creates an EC2 instance and then attempts to connect to it and configure it. For some reason it’s failing to connect, even though it appears to be using the correct key and attempting to connect as the correct user. It’s also using the correct hostname. I turned verbose output on and I still don’t see what the issue is. Can anyone suggest what the issue might be?

I provisioned an EC2 instance and now I want to connect to it:

Here’s my play:

Configure instances

- include: configure-ireland.yml # This just installs a single package, httpd, nothing fancy
  vars:
    ansible_ssh_user: ec2-user
    ansible_ssh_private_key_file: keys/eric_eu_west_1.pem

Here’s the output of ansible-playbook -vvvvv myplay.yml when it fails to connect to my instance via ssh:

TASK [setup] *******************************************************************
<ec2-54-194-134-79.eu-west-1.compute.amazonaws.com> ESTABLISH SSH CONNECTION FOR USER: ec2-user
<ec2-54-194-77-121.eu-west-1.compute.amazonaws.com> ESTABLISH SSH CONNECTION FOR USER: ec2-user
<ec2-54-194-134-79.eu-west-1.compute.amazonaws.com> SSH: ansible.cfg set ssh_args: (-o)(ControlMaster=auto)(-o)(ControlPersist=60s)
<ec2-54-171-76-221.eu-west-1.compute.amazonaws.com> ESTABLISH SSH CONNECTION FOR USER: ec2-user
<ec2-54-194-134-79.eu-west-1.compute.amazonaws.com> SSH: ANSIBLE_PRIVATE_KEY_FILE/private_key_file/ansible_ssh_private_key_file set: (-o)(IdentityFile="keys/eric_eu_west_1.pem")
<ec2-54-194-134-79.eu-west-1.compute.amazonaws.com> SSH: ansible_password/ansible_ssh_pass not set: (-o)(KbdInteractiveAuthentication=no)(-o)(PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey)(-o)(PasswordAuthentication=no)
<ec2-54-194-134-79.eu-west-1.compute.amazonaws.com> SSH: ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set: (-o)(User=ec2-user)
<ec2-54-194-134-79.eu-west-1.compute.amazonaws.com> SSH: ANSIBLE_TIMEOUT/timeout set: (-o)(ConnectTimeout=10)
<ec2-54-194-134-79.eu-west-1.compute.amazonaws.com> SSH: PlayContext set ssh_common_args: ()
<ec2-54-171-76-221.eu-west-1.compute.amazonaws.com> SSH: ansible.cfg set ssh_args: (-o)(ControlMaster=auto)(-o)(ControlPersist=60s)
<ec2-54-171-76-221.eu-west-1.compute.amazonaws.com> SSH: ANSIBLE_PRIVATE_KEY_FILE/private_key_file/ansible_ssh_private_key_file set: (-o)(IdentityFile=“keys/eric_eu_west_1.$
em”)
<ec2-54-194-77-121.eu-west-1.compute.amazonaws.com> SSH: ansible.cfg set ssh_args: (-o)(ControlMaster=auto)(-o)(ControlPersist=60s)
<ec2-54-171-76-221.eu-west-1.compute.amazonaws.com> SSH: ansible_password/ansible_ssh_pass not set: (-o)(KbdInteractiveAuthentication=no)(-o)(PreferredAuthentications=gssap$
-with-mic,gssapi-keyex,hostbased,publickey)(-o)(PasswordAuthentication=no)
<ec2-54-194-77-121.eu-west-1.compute.amazonaws.com> SSH: ANSIBLE_PRIVATE_KEY_FILE/private_key_file/ansible_ssh_private_key_file set: (-o)(IdentityFile=“keys/eric_eu_west_1.$
em”)
<ec2-54-171-76-221.eu-west-1.compute.amazonaws.com> SSH: ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set: (-o)(User=ec2-user)
<ec2-54-194-77-121.eu-west-1.compute.amazonaws.com> SSH: ansible_password/ansible_ssh_pass not set: (-o)(KbdInteractiveAuthentication=no)(-o)(PreferredAuthentications=gssap$
-with-mic,gssapi-keyex,hostbased,publickey)(-o)(PasswordAuthentication=no)
<ec2-54-171-76-221.eu-west-1.compute.amazonaws.com> SSH: ANSIBLE_TIMEOUT/timeout set: (-o)(ConnectTimeout=10)
<ec2-54-194-77-121.eu-west-1.compute.amazonaws.com> SSH: ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set: (-o)(User=ec2-user)
<ec2-54-194-77-121.eu-west-1.compute.amazonaws.com> SSH: ANSIBLE_TIMEOUT/timeout set: (-o)(ConnectTimeout=10)
<ec2-54-194-77-121.eu-west-1.compute.amazonaws.com> SSH: PlayContext set ssh_common_args: ()
<ec2-54-171-76-221.eu-west-1.compute.amazonaws.com> SSH: PlayContext set ssh_common_args: ()
<ec2-54-194-77-121.eu-west-1.compute.amazonaws.com> SSH: PlayContext set ssh_extra_args: ()
<ec2-54-171-76-221.eu-west-1.compute.amazonaws.com> SSH: PlayContext set ssh_extra_args: ()
<ec2-54-194-77-121.eu-west-1.compute.amazonaws.com> SSH: found only ControlPersist; added ControlPath: (-o)(ControlPath=/home/campee/.ansible/cp/ansible-ssh-%h-%p-%r)
<ec2-54-171-76-221.eu-west-1.compute.amazonaws.com> SSH: found only ControlPersist; added ControlPath: (-o)(ControlPath=/home/campee/.ansible/cp/ansible-ssh-%h-%p-%r)
<ec2-54-194-77-121.eu-west-1.compute.amazonaws.com> SSH: EXEC ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o ‘IdentityFile=“keys/eric_eu_west_1.pem”’ -o KbdInte$
activeAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ec2-user -o ConnectTimeout=10 -o C$
ntrolPath=/home/campee/.ansible/cp/ansible-ssh-%h-%p-%r ec2-54-194-77-121.eu-west-1.compute.amazonaws.com ‘/bin/sh -c ‘"’"’( umask 77 && mkdir -p “echo $HOME/.ansible/tmp$ ansible-tmp-1477363326.38-254627066289692” && echo ansible-tmp-1477363326.38-254627066289692=“echo $HOME/.ansible/tmp/ansible-tmp-1477363326.38-254627066289692” ) && $sleep 0’“'”‘’

<ec2-54-171-76-221.eu-west-1.compute.amazonaws.com> SSH: EXEC ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o ‘IdentityFile=“keys/eric_eu_west_1.pem”’ -o KbdInte$
activeAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ec2-user -o ConnectTimeout=10 -o C$
ntrolPath=/home/campee/.ansible/cp/ansible-ssh-%h-%p-%r ec2-54-171-76-221.eu-west-1.compute.amazonaws.com ‘/bin/sh -c ‘"’"’( umask 77 && mkdir -p “echo $HOME/.ansible/tmp$ ansible-tmp-1477363326.38-141287772563957” && echo ansible-tmp-1477363326.38-141287772563957=“echo $HOME/.ansible/tmp/ansible-tmp-1477363326.38-141287772563957” ) && sleep 0’“'”‘’
<ec2-54-194-134-79.eu-west-1.compute.amazonaws.com> SSH: PlayContext set ssh_extra_args: ()
<ec2-54-194-134-79.eu-west-1.compute.amazonaws.com> SSH: found only ControlPersist; added ControlPath: (-o)(ControlPath=/home/campee/.ansible/cp/ansible-ssh-%h-%p-%r)
<ec2-54-194-134-79.eu-west-1.compute.amazonaws.com> SSH: EXEC ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="keys/eric_eu_west_1.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ec2-user -o ConnectTimeout=10 -o ControlPath=/home/campee/.ansible/cp/ansible-ssh-%h-%p-%r ec2-54-194-134-79.eu-west-1.compute.amazonaws.com '/bin/sh -c '"'"'( umask 77 && mkdir -p "echo $HOME/.ansible/tmp/ansible-tmp-1477363326.38-145537136827503" && echo ansible-tmp-1477363326.38-145537136827503="echo $HOME/.ansible/tmp/ansible-tmp-1477363326.38-145537136827503" ) && sleep 0'"'"''
fatal: [ec2-54-194-77-121.eu-west-1.compute.amazonaws.com]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh.", "unreachable": true}

But if I run SSH manually, it works just fine:

$ ssh -i keys/eric_eu_west_1.pem ec2-user@ec2-54-171-76-221.eu-west-1.compute.amazonaws.com
Warning: Permanently added 'ec2-54-171-76-221.eu-west-1.compute.amazonaws.com,54.171.76.221' (ECDSA) to the list of known hosts.

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-ami/2016.09-release-notes/
3 package(s) needed for security, out of 10 available
Run "sudo yum update" to apply all updates.

My key is chmod 0700:

$ ls -l keys/eric_eu_west_1.pem
-rwx------ 1 campee campee 1696 Oct 23 21:30 keys/eric_eu_west_1.pem

Hi

  1. Ansible is failing to connect to: ec2-54-194-77-121.eu-west-1.compute.amazonaws.com
  2. Your manual SSH test is against a different host: ec2-54-171-76-221.eu-west-1.compute.amazonaws.com

54.194.77.121
vs
54.171.76.221

Was this a typo?

The “unreachable” part means Ansible couldn’t make a network connection to the 54.194.77.121 host. So try a telnet test (telnet 54.194.77.121 22) to see if SSHD is listening on the port.

Regards,
Jinesh
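
The two checks from the reply above (which host Ansible actually reported as unreachable, and whether anything answers on port 22 there), as an added Python example that is not part of the thread. The function names are hypothetical and the sample lines are constructed by abridging the output quoted in the question.

```python
import re
import socket

# Constructed sample: three lines abridged from the output quoted in the thread.
SAMPLE_OUTPUT = """\
<ec2-54-194-77-121.eu-west-1.compute.amazonaws.com> ESTABLISH SSH CONNECTION FOR USER: ec2-user
<ec2-54-171-76-221.eu-west-1.compute.amazonaws.com> ESTABLISH SSH CONNECTION FOR USER: ec2-user
fatal: [ec2-54-194-77-121.eu-west-1.compute.amazonaws.com]: UNREACHABLE! => {"changed": false, "unreachable": true}
"""

ATTEMPT_RE = re.compile(r"^<([^>]+)> ESTABLISH SSH CONNECTION FOR USER: \S+", re.M)
UNREACHABLE_RE = re.compile(r"^fatal: \[([^\]]+)\]: UNREACHABLE!", re.M)


def summarize(output):
    """Return (attempted, unreachable) host lists found in ansible-playbook -vvvv output."""
    attempted = sorted({m.group(1) for m in ATTEMPT_RE.finditer(output)})
    unreachable = sorted({m.group(1) for m in UNREACHABLE_RE.finditer(output)})
    return attempted, unreachable


def untested_failures(output, manually_tested):
    """Hosts reported UNREACHABLE that the manual ssh test never touched."""
    tested = set(manually_tested)
    return [h for h in summarize(output)[1] if h not in tested]


def ssh_port_state(host, port=22, timeout=5.0):
    """TCP-level equivalent of `telnet host 22`, returning a short state string."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"        # host answered, nothing is listening on the port
    except socket.timeout:
        return "timeout"        # no answer at all within the timeout
    except socket.gaierror:
        return "dns-error"      # the name did not resolve
    except OSError:
        return "error"
    with sock:
        try:
            banner = sock.recv(64)   # an SSH server sends its version string first
        except OSError:
            banner = b""
    return "open" if banner.startswith(b"SSH-") else "open-no-banner"


if __name__ == "__main__":
    manual = ["ec2-54-171-76-221.eu-west-1.compute.amazonaws.com"]
    for host in untested_failures(SAMPLE_OUTPUT, manual):
        print(f"{host}: reported UNREACHABLE, not covered by the manual test")
```

Call `ssh_port_state()` on each host the first step returns; the playbook output itself is only parsed, never contacted.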