How to Run Ansible Playbook using a public ssh key

ansibleansible-inventory

I'm trying to run my Ansible playbook on a remote server using a provided ssh key.

I have added the following configuration to my inventory file:

all:
  hosts:
    server1:
      ansible_host: sample.server@noname.com
      dest_dir: /root
      sample_tree: sample_tree.txt
      private_key_file: ../config/id_rsa_tf

I have referenced it in my playbook using the following:

- name: "Nightly Deploy"
  hosts: server1
  remote_user: sysuser
  tasks:
    - name: Copy test from local to remote
      tags:
        - copy
        - all
      copy:
        src: "test.tgz"
        dest: "{{ dest_dir }}/test.tgz"

I am running the playbook with the following command:

ansible-playbook --tags="copy" -v -i inventories/nightly-build.yaml playbooks/nightly-build.yaml

The error I'm getting is the following:

fatal: [server1]: UNREACHABLE! => {"changed": false, "msg": "Failed to
connect to the host via ssh: Permission denied (publickey,gssapi- keyex,gssapi-with-mic,password).", "unreachable": true}

Is my private_key_file wrong in my inventory file or am I calling it wrong? and help would be great

Best Answer

This error usually occurs when there is no valid public and private key generated and setup.

Try any of the following approaches:

Create/edit your ansible.cfg file in your playbook directory and add a line for the full path of your key:
```
[defaults]
privatekeyfile = /Users/username/.ssh/private_key        
```
It sets private key globally for all hosts in your playbook.

Add the private key to your playbook using the following line:

vars:
  ansible_ssh_private_key_file: "/home/ansible/.ssh/id_rsa"

You can also define the private key to use directly in command line:

ansible-playbook -vvvv --private-key=/Users/you/.ssh/your_key playbookname.yml

Related Solutions

How to define private SSH keys for servers in dynamic inventories

TL;DR: Specify key file in group variable file, since 'tag_Name_server1' is a group.

Note: I'm assuming you're using the EC2 external inventory script. If you're using some other dynamic inventory approach, you might need to tweak this solution.

This is an issue I've been struggling with, on and off, for months, and I've finally found a solution, thanks to Brian Coca's suggestion here. The trick is to use Ansible's group variable mechanisms to automatically pass along the correct SSH key file for the machine you're working with.

The EC2 inventory script automatically sets up various groups that you can use to refer to hosts. You're using this in your playbook: in the first play, you're telling Ansible to apply 'role1' to the entire 'tag_Name_server1' group. We want to direct Ansible to use a specific SSH key for any host in the 'tag_Name_server1' group, which is where group variable files come in.

Assuming that your playbook is located in the 'my-playbooks' directory, create files for each group under the 'group_vars' directory:

my-playbooks
|-- test.yml
+-- group_vars
     |-- tag_Name_server1.yml
     +-- tag_Name_server2.yml

Now, any time you refer to these groups in a playbook, Ansible will check the appropriate files, and load any variables you've defined there.

Within each group var file, we can specify the key file to use for connecting to hosts in the group:

# tag_Name_server1.yml
# --------------------
# 
# Variables for EC2 instances named "server1"
---
ansible_ssh_private_key_file: /path/to/ssh/key/server1.pem

Now, when you run your playbook, it should automatically pick up the right keys!

Using environment vars for portability

I often run playbooks on many different servers (local, remote build server, etc.), so I like to parameterize things. Rather than using a fixed path, I have an environment variable called SSH_KEYDIR that points to the directory where the SSH keys are stored.

In this case, my group vars files look like this, instead:

# tag_Name_server1.yml
# --------------------
# 
# Variables for EC2 instances named "server1"
---
ansible_ssh_private_key_file: "{{ lookup('env','SSH_KEYDIR') }}/server1.pem"

Further Improvements

There's probably a bunch of neat ways this could be improved. For one thing, you still need to manually specify which key to use for each group. Since the EC2 inventory script includes details about the keypair used for each server, there's probably a way to get the key name directly from the script itself. In that case, you could supply the directory the keys are located in (as above), and have it choose the correct keys based on the inventory data.

R – How to check which program runs inside gnome-terminal

Get the gnome terminal PID, and check which processes have this number as PPID.

I have answered a very similar question few days ago, see this link for details.

Best Answer

Related Solutions

How to define private SSH keys for servers in dynamic inventories

R – How to check which program runs inside gnome-terminal

Related Topic