Ansible With AWS SSM Inventory

Earlier this week, I mentioned that you should prefer AWS SSM over SSH keys.

I use ansible as my configuration management tool of choice.

Here’s a quick guide on how to use AWS SSM with ansible:

We’ll be using the aws ec2 inventory plugin. One thing to note about this plugin that I found out the hard way is all inventory files must end with a suffix of _aws_ec2.yaml or _aws_ec2.yml for it to work.

Of course, your ec2 instances need to have AWS SSM enabled first.

The aws_ec2_inventory works just the same as before. The only thing we need to do to enable AWS SSM connections instead of ssh is set ansible_connection, ansible_aws_ssm_bucket_name, ansible_aws_ssm_region.

A bucket is required:

This plugin requires an S3 bucket to send files to/from the remote instance. This is required even for modules which do not explicitly send files (such as the shell or command modules), because Ansible sends over the .py files of the module itself, via S3.

# development_aws_ec2.yaml 
plugin: aws_ec2
regions:
  - us-east-1
hostnames: 
  - instance-id
filters:
   tag:Environment: development
   tag:Service: <service name>


# playbook.yaml
---
- hosts: all
  become: true
  vars:
    ansible_connection: aws_ssm
    ansible_aws_ssm_bucket_name: # a bucket is required
    ansible_aws_ssm_region: us-east-1
  tasks:
  # tasks here

# Run the playbook
ansible-playbook -i ./development_aws_ec2.yaml ./playbook.yaml

That’s all the steps required to set up ansible to use SSM connections instead of ssh.