Ansible With AWS SSM Inventory

Earlier this week, I mentioned that you should prefer AWS SSM over SSH keys.

I use ansible as my configuration management tool of choice.

Here’s a quick guide on how to use AWS SSM with ansible:

We’ll be using the aws ec2 inventory plugin. One thing to note about this plugin that I found out the hard way is all inventory files must end with a suffix of _aws_ec2.yaml or _aws_ec2.yml for it to work.

Of course, your ec2 instances need to have AWS SSM enabled first.

The aws_ec2_inventory works just the same as before. The only thing we need to do to enable AWS SSM connections instead of ssh is set ansible_connection, ansible_aws_ssm_bucket_name, ansible_aws_ssm_region.

A bucket is required:

This plugin requires an S3 bucket to send files to/from the remote instance. This is required even for modules which do not explicitly send files (such as the shell or command modules), because Ansible sends over the .py files of the module itself, via S3.

# development_aws_ec2.yaml 
plugin: aws_ec2
  - us-east-1
  - instance-id
   tag:Environment: development
   tag:Service: <service name>

# playbook.yaml
- hosts: all
  become: true
    ansible_connection: aws_ssm
    ansible_aws_ssm_bucket_name: # a bucket is required
    ansible_aws_ssm_region: us-east-1
  # tasks here

# Run the playbook
ansible-playbook -i ./development_aws_ec2.yaml ./playbook.yaml

That’s all the steps required to set up ansible to use SSM connections instead of ssh.

Join the 80/20 DevOps Newsletter

If you're an engineering leader or developer, you should subscribe to my 80/20 DevOps Newsletter. Give me 1 minute of your day, and I'll teach you essential DevOps skills. I cover topics like Kubernetes, AWS, Infrastructure as Code, and more.

Not sure yet? Check out the archive.

Unsubscribe at any time.