Secure Your Ansible Connections: Setting Up SSH Key-Based Authentication on AWS

Rushikesh Mane

Section 1: Launch EC2 Instances on AWS

Step 1: Launch 5 EC2 Instances (1 control node and 4 managed nodes)

  1. Go to EC2 > Instances > Launch Instances

  2. Choose Ubuntu Server 20.04 LTS

  3. Instance type: t2.micro (free tier)

  4. Security group: allow SSH (port 22) from your own IP only, plus from the VPC CIDR (or from the master's security group) so the master can reach the workers over their private IPs. Do not open port 22 to 0.0.0.0/0: Section 2 temporarily enables root password login, which must never be reachable from the internet.


Section 2: Set Password-Based SSH Access for All EC2 Instances

In this section, we'll configure all 5 EC2 Ubuntu instances (1 master and 4 workers: Test1, Test2, Dev1, Dev2) to accept password-based SSH login. This is needed only as a bootstrap: Ubuntu cloud images ship with password authentication disabled and no root password, and ssh-copy-id in Section 5 needs one working login per node before the key is installed. Treat root password login as temporary and turn it off again once key-based access has been verified.


Step 2.1: Connect to Each EC2 Instance

Use your .pem key pair file to SSH into each instance as the ubuntu user (for example with MobaXterm).

Step 2.2: Set a Password for the root User

Run the following command on each instance:

sudo passwd root

Choose a strong, unique password (the MySecurePass123 used in this write-up is only a placeholder). You will type it once per node in Section 5 and can retire it afterwards.

Step 2.3: Enable Password Authentication in SSH Config

Edit the SSH configuration file:

sudo vim /etc/ssh/sshd_config

Find the following two directives (their line numbers vary by image; roughly lines 38 and 57 here) and uncomment or update them so they read:

PermitRootLogin yes
PasswordAuthentication yes

Save the file and exit.

Ubuntu cloud images also ship /etc/ssh/sshd_config.d/60-cloudimg-settings.conf. It is Included at the top of sshd_config and takes precedence, because sshd keeps the first value it reads for a directive, so a change in the main file alone is silently ignored. If the file exists, edit it as well so that its line reads:

PasswordAuthentication yes

Step 2.4: Restart SSH Service

Apply the configuration. Keep your current session open until you have confirmed that a fresh login works: a typo in sshd_config makes the restart fail, existing sessions survive, but no new connection can be made.

sudo systemctl restart ssh
sudo systemctl status ssh
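The edits above are the weak setting going in by hand. The script below, added here as an example and not code from the original post, makes the same change idempotently: it rewrites an active or commented line (or appends one), applies the value to any drop-in under sshd_config.d/ that already sets the directive, and validates with sshd -t before restarting. Called with the opposite values (PasswordAuthentication no, PermitRootLogin prohibit-password) it is also the local lockdown to run once key-based access works in Section 5. The Ubuntu file layout, GNU/busybox sed -i and the absence of Match blocks for these directives are assumptions; the config used by demo is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: idempotent sshd config edits
# with a syntax check before restart. Assumptions: GNU/busybox sed -i, the
# Ubuntu layout (/etc/ssh/sshd_config plus Include'd sshd_config.d/*.conf),
# no Match blocks setting the same directives; the config in demo is constructed.
set -eu

# Set one directive in one file: rewrite an existing active or commented line,
# otherwise append it. Re-running with the same value changes nothing.
set_sshd_option() {
  local file=$1 key=$2 value=$3
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
    sed -i -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# sshd reads the Include'd drop-ins before the rest of sshd_config and keeps
# the first value it sees for a directive. Ubuntu cloud images ship
# sshd_config.d/60-cloudimg-settings.conf with "PasswordAuthentication no", so
# a value set only in the main file is ignored: set it in every file that
# already mentions the directive, and in the main file regardless.
set_sshd_option_everywhere() {
  local confdir=$1 key=$2 value=$3 f
  set_sshd_option "$confdir/sshd_config" "$key" "$value"
  for f in "$confdir"/sshd_config.d/*.conf; do
    [ -f "$f" ] || continue
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$f"; then
      set_sshd_option "$f" "$key" "$value"
    fi
  done
}

# Validate first: with a broken sshd_config the restart fails and new logins
# become impossible. Then show the values sshd will actually enforce.
sshd_apply() {
  /usr/sbin/sshd -t && systemctl restart ssh
  /usr/sbin/sshd -T | grep -iE '^(passwordauthentication|permitrootlogin) '
}

# Demo on a throwaway copy of the layout (constructed content): open password
# and root login as Section 2 does, then close both again (the later lockdown).
demo() {
  d=$(mktemp -d)
  mkdir "$d/sshd_config.d"
  printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' \
    '#PermitRootLogin prohibit-password' 'PasswordAuthentication no' \
    'X11Forwarding yes' > "$d/sshd_config"
  printf '%s\n' 'PasswordAuthentication no' > "$d/sshd_config.d/60-cloudimg-settings.conf"
  set_sshd_option_everywhere "$d" PermitRootLogin yes
  set_sshd_option_everywhere "$d" PasswordAuthentication yes
  echo '--- bootstrap (Section 2) ---'
  grep -rnE 'PermitRootLogin|PasswordAuthentication' "$d"
  set_sshd_option_everywhere "$d" PasswordAuthentication no
  set_sshd_option_everywhere "$d" PermitRootLogin prohibit-password
  echo '--- lockdown (after keys are in place) ---'
  grep -rnE 'PermitRootLogin|PasswordAuthentication' "$d"
  rm -rf "$d"
}

# Real use, as root on a node:
#   set_sshd_option_everywhere /etc/ssh PermitRootLogin yes
#   set_sshd_option_everywhere /etc/ssh PasswordAuthentication yes
#   sshd_apply
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo to see both transitions on the throwaway copy. The final grep in sshd_apply is the check that matters: sshd -T prints the effective configuration after all Includes are resolved, so it catches the case where the main file says yes but a drop-in still says no.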


Section 3: Install Ansible on Ubuntu (Control Node / Master)

In this section, we’ll install Ansible on the Ubuntu-based control node (Ansible Master). These steps work on AWS EC2, local VMs, or cloud platforms like GCP, Azure, etc.


Step 3.1: Update System Packages

Always start by updating your package lists:

sudo apt update && sudo apt upgrade -y

Step 3.2: Add the Ansible PPA

The Ansible version in Ubuntu's default repositories lags behind the current release, so add the official PPA:

sudo apt-add-repository --yes --update ppa:ansible/ansible

Step 3.3: Install Ansible

Now install Ansible:

sudo apt install ansible -y

Step 3.4: Verify Ansible Installation

Check if Ansible is installed correctly:

ansible --version

Expected output: the installed version line (ansible [core x.y.z]), the config file path, and the Python interpreter Ansible is using.


Section 4: Update the Ansible Hosts File on the Master Node

Ansible uses an inventory file (by default /etc/ansible/hosts) to define the list of servers it will manage.


Step 4.1: Edit the Hosts File

sudo vim /etc/ansible/hosts

Step 4.2: Add the Private IP Addresses of the Worker Nodes

[test]
private-ip-address-Test1
private-ip-address-Test2

[dev]
private-ip-address-Dev1
private-ip-address-Dev2

Private IPs are used because the master and the workers share a VPC. The group names ([test], [dev]) let a playbook target a subset of nodes; the pattern all covers both groups.


Section 5: Set Up SSH Key-Based Authentication from the Master

While password-based SSH is quick for small demos, production environments need authentication that is secure, scalable and automation-friendly. Using ssh-keygen to set up key-based (password-free) SSH from the master to every worker is the best practice, and it also lets you turn root password login off again afterwards.


Step 5.1: Generate SSH Key Pair on Ansible Master

On your Ansible Master EC2 instance, generate a new SSH key as the ubuntu user:

ssh-keygen
  • Press Enter at the path prompt to use the default (/home/ubuntu/.ssh/id_rsa); on this Ubuntu release that is a 3072-bit RSA key, and adding -t ed25519 gives a smaller, faster key that all of these nodes also support

  • Leave the passphrase empty (just press Enter) so Ansible can use the key non-interactively

This creates:

  • Public key: /home/ubuntu/.ssh/id_rsa.pub (safe to distribute; this is what gets copied to the workers)

  • Private key: /home/ubuntu/.ssh/id_rsa (mode 600; it never leaves the master. With no passphrase, anyone who can read this file is root on all four workers, so protect the master accordingly)

Step 5.2: Copy SSH Key to Worker Nodes Using Private IPs

Now that your key pair is generated on the Ansible Master, copy the public SSH key to each worker node using their private IP addresses.

Run the following commands on your Ansible Master:

ssh-copy-id root@<Private-IP-of-Test1>
ssh-copy-id root@<Private-IP-of-Test2>
ssh-copy-id root@<Private-IP-of-Dev1>
ssh-copy-id root@<Private-IP-of-Dev2>

  • When prompted, type yes to accept the host key fingerprint. This happens on the first connection only; ssh records the key in ~/.ssh/known_hosts and refuses to connect if it changes later.

  • Enter the root password you set in Step 2.2.

  • This appends your public key to /root/.ssh/authorized_keys on each worker, so the master can log in as root with the key and no password prompt.

Step 5.3: Verify SSH Connectivity Using Ansible Ping

Once you've configured the Ansible inventory and key-based SSH access to all worker nodes, verify that Ansible can connect to all servers using the ping module.

Run the following command on your Ansible Master:

ansible all -m ping -u root

🔹 all: Refers to all hosts listed in your inventory (/etc/ansible/hosts by default)
🔹 -m ping: Uses Ansible's built-in ping module, which logs in over SSH and runs a small Python module on the node (it is not an ICMP ping)
🔹 -u root: Connects as root, the account whose authorized_keys now holds the master's key; without it Ansible would connect as your local user, ubuntu, which has no key on the workers


🟢 Expected Output (Success)

You should see output like this for each node:

private-ip | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
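A green ping proves the key works; it does not prove the password path is closed. The script below, added here as an example and not code from the original post, is the next thing to run on the master: it reads the hosts from the inventory, probes each one with ssh in BatchMode with client-side password and keyboard-interactive authentication disabled (so only the key can succeed), and only if every host passes does it switch PasswordAuthentication off and PermitRootLogin to prohibit-password fleet-wide with ad hoc Ansible calls, using lineinfile's validate= to run sshd -t on the edited copy before it replaces the real file. The inventory path, the drop-in file name, the absence of [group:vars] sections, and the host addresses in the test are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Run on the Ansible master
# after "ansible all -m ping -u root" is green. --check proves every inventory
# host accepts the master's key with no password fallback; --apply runs that
# check and, only if all hosts pass, disables password and root-password login
# everywhere. Assumes the Section 4 inventory layout (no [group:vars] sections)
# and the root-login bootstrap from Section 2.
set -eu

INVENTORY=${INVENTORY:-/etc/ansible/hosts}

# Host entries from an INI inventory: skip [group] headers, comments and blank
# lines, keep the first token only (drops any "ansible_user=..." host vars).
inventory_hosts() {
  grep -vE '^[[:space:]]*(\[|#|;|$)' "$1" | awk '{print $1}' | sort -u
}

# Key-only probe: BatchMode never prompts, and turning password and
# keyboard-interactive auth off on the client means success can only come
# from the public key in root's authorized_keys.
key_only_ok() {
  ssh -o BatchMode=yes -o PasswordAuthentication=no \
      -o KbdInteractiveAuthentication=no -o ConnectTimeout=5 \
      "root@$1" true 2>/dev/null
}

check_all_hosts() {
  rc=0
  for h in $(inventory_hosts "$1"); do
    if key_only_ok "$h"; then echo "ok    $h"; else echo "FAIL  $h"; rc=1; fi
  done
  return $rc
}

# Fleet lockdown. validate= makes lineinfile run sshd -t on the edited copy and
# abort before touching the real file, so one typo cannot lock out every node.
lock_down_all() {
  ansible all -u root -m ansible.builtin.lineinfile \
    -a "path=/etc/ssh/sshd_config regexp='^#?PasswordAuthentication ' line='PasswordAuthentication no' validate='/usr/sbin/sshd -t -f %s'"
  ansible all -u root -m ansible.builtin.lineinfile \
    -a "path=/etc/ssh/sshd_config regexp='^#?PermitRootLogin ' line='PermitRootLogin prohibit-password' validate='/usr/sbin/sshd -t -f %s'"
  # The cloud-image drop-in is Included first and wins over the main file;
  # create=yes keeps this step working on images that do not ship it.
  ansible all -u root -m ansible.builtin.lineinfile \
    -a "path=/etc/ssh/sshd_config.d/60-cloudimg-settings.conf regexp='^#?PasswordAuthentication ' line='PasswordAuthentication no' create=yes"
  ansible all -u root -m ansible.builtin.service -a "name=ssh state=restarted"
  # What each sshd will actually enforce, straight from the daemon.
  ansible all -u root -m ansible.builtin.shell \
    -a "/usr/sbin/sshd -T | grep -iE '^(passwordauthentication|permitrootlogin) '"
}

case "${1:-}" in
  --check) check_all_hosts "$INVENTORY" ;;
  --apply) check_all_hosts "$INVENTORY" && lock_down_all ;;
esac
```

Run --check first and fix any FAIL (usually a missed ssh-copy-id) before --apply. Afterwards ansible all -m ping -u root must still succeed: prohibit-password keeps key-based root login while rejecting passwords, which is exactly the state the title of this article asks for. The lineinfile calls replace the last matching line in each file, so the final sshd -T listing is the authoritative check that no earlier active line still says yes.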
      


Section 6: Run a Sample Ansible Playbook

Now that you've verified Ansible can connect to all your nodes using the ping module, let's run a simple Ansible Playbook that installs two packages (maven and htop) on the hosts in the test group.


📄 Create the Playbook File

On your Ansible Master node, create a new file:

    vim sample-playbook.yml

Paste the following content:

    ---
    - name: Install maven and htop
      hosts: test
      # the master's key was installed for root, so connect as root
      remote_user: root
      become: true
      tasks:
        - name: Install maven
          package:
            name: maven
            state: present

        - name: Install htop
          package:
            name: htop
            state: present

▶️ Run the Playbook

Now execute the playbook using:

    ansible-playbook sample-playbook.yml -u root

ℹ️ This command runs the playbook on the `test` hosts defined in your inventory, connecting as root because that is the account holding the master's key. become: true is a no-op for root but keeps the playbook correct if you later switch to an unprivileged login user with sudo.


✅ Expected Output

Ansible prints each task as it runs on each host and finishes with a PLAY RECAP line per host. The run succeeded when every host shows failed=0 and unreachable=0. Running the playbook a second time reports changed=0, because both packages are already present.

🎯 That's it!

You've now run your first Ansible Playbook to install software across multiple servers with a single command.

