
Automate SSH key deployment with Ansible

After having to add and remove SSH keys many times this month, I decided to automate SSH key management on our servers. At SupportBee, we typically use Capistrano to configure our servers. Capistrano SSHes into a server and runs the commands given to it. However, I wanted a tool that is declarative (it brings a server to a desired state specified in a configuration file, and does nothing if the server is already in that state) and that operates over SSH, just like Capistrano, with no agent to install on the servers. Fortunately, I found Ansible via a friend’s tweet. Ansible is written in Python, and the easiest way to install it is with pip (the package manager for Python packages).

pip install ansible

or if you’d like to install a specific version of ansible

pip install ansible==1.9.2 # I used Ansible 1.9.2 at the time of writing

Once installed, you describe the desired state of your servers by writing an Ansible playbook. Ansible playbooks are YAML files. Here’s the playbook I wrote to automate SSH key management, saved as deploy_ssh_keys.yml. It adds the SSH keys of current employees to the deploy user’s authorized_keys file and removes the keys of former employees. Note that the second task only removes the keys you explicitly list with state: absent; a key that is neither in the add list nor in the remove list is left untouched.


---
- hosts: all
  remote_user: deploy # Log in as the deploy user
  tasks:
  - name: Add SSH keys
    authorized_key:
      user: deploy # Configure SSH keys for deploy user
      key: |
        ssh-rsa AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA john@gmail.com
        ssh-rsa BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB jane@Jane-Does-iMac.local
  - name: Remove SSH keys of former employees
    authorized_key:
      user: deploy # Configure SSH keys for deploy user
      key: |
        ssh-rsa CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC jack@gmail.com
        ssh-rsa DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD jill@gmail.com
      state: absent

In addition to a playbook, Ansible needs the hostnames or IP addresses of your servers. Ansible calls this list an inventory file. Create a file named production_servers with one host per line:

web1.mysite.com
web2.mysite.com
db.mysite.com
1.2.3.4

Run the playbook against that inventory. Afterwards, the current employees’ keys are present on every server in the inventory and the former employees’ keys are gone. Because the playbook is declarative, running it again is safe: Ansible reports no changes if the servers are already in the desired state.


ansible-playbook -i production_servers deploy_ssh_keys.yml
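The playbook above only removes keys you remember to list under state: absent, so a key that was added by hand, or whose owner left without anyone updating the remove list, stays valid forever. The variant below is an added example, not the original post’s playbook: it uses the exclusive option of authorized_key (added in Ansible 1.9) so that the deploy user’s authorized_keys file is replaced with exactly the listed keys and nothing else. It assumes one public key per current employee stored as keys/john.pub and keys/jane.pub next to the playbook (hypothetical paths), Ansible 1.9 or later, and an existing deploy user on every host.

```yaml
---
# Added example, not the original post's playbook.
# Assumptions: Ansible >= 1.9 (authorized_key gained "exclusive" in 1.9),
# one public key per current employee under keys/<name>.pub next to this
# playbook, and an existing "deploy" user on every host.
- hosts: all
  remote_user: deploy
  tasks:
    - name: Make the deploy user's authorized_keys exactly the current employee keys
      authorized_key:
        user: deploy
        # exclusive: yes removes every key that is not in "key", so a former
        # employee's key disappears on the next run even if nobody listed it
        # under state: absent. Offboarding is deleting the key file and its
        # lookup line here; onboarding is adding one. Keys are read from files
        # (constructed paths) rather than pasted inline, and the keys are
        # joined with a newline because the module expects one key per line.
        exclusive: yes
        key: "{{ lookup('file', 'keys/john.pub') }}\n{{ lookup('file', 'keys/jane.pub') }}"
```

Two caveats before using this on production servers. First, do not combine exclusive: yes with with_items: each iteration would replace the file with the single key of that iteration, leaving only the last one. Second, this playbook logs in as deploy using one of the very keys it manages, so a typo in the key list locks you out of the servers; run it with ansible-playbook --check -i production_servers deploy_ssh_keys.yml first, and keep a separate access path (for example a console or a different admin account) until you have verified the result.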

If you’d like to learn more about Ansible, Ansible’s documentation is an excellent place to start. There are also a lot of Ansible playbooks on GitHub to borrow configuration from.
