Dynamic inventory for Ansible (behind a jumpbox / bastion)

The problem: you want to deploy code to the instances of an Auto Scaling group, but those EC2 instances are in a security group that is only reachable through a jumpbox (bastion host), so Ansible cannot ssh to them directly.

Dynamic inventory

Step one is to get Ansible working with dynamic inventory. (We assume you’ve installed Ansible already.)

Download ec2.py and ec2.ini (the AWS dynamic inventory script and its config file from Ansible's contrib/inventory directory; the script needs the boto library) and put them both in /etc/ansible/. Make sure ec2.py is executable, since Ansible runs any executable inventory file as a script. (If you're on a Mac you'll need to create this directory.)

Then set environment variables to point Ansible to the right locations:

If your AWS credentials are set (ec2.py reads them through boto, so the usual environment variables or ~/.aws/credentials both work), you should be able to list your inventory:

Make sure your ssh keypair has been added to your ssh-agent:

And from there, you should be able to run an ad hoc Ansible command against one of your instances. In this case, there's an EC2 instance that was tagged with Name: testbox, which ec2.py exposes as the group tag_Name_testbox.
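The commands for this first step, as an added shell example rather than the post's own snippets. It assumes ec2.py and ec2.ini are in /etc/ansible, that the keypair is at ~/.ssh/mykey.pem and that the login user is ec2-user; all three are placeholders. The ec2_tag_group helper reproduces how ec2.py names tag groups (tag_<Key>_<Value>, with any character outside [A-Za-z0-9_] replaced by an underscore), which is handy when the tag value contains a dash.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): wire up the legacy ec2.py
# dynamic inventory and ping one tagged instance.
# Assumed placeholders: /etc/ansible, ~/.ssh/mykey.pem, ec2-user, tag Name=testbox.
set -eu

ANSIBLE_DIR=${ANSIBLE_DIR:-/etc/ansible}
KEY_FILE=${KEY_FILE:-$HOME/.ssh/mykey.pem}
SSH_USER=${SSH_USER:-ec2-user}

# ec2.py turns each tag into a group named tag_<Key>_<Value>; characters that
# are not [A-Za-z0-9_] become '_' (so Name=web-01 becomes tag_Name_web_01).
ec2_tag_group() {
    printf 'tag_%s_%s\n' "$1" "$2" | sed 's/[^A-Za-z0-9_]/_/g'
}

# Point Ansible at the inventory script, and the script at its ini file.
# (Older Ansible releases read ANSIBLE_HOSTS instead of ANSIBLE_INVENTORY.)
configure_inventory_env() {
    export ANSIBLE_INVENTORY="$ANSIBLE_DIR/ec2.py"
    export EC2_INI_PATH="$ANSIBLE_DIR/ec2.ini"
}

# Fail early with a clear message if boto will find no credentials.
require_aws_creds() {
    if [ -z "${AWS_ACCESS_KEY_ID:-}" ] && [ ! -r "$HOME/.aws/credentials" ]; then
        echo "no AWS credentials: set AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY or ~/.aws/credentials" >&2
        return 1
    fi
}

# The whole step: load the key, list what ec2.py sees, then ping the tagged box.
# Only runs when invoked as `./step1.sh run`, because it needs AWS access.
run_step_one() {
    configure_inventory_env
    require_aws_creds
    ssh-add "$KEY_FILE"                         # key stays on the workstation
    "$ANSIBLE_DIR/ec2.py" --list | head -n 40   # expect groups like tag_Name_testbox
    ansible "$(ec2_tag_group Name testbox)" -m ping -u "$SSH_USER"
}

if [ "${1:-}" = run ]; then run_step_one; fi
```

Run it as `./step1.sh run`; the `--list` output should show a tag_Name_testbox group with your instance's address under it before the ping is attempted.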


The next step is to get Ansible working with instances that are only ssh accessible through a jumpbox.

Make the following changes to /etc/ansible/ec2.ini so that ec2.py reports the EC2 instances' private IPs (rather than their public DNS names) as the addresses Ansible connects to:

Add the following lines to ~/.ssh/config. This will forward all ssh connections to anything within your VPC on the subnet through your jumphost’s public IP ( in this case).

Add these lines to a file called playbook.yml:

When you run ansible-playbook on this file, you should get a positive response from your tagged instance:

(If you get a /usr/bin/python error, make sure that Python is installed on the managed node as per the Ansible install guide. On images that ship only python3, either install python or point Ansible at the interpreter you have by setting ansible_python_interpreter, for example to /usr/bin/python3.)
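The three edits of this second step, as an added shell example that is not the post's own configuration: the ec2.ini change, the ~/.ssh/config stanza and the playbook, each produced by a function so the setup is repeatable. The VPC host pattern 10.0.*, the bastion address 203.0.113.10 and the login user ec2-user are placeholders standing in for the post's real values. The stanza uses `ProxyCommand ssh -W %h:%p`, which tunnels the connection's stdio through the bastion; the private key is only ever used on the workstation, so there is no need to forward the ssh-agent to the jumpbox.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the ec2.ini, ssh_config and
# playbook changes for reaching VPC instances through a bastion.
# Assumed placeholders: VPC hosts match 10.0.*, bastion is 203.0.113.10,
# login user is ec2-user on both the bastion and the targets.
set -eu

VPC_HOST_PATTERN=${VPC_HOST_PATTERN:-10.0.*}
BASTION_IP=${BASTION_IP:-203.0.113.10}
SSH_USER=${SSH_USER:-ec2-user}

# 1. Make ec2.py hand out private addresses, which are what the bastion can
#    reach. The VPC setting is the one that matters for instances in a VPC;
#    the non-VPC one is switched too so EC2-Classic hosts stay consistent.
set_private_destination() {   # $1 = path to ec2.ini
    sed -i.bak \
        -e 's/^destination_variable *=.*/destination_variable = private_dns_name/' \
        -e 's/^vpc_destination_variable *=.*/vpc_destination_variable = private_ip_address/' \
        "$1"
}

# 2. ssh_config stanza: anything matching the VPC pattern is reached by
#    opening a stdio tunnel (-W) through the bastion. No agent forwarding,
#    so the key never touches the jumpbox. OpenSSH >= 7.3 can use
#    "ProxyJump bastion" instead of the ProxyCommand line.
bastion_ssh_config() {
    cat <<EOF
Host bastion
    HostName $BASTION_IP
    User $SSH_USER
    IdentitiesOnly yes

Host $VPC_HOST_PATTERN
    User $SSH_USER
    ProxyCommand ssh -W %h:%p bastion
EOF
}

# 3. Minimal playbook against the group ec2.py builds for the tag Name=testbox.
testbox_playbook() {
    cat <<'EOF'
---
- hosts: tag_Name_testbox
  gather_facts: no
  tasks:
    - name: confirm the host is reachable through the bastion
      ping:
EOF
}

# Apply all three and run the playbook. Needs AWS credentials and the
# keypair already loaded into ssh-agent; only runs on `./step2.sh run`.
run_step_two() {
    set_private_destination /etc/ansible/ec2.ini
    bastion_ssh_config >> "$HOME/.ssh/config"
    chmod 600 "$HOME/.ssh/config"
    testbox_playbook > playbook.yml
    ANSIBLE_INVENTORY=/etc/ansible/ec2.py EC2_INI_PATH=/etc/ansible/ec2.ini \
        ansible-playbook playbook.yml
}

if [ "${1:-}" = run ]; then run_step_two; fi
```

Before running the playbook, `ssh 10.0.1.5` (any private address from the `--list` output) should already land on the instance via the bastion; if that plain ssh fails, the problem is in the ssh_config stanza rather than in Ansible.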

It's a short step from here to integrating this into your deployment pipeline!