Fabio Alessandro Locati (Fale)'s blog

Use per-host SSH key pairs on AWX and Ansible Automation Controller

September 18, 2023

One of the aspects I have always loved about Ansible is that it integrates very nicely with the rest of the system it runs on. For example, you can set every SSH option Ansible will use simply by editing the ~/.ssh/config file. I've seen multiple cases where that file needs to be tweaked. One that comes up occasionally is an environment that requires Ansible to use a different SSH key for each machine it manages. I'm aware that this is not an ideal setup, since it does not increase security as much as the person who came up with the rule expected. Still, some companies have this requirement for various historical reasons, and it is usually impossible or impractical to challenge. The same process applies to any other SSH connection tweak that can be made in the SSH configuration file, such as proxies, ciphers, host key checks, and so on.

However, if you try to configure SSH on an AWX or Ansible Automation Controller instance by editing the machine's /var/lib/awx/.ssh/config file, it will not work. This unintuitive behaviour happens because those tools do not run Ansible on the host itself: every playbook execution is delegated to a container (the execution environment). For the same reason, editing the file inside the AWX or Ansible Automation Controller container will not give the expected result either, because each job runs in a newly spawned container that does not share that filesystem.

Luckily, AWX and Ansible Automation Controller provide a way to achieve this. First, log into AWX or Ansible Automation Controller with an administrator account. Then go to “Settings” and select “Jobs settings”. Here, add /var/lib/awx/.ssh:/home/runner/.ssh:O to the list of “Paths to expose to isolated jobs”. The entry is host path, container path and mount options: it makes AWX or Ansible Automation Controller mount the host's /var/lib/awx/.ssh directory into every container spawned to run a job, at /home/runner/.ssh, the home of the runner user inside the container, so ~/.ssh/... paths in the config resolve correctly there (do not write /var/lib/awx/.ssh/... paths inside the config, they do not exist in the container). The O option is podman's overlay mount: jobs get a copy-on-write view, so anything a job writes there (a known_hosts update, for instance) stays in the container and is discarded when it exits. Two things to keep in mind: the directory, config and keys must be readable by the user the job container runs as, and, because the mount applies to every job, any playbook executed on that controller can read every key in it. That is the trade-off behind a per-host-key rule whose keys all sit on the same controller.

If /var/lib/awx/.ssh/config already defines how to log in to the remote machines (for example an IdentityFile per host, ideally together with IdentitiesOnly yes so that ssh does not also offer other keys) and you want AWX or Ansible Automation Controller to respect that rather than override it, make sure the “Password”, “SSH Private Key” and “Signed SSH Certificate” fields of the Machine credential attached to the job template are empty; anything set there is injected into the job and would be used alongside or instead of your configuration.
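As an added example, not part of the original post and not AWX code, the following Python resolves a per-host ~/.ssh/config the way OpenSSH does (first value found wins for each option, IdentityFile entries accumulate, Host patterns with *, ? and ! negation) and lints it for the mistakes that quietly defeat per-host keys: a shared key inherited from an earlier Host * block, a missing IdentitiesOnly, or two hosts pointing at the same key file. The hostnames, key names and both sample configs are constructed; Match and Include directives are not handled.

```python
"""Resolve and lint a per-host ~/.ssh/config the way OpenSSH reads it.

Added example for this post, not AWX's or the author's code. OpenSSH keeps the
FIRST value found for each option walking top to bottom, but IdentityFile
entries accumulate. Only `Host` blocks are handled (no Match/Include). The
configs and hostnames below are constructed samples."""
import re

HOSTS = ["web01.example.internal", "db01.example.internal"]

# Per-host stanzas first, shared defaults last.
GOOD_CONFIG = """\
Host web01.example.internal
    IdentityFile ~/.ssh/web01
    IdentitiesOnly yes
    User deploy

Host db01.example.internal
    IdentityFile ~/.ssh/db01
    IdentitiesOnly yes

# ~ is /home/runner inside the job container; do not write /var/lib/awx/.ssh here.
Host *.example.internal
    User ansible
"""

# A leading "Host *" key is offered to every host, and db01 reuses web01's key.
BAD_CONFIG = """\
Host *
    IdentityFile ~/.ssh/id_ed25519

Host web01.example.internal
    IdentityFile ~/.ssh/web01
    IdentitiesOnly yes

Host db01.example.internal
    IdentityFile ~/.ssh/web01
"""

def parse_ssh_config(text):
    """Split ssh_config into (host_patterns, [(keyword, value), ...]) blocks."""
    blocks, patterns, options = [], ["*"], []  # lines before any Host apply to all
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # "Keyword value" or "Keyword=value"
        if len(parts) == 1 and "=" in parts[0]:
            parts = parts[0].split("=", 1)
        keyword, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if keyword == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), []
        else:
            options.append((keyword, value))
    return blocks + [(patterns, options)]

def host_matches(patterns, host):
    """OpenSSH pattern list: a positive pattern must match and no '!' one may."""
    matched = False
    for pat in patterns:  # only '*' and '?' are wildcards; hostnames compare case-insensitively
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pat.lstrip("!"))
        if re.fullmatch(regex, host, re.IGNORECASE):
            if pat.startswith("!"):
                return False
            matched = True
    return matched

def resolve(text, host):
    """Effective options for `host`: first value wins, IdentityFile accumulates."""
    effective = {}
    for patterns, options in parse_ssh_config(text):
        if host_matches(patterns, host):
            for keyword, value in options:
                if keyword == "identityfile":
                    effective.setdefault(keyword, []).append(value)
                else:
                    effective.setdefault(keyword, value)
    return effective

def lint_per_host_keys(text, hosts):
    """Flag hosts offering more than one key, lacking IdentitiesOnly, or sharing a key."""
    findings, owner = [], {}
    for host in hosts:
        eff = resolve(text, host)
        keys = eff.get("identityfile", [])
        if len(keys) != 1:
            findings.append(f"{host}: expected one IdentityFile, got {keys}")
        if eff.get("identitiesonly", "no").lower() != "yes":
            findings.append(f"{host}: IdentitiesOnly is not yes, so agent/default keys are offered too")
        for key in keys:
            if owner.setdefault(key, host) != host:
                findings.append(f"{host}: shares {key} with {owner[key]}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, lint_per_host_keys(cfg, HOSTS) or "ok")
```

Run it as is to see the good config pass and the bad one produce five findings, or call lint_per_host_keys on the contents of /var/lib/awx/.ssh/config with your inventory hostnames before exposing the directory to jobs. Once the file is in place, ssh -G hostname on the controller, run as the awx user, prints the options OpenSSH itself resolves and is the authoritative check.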

This process makes it possible to have the same flexibility of SSH configuration that Ansible has in AWX and Ansible Automation Controller.