Ansible uses the OpenSSH client by default. Teleport supports the SSH protocol and can act as an SSH jump host.

In this guide we will configure the OpenSSH client to work with the Teleport Proxy and run a sample Ansible playbook.


Step 1/3. Login and configure SSH

Log into Teleport with tsh:

tsh login

Generate an OpenSSH configuration using the tsh config shortcut:

tsh config > ssh.cfg

You can edit the matching patterns used in ssh.cfg if something does not work out of the box.

Step 2/3. Configure Ansible

Create a folder named ansible in which to collect all generated files:

mkdir -p ansible
cd ansible

Create a file ansible.cfg. Ansible reads it as an INI file, so each setting must sit under its section header:

[defaults]
host_key_checking = True
# Assumed: use the generated hosts file as the inventory, so no -i flag is needed.
inventory = ./hosts

[ssh_connection]
scp_if_ssh = True
ssh_args = -F ./ssh.cfg

You can create the inventory file hosts manually or use the command below to generate it from your environment (one Teleport node hostname per line):

tsh ls --format=json | jq -r '.[].spec.hostname' > hosts

Step 3/3. Run a playbook

Finally, let's create a simple Ansible playbook, playbook.yaml.

The playbook below runs hostname on all hosts. Make sure to set the remote_user parameter to a valid SSH username that exists on the target host and is allowed by Teleport:

- hosts: all
  remote_user: ubuntu
  tasks:
    - name: "hostname"
      command: "hostname"

From the ansible folder, run the playbook:

ansible-playbook playbook.yaml

PLAY [all] *****************************************************************************************************************************************

TASK [Gathering Facts] *****************************************************************************************************************************

ok: [terminal]

TASK [hostname] ************************************************************************************************************************************

changed: [terminal]

PLAY RECAP *****************************************************************************************************************************************

terminal : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

You are all set. You are now using short-lived SSH certificates, and Teleport can record all Ansible commands in the audit log.


If Ansible cannot connect, you may see an error like this one:

| UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: ssh: Could not resolve hostname Name or service not known",
    "unreachable": true

You can examine and tweak the patterns in ssh.cfg that are meant to match the inventory hosts.
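As an added check for this troubleshooting step (not part of the original guide), the Python script below regenerates the inventory from a constructed tsh ls sample, applies ssh(1) Host pattern matching to a constructed ssh.cfg in the shape tsh config produces, and reports inventory entries that no block routes through the Teleport proxy. The cluster name, key path and sample hostnames are assumptions.

```python
import fnmatch
import json

# Constructed sample of `tsh ls --format=json` (only .spec.hostname populated).
TSH_LS_JSON = json.dumps([{"spec": {"hostname": h}} for h in ("terminal", "db-1.teleport.example.com")])

# Constructed ssh.cfg in the shape `tsh config` emits; the cluster name is assumed.
SSH_CFG = """\
Host *.teleport.example.com !teleport.example.com
    IdentityFile "/home/user/.tsh/keys/teleport.example.com/user"
    ProxyCommand "tsh" proxy ssh --cluster=teleport.example.com --proxy=teleport.example.com %r@%h:%p
"""

def inventory_from_tsh_ls(tsh_json):
    # Same selection as `jq -r '.[].spec.hostname'`: one hostname per node.
    return [node["spec"]["hostname"] for node in json.loads(tsh_json)]

def parse_host_blocks(cfg):
    # (patterns, options) blocks in file order; options before any Host line act as `Host *`.
    blocks = [(["*"], {})]
    for line in (raw.strip() for raw in cfg.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if key.lower() == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key.lower(), value)
    return blocks

def block_matches(patterns, hostname):
    # ssh(1) semantics: a matching negated (!) pattern excludes the host, else one positive must match.
    if any(fnmatch.fnmatchcase(hostname, p[1:]) for p in patterns if p[0] == "!"):
        return False
    return any(fnmatch.fnmatchcase(hostname, p) for p in patterns if p[0] != "!")

def proxy_command_for(hostname, blocks):
    # First matching block that sets ProxyCommand wins, as in ssh(1).
    for patterns, options in blocks:
        if block_matches(patterns, hostname) and "proxycommand" in options:
            return options["proxycommand"]
    return None

def unrouted_hosts(hosts, cfg):
    # Entries no Host block proxies: ssh resolves them directly ("Could not resolve hostname").
    blocks = parse_host_blocks(cfg)
    return [h for h in hosts if proxy_command_for(h, blocks) is None]

if __name__ == "__main__":
    print(unrouted_hosts(inventory_from_tsh_ls(TSH_LS_JSON), SSH_CFG))
```

On the sample the bare node name terminal is reported, because the tsh config pattern only matches names carrying the cluster suffix; either suffix the inventory entries or widen the Host pattern.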

Try the SSH connection using ssh.cfg with verbose mode to inspect the error:

ssh -vvv -F ./ssh.cfg <user>@<hostname>

If ssh works, try running the playbook with verbose mode on:

ansible-playbook -vvvv playbook.yaml