Teleport
Ansible
Ansible uses the OpenSSH client by default. Teleport speaks the SSH protocol and can act as an SSH jump host, so Ansible can reach Teleport-managed nodes through the Teleport Proxy Service with no Ansible plugin.
In this guide we configure the OpenSSH client to work with the Teleport Proxy Service and run a sample Ansible playbook. Sessions then use the short-lived SSH certificates issued by tsh login, and Teleport records them in its audit log.
Prerequisites
The prerequisites depend on the Teleport edition you use.
OpenSource:
- A running Teleport cluster. For details on how to set this up, see the Getting Started guide.
- The tctl admin tool and tsh client tool version >= 15.1.10. See Installation for details.
  To check version information, run the tctl version and tsh version commands. For example:
  tctl version
  Teleport v15.1.10 git:api/14.0.0-gd1e081e go1.21
  tsh version
  Teleport v15.1.10 go1.21
  Proxy version: 15.1.10
  Proxy: teleport.example.com
Enterprise:
- A running Teleport Enterprise cluster. For details on how to set this up, see the Enterprise Getting Started guide.
- The Enterprise tctl admin tool and tsh client tool version >= 15.1.10. You can download these tools by visiting your Teleport account workspace.
  To check version information, run the tctl version and tsh version commands. For example:
  tctl version
  Teleport Enterprise v15.1.10 git:api/14.0.0-gd1e081e go1.21
  tsh version
  Teleport v15.1.10 go1.21
  Proxy version: 15.1.10
  Proxy: teleport.example.com
Cloud:
- A Teleport Enterprise Cloud account. If you don't have an account, sign up to begin a free trial.
- The Enterprise tctl admin tool and tsh client tool version >= 15.1.1. You can download these tools from the Cloud Downloads page.
  To check version information, run the tctl version and tsh version commands. For example:
  tctl version
  Teleport Enterprise v15.1.1 git:api/14.0.0-gd1e081e go1.21
  tsh version
  Teleport v15.1.1 go1.21
  Proxy version: 15.1.1
  Proxy: teleport.example.com
For all editions:
- The ssh OpenSSH client tool.
- ansible >= 2.9.6.
- Optional: the jq tool, to process JSON output.
- To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. tctl is supported on macOS and Linux machines. For example:
  tsh login --proxy=teleport.example.com --user=[email protected]
  tctl status
  Cluster teleport.example.com
  Version 15.1.10
  CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
  If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.
Step 1/3. Login and configure SSH
Log into Teleport with tsh, pointing it at your Teleport Proxy Service (teleport.example.com in this guide):
tsh login --proxy=teleport.example.com
Generate the OpenSSH client configuration using the tsh config shortcut:
tsh config > ssh.cfg
The generated file contains Host blocks whose patterns match node names of the form <hostname>.<cluster-name> (for example *.teleport.example.com) and route them through the Teleport Proxy Service with a ProxyCommand that runs tsh. You can edit the matching patterns in ssh.cfg if something is not working out of the box.
Step 2/3. Configure Ansible
Create a folder ansible where we will collect all generated files:
mkdir -p ansible
cd ansible
Create a file ansible.cfg with the contents below. Keep host_key_checking enabled: the ssh.cfg written by tsh config points OpenSSH at the known_hosts file that tsh maintains, so host keys are still verified against the Teleport host CA rather than trusted on first use:
[defaults]
host_key_checking = True
inventory=./hosts
remote_tmp=/tmp
[ssh_connection]
scp_if_ssh = True
ssh_args = -F ./ssh.cfg
You can create an inventory file hosts manually or use the command below to generate it from your environment. Replace teleport.example.com with your cluster name (for example teleport.example.com, or in the form mytenant.teleport.sh for Teleport Enterprise Cloud) so that the generated host names match the patterns in the OpenSSH configuration. The -r flag makes jq print raw strings; without it each line would be wrapped in double quotes and would not match the ssh.cfg patterns:
tsh ls --format=json | jq -r '.[].spec.hostname + ".teleport.example.com"' > hosts
Step 3/3. Run a playbook
Finally, let's create a simple Ansible playbook, playbook.yaml.
The playbook below runs hostname on all hosts. Make sure to set the remote_user parameter to a valid SSH username that works with the target host and is allowed by your Teleport role (Teleport rejects logins that are not in the role's allowed logins, regardless of what exists on the node):
- hosts: all
  remote_user: ubuntu
  tasks:
    - name: "hostname"
      command: "hostname"
From the folder ansible, run the playbook:
ansible-playbook playbook.yaml
PLAY [all] *****************************************************************************************************************************************
TASK [Gathering Facts] *****************************************************************************************************************************
ok: [terminal]
TASK [hostname] ************************************************************************************************************************************
changed: [terminal]
PLAY RECAP *****************************************************************************************************************************************
terminal : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
You are all set. Ansible is now authenticating with the short-lived SSH certificates issued by tsh login, and Teleport records every Ansible session in its audit log.
Troubleshooting
If Ansible cannot connect, you may see an error like this one:
example.host | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: ssh: Could not resolve hostname example.host: Name or service not known",
"unreachable": true
}
"Could not resolve hostname" means that the inventory name matched none of the Host patterns in ssh.cfg, so OpenSSH never applied the ProxyCommand that routes the connection through the Teleport Proxy Service and instead tried to resolve the name directly. Check that the inventory names carry the cluster-name suffix, and examine and tweak the patterns matching the inventory hosts in ssh.cfg.
Try the SSH connection using ssh.cfg with verbose mode to inspect the error:
ssh -vvv -F ./ssh.cfg [email protected]
If ssh works, run the playbook with verbose mode on to see the exact ssh command line Ansible uses:
ansible-playbook -vvvv playbook.yaml
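As an added example covering both the inventory generation in Step 2 and the pattern-mismatch case in this troubleshooting section, the script below is not part of the Teleport documentation or of tsh. It builds the hosts inventory from tsh ls --format=json output without jq (de-duplicating hostnames, since two nodes can share one hostname), and then checks every inventory name against the Host patterns in ssh.cfg to report names that no block carrying a ProxyCommand applies to, which is exactly the "Could not resolve hostname" failure above. The tsh ls output and the ssh.cfg text embedded in it are constructed samples: the ProxyCommand line is an assumption about the shape of what tsh config writes, and the real file also carries IdentityFile, CertificateFile and UserKnownHostsFile settings that are omitted here.

```python
import fnmatch
import json

CLUSTER = "teleport.example.com"  # assumed cluster name; replace with your own

# Constructed sample of `tsh ls --format=json` output (not captured from a real
# cluster). Only spec.hostname is used. Two node UUIDs deliberately share the
# hostname web-01 to show de-duplication of the generated inventory.
SAMPLE_TSH_LS = json.dumps([
    {"kind": "node", "metadata": {"name": "1b5e0e1a-0000-4000-8000-000000000001"},
     "spec": {"hostname": "terminal", "addr": "127.0.0.1:3022"}},
    {"kind": "node", "metadata": {"name": "1b5e0e1a-0000-4000-8000-000000000002"},
     "spec": {"hostname": "web-01", "addr": "10.0.0.11:3022"}},
    {"kind": "node", "metadata": {"name": "1b5e0e1a-0000-4000-8000-000000000003"},
     "spec": {"hostname": "web-01", "addr": "10.0.0.12:3022"}},
])

# Constructed stand-in for the ssh.cfg that `tsh config` writes. The real file
# also sets IdentityFile, CertificateFile and UserKnownHostsFile; the
# ProxyCommand line here is an assumption about its shape, not copied from tsh.
SAMPLE_SSH_CFG = """\
# Common flags for all teleport.example.com hosts
Host *.teleport.example.com teleport.example.com
    HostKeyAlgorithms rsa-sha2-512-cert-v01@openssh.com

# Flags for all teleport.example.com hosts except the proxy
Host *.teleport.example.com !teleport.example.com
    Port 3022
    ProxyCommand tsh proxy ssh --cluster=teleport.example.com --proxy=teleport.example.com %r@%h:%p
"""


def inventory_hosts(tsh_ls_json, cluster):
    """Return '<hostname>.<cluster>' for every node, de-duplicated, order kept."""
    seen = set()
    hosts = []
    for node in json.loads(tsh_ls_json):
        name = node["spec"]["hostname"] + "." + cluster
        if name not in seen:
            seen.add(name)
            hosts.append(name)
    return hosts


def render_inventory(hosts):
    """One name per line, the same shape as the jq one-liner's hosts file."""
    return "".join(h + "\n" for h in hosts)


def parse_ssh_cfg(text):
    """Split ssh_config text into (patterns, options) blocks, one per Host line.
    Option keys are lower-cased because ssh_config keywords are case-insensitive."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value.split(), {}))
        elif blocks:
            blocks[-1][1][key] = value
    return blocks


def host_matches(name, patterns):
    """ssh_config Host semantics: the block applies when some positive pattern
    matches and no negated ('!') pattern matches. fnmatch covers '*' and '?'."""
    positive = [p for p in patterns if not p.startswith("!")]
    negated = [p[1:] for p in patterns if p.startswith("!")]
    if any(fnmatch.fnmatchcase(name, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(name, p) for p in positive)


def hosts_without_proxycommand(hosts, ssh_cfg_text):
    """Inventory names that no ProxyCommand-carrying Host block applies to.
    For those, OpenSSH falls back to plain DNS resolution, which produces the
    'Could not resolve hostname' error shown in the troubleshooting section."""
    blocks = parse_ssh_cfg(ssh_cfg_text)
    return [h for h in hosts
            if not any(host_matches(h, pats) and "proxycommand" in opts
                       for pats, opts in blocks)]


if __name__ == "__main__":
    hosts = inventory_hosts(SAMPLE_TSH_LS, CLUSTER)
    print(render_inventory(hosts), end="")
    # Append the inventory name from the troubleshooting error to show a miss.
    for bad in hosts_without_proxycommand(hosts + ["example.host"], SAMPLE_SSH_CFG):
        print("no ProxyCommand block in ssh.cfg matches:", bad)
```

Run it as-is to see the generated inventory and the mismatch report. To use it against your own cluster, pass the text of tsh ls --format=json and the contents of your real ssh.cfg to inventory_hosts and hosts_without_proxycommand instead of the embedded samples. Note that the proxy address itself is reported as unmatched: the negated pattern excludes it from the ProxyCommand block on purpose, since the proxy is reached directly, so that entry is expected and only the other names indicate a real inventory or pattern problem.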