Advancing in Ansible: Using a Bastion (Jumphost)

Ansible 2.0 introduced a great set of features (ansible_*_args), and glances over using it in the documentation.

However, my personal preference is to do it directly in the inventory.  This means you can do things like bake it into a dynamic inventory, or use [all:vars] to keep your inventory nice and DRY.

To do this directly in an inventory:

ansible_ssh_common_args=' -o ProxyCommand="ssh -W %h:%p"'




If you only have, say, one bastion per host:

[proxy] ansible_ssh_common_args=' -o ProxyCommand="ssh -W %h:%p"'

[application] ansible_ssh_common_args=' -o ProxyCommand="ssh -W %h:%p"'


# Also acceptable
ansible_ssh_common_args=' -o ProxyCommand="ssh -W %h:%p"'

However, ansible_ssh_common_args is not the only useful thing here.  If you’re using sftp or scp (say, for jailed users) you can use it in exactly the same way.  Looking at the most recent manpages for sftp and scp all above examples will work, right down to the same -o line.

Doing the above I locate my bastion and put it into my dynamic inventory.

To do this with a dynamic inventory you’d want something like the following:

$./ --list

  "proxy": {
    "hosts": [""]
    "vars": {
      "ansible_ssh_common_args":"-o ProxyCommand='ssh -W %h:%p'"



Doing this makes accessing hosts on private networks through Ansible an absolute snap.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s