A Cloud-Native Connection Plugin For Ansible Using Session Manager
We are excited to announce the availability of the Ansible AWS Session Manager Plugin, compatible with the 2.10 release of Ansible. Ansible is a popular configuration management tool thanks to its push-based model and simple syntax. Its ease of use simplifies server configuration management for operations teams and helps developers take an active part in maintaining playbooks.
In keeping with the Unix philosophy, Ansible performs its operations through a collection of plugins. Among them are the SSH and WinRM connection plugins that Ansible uses to push configuration to target hosts. We prefer the AWS Systems Manager toolset, including AWS Run Command and Session Manager, because we see these tools as enabling the next generation of automated management for large server fleets.
With the new Ansible AWS Session Manager Plugin, AWS tools replace SSH and WinRM. Importantly, AWS Session Manager and Run Command bring several meaningful advantages in the cloud:
- Run Command and Session Manager can cross network boundaries. This wasn't an issue in traditional data centers, where the whole company was bound together by a handful of physical networks, but in a modern multi-cloud, software-defined network world that is no longer the case. Today we have smaller, well-contained networks that reduce the blast radius of any breach, contain the impact of bugs, and allow teams to be more agile by distributing control.
SSH, by contrast, forces us into constructs that pull architectures back toward a traditional environment of VPN tunnels and transit gateways. That sets off a sequence of consequences: a larger blast radius, more centralized control, and finally a loss of agility. Run Command and Session Manager avoid this by providing a secure way to control machines that don't have to be on the same network: the SSM agent on each host initiates outbound HTTPS connections to the Systems Manager endpoints, so no inbound port needs to be reachable from the control machine. Both tools work across Windows, Linux, AWS, other clouds, and hybrid environments.
- Run Command and Session Manager both use AWS credentials for authentication, and AWS credentials come with strong key management for both human and machine users. Human users can authenticate through SSO with MFA using SAML. Any machine user on AWS, whether on EC2, ECS, or Lambda, can use IAM roles, which provide automatic credential rotation that every AWS SDK handles transparently.
SSH and WinRM, by contrast, use long-term credentials by default, which must be managed and rotated. Long-term credentials quickly become organization-wide liabilities: they are prone to leakage and hard to rotate. Run Command and Session Manager give us an easy-to-use credential solution out of the box.
- Run Command and Session Manager are cloud native and include central logging as a native feature. This is extremely important for forensics and is required by many compliance frameworks. Traditional remote connections can be set up with central logging, but it is not there out of the box, and an attacker who gains control of a host can disable it. Session Manager logging is configured centrally in the account's session preferences and delivered to CloudWatch Logs or S3, so turning it off requires IAM permissions on the account rather than root on the host.
Wanting to bring the benefits of Run Command and Session Manager to our customers, we began moving away from SSH in favor of Session Manager. We were mostly successful, but we could not reach the final goal of turning off port 22, because Ansible was still using SSH to configure machines. The Ansible AWS Session Manager Plugin emerged to close that gap.
Introducing Ansible AWS Session Manager Plugin
In partnership with AWS, we set out to create a new connection plugin that would let Ansible reach target hosts through Session Manager. As we started development, we learned that Pat Sharkey from Cleo had already begun work on such a plugin. At Cleo, Pat wanted to push commands to the servers in their ECS cluster, as they had a requirement that keys on production servers be short-lived and that human access use multi-factor authentication. Any such system would also need integrations for CI workflows and for running Ansible playbooks. Session logging in AWS Session Manager was the 'cherry on top' in their decision to write a plugin that lets Ansible connect through AWS Session Manager.
Our team connected with Pat, and we joined forces to make his pull request feature complete for inclusion in Ansible, starting today with Ansible 2.10. The plugin uses the Session Manager plugin for the AWS CLI in the background to connect to Session Manager and works with both Windows and Linux.
Comparison With the AWS-RunAnsiblePlaybook Document
AWS Systems Manager includes a document named AWS-RunAnsiblePlaybook, so in that sense Systems Manager has supported Ansible for some time. The connection plugin works differently. The AWS-RunAnsiblePlaybook document uses Ansible in a pull-based model: the server pulls in the correct playbook and executes it locally. The new connection plugin lets Ansible work in its traditional push-based model, which means you can use it from Ansible Tower or a Jenkins server.
This solution lets us take advantage of the full power of AWS Session Manager with Ansible.
- Tighten Network Access – The plugin lets us manage instances with Ansible without any network path from the control machine to the targets. We get the advantages of segregated networks with inbound remote access disabled, while still keeping configuration and telemetry centralized on the Ansible server.
- Eliminate Key Management – Since Ansible now connects through Session Manager, we no longer need keys or passwords to reach the machines. Ansible authenticates to AWS with the control machine's credentials (an IAM role when it runs on AWS), and the target's instance role lets the SSM agent accept the session; AWS rotates those credentials natively, so we don't have to build a custom solution. For human access, Session Manager can be combined with MFA. With both human and machine access going through Session Manager, SSH keys and Windows admin passwords can be eliminated entirely.
The plugin has the following requirements:
- The remote EC2 instance must be running SSM Agent.
- The remote EC2 instance must have curl installed. The plugin stages module files through an S3 bucket (set with the plugin's bucket option) and fetches them on the target with curl, so the control machine's credentials also need access to that bucket. In Windows PowerShell, curl is already available as an alias for Invoke-WebRequest.
- The control machine must have the AWS Session Manager Plugin installed.
- Ansible version 2.10 on the control machine.
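Putting the requirements above to work, here is an added example of an inventory and playbook that drive the plugin. It is constructed for this page and is not code from the plugin's documentation or from Flux7 or Cleo: the instance IDs, bucket name and region are placeholders, the `ansible_aws_ssm_*` variables follow the plugin's connection options as published in the community.aws collection for Ansible 2.10, and the playbook uses the plugin to finish the job described earlier, turning off SSH on hosts that no longer need it.

```yaml
# inventory.yml -- constructed example; instance IDs, bucket and region are placeholders
all:
  vars:
    ansible_connection: community.aws.aws_ssm        # the Session Manager connection plugin
    ansible_aws_ssm_region: us-east-1
    ansible_aws_ssm_bucket_name: example-ansible-ssm-transfer   # bucket the plugin uses to stage files
    # ansible_aws_ssm_profile: sso-admin             # optional: named AWS profile, e.g. one backed by SSO + MFA
  children:
    linux:
      hosts:
        web-1:
          ansible_aws_ssm_instance_id: i-0123456789abcdef0
        web-2:
          ansible_aws_ssm_instance_id: i-0123456789abcdef1
    windows:
      vars:
        ansible_shell_type: powershell               # required for Windows targets
      hosts:
        win-1:
          ansible_aws_ssm_instance_id: i-0fedcba9876543210

---
# site.yml -- run with: ansible-playbook -i inventory.yml site.yml
- name: Retire SSH on Linux hosts now managed over Session Manager
  hosts: linux
  become: true                                       # sessions log in as ssm-user; become escalates with sudo
  tasks:
    - name: Stop and disable the SSH daemon (the service is named "ssh" on Debian/Ubuntu)
      ansible.builtin.service:
        name: sshd
        state: stopped
        enabled: false

    - name: Confirm nothing is listening on port 22 any more
      ansible.builtin.wait_for:
        port: 22
        state: stopped
        timeout: 10

- name: Confirm Windows hosts answer over Session Manager
  hosts: windows
  tasks:
    - name: Report the hostname
      ansible.windows.win_command: hostname
      register: result
      changed_when: false

    - name: Show it
      ansible.builtin.debug:
        var: result.stdout
```

No SSH key, password or inbound security-group rule appears anywhere in this inventory: the control machine only needs AWS credentials allowed to start sessions on those instances and to read and write the transfer bucket, and the targets only need a registered SSM Agent. Stopping sshd removes the listener but not the security-group rule, so close port 22 in the group as well once the last SSH dependency is gone. The pull-based counterpart described above would instead invoke the AWS-RunAnsiblePlaybook document through Run Command and have each instance fetch and run the playbook itself.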
At Flux7 and Cleo, we saw a real need for a connection plugin that lets Ansible execute tasks on an EC2 instance through the Session Manager plugin for the AWS CLI. The Ansible AWS Session Manager Plugin is an alternative to SSH connections that eliminates the need for jump boxes and SSH keys. For Windows, it likewise eliminates the need for the control machine to hold username/password credentials for WinRM to manage remote EC2 instances. While SSH and WinRM have long been touted as tools of the DevOps trade, we believe this new plugin can help enable the next generation of large-fleet server management.
Take a look for yourself and let us know if you agree. You can download and leave feedback about the new Ansible AWS Session Manager Plugin here.
Post Date: 09/28/2020