Udoh Deborah

Day 55: Understanding Configuration Management with Ansible

Prereqs — quick checklist
• AWS CLI configured on your laptop (if using CLI).
• A VPC/subnet to launch instances in (or use default).
• Decide a keypair name — you must download the private key once.
• Ensure you have permissions to create EC2/Security Groups/IAM if needed.

1) Create (or re-use) an SSH key pair for the instances

Console:
• In EC2 → Key Pairs → Create key pair → give name (e.g. day55-key) → download .pem (keep it safe).

CLI (example):

aws ec2 create-key-pair --key-name day55-key --query 'KeyMaterial' --output text > day55-key.pem
chmod 400 day55-key.pem

N.B. Keep day55-key.pem safe. You’ll use it to SSH into the master and to let the master SSH into the nodes.

2) Launch EC2 instances (1 master + 2 nodes)

You can use the Console “Launch Instance” wizard (simplest) or CLI. Important: when launching all three instances choose the same Key pair name (day55-key) so one private key works for all.

Console steps (recommended):
1. Launch Ubuntu AMI for master (e.g. Ubuntu 22.04 LTS). Select instance type t3.micro (or as needed). Under Key pair, choose day55-key.
2. Launch two additional instances (nodes) — choose same key pair day55-key.
3. Networking / Security Group: create a security group (call it ansible-sg) that allows:
• SSH (port 22) from your IP (for you to SSH into master).
• SSH (port 22) from the master (we’ll tighten this in the next step).
• HTTP (port 80) optional for testing web server.
4. Wait until instances are running. Note the public IP of master and the private IPs of the two nodes (if master & nodes are in same VPC you will use private IPs in inventory).

CLI (quick example — you must set subnet & ami):

# create SG (example: allow SSH from anywhere during testing; better to restrict)
aws ec2 create-security-group --group-name ansible-sg --description "ansible sg" --vpc-id <vpc-id>
aws ec2 authorize-security-group-ingress --group-id <sg-id> --protocol tcp --port 22 --cidr <your-ip>/32
aws ec2 authorize-security-group-ingress --group-id <sg-id> --protocol tcp --port 22 --cidr 0.0.0.0/0   # temp - not recommended
# launch instances (replace subnet-id, ami-id)
aws ec2 run-instances --image-id <ami-id> --count 3 --instance-type t3.micro --key-name day55-key --security-group-ids <sg-id> --subnet-id <subnet-id>


Use console if you’re not comfortable filling subnet/AMI IDs. Also do not leave SSH open to 0.0.0.0/0 in production.

3) Secure the network: allow SSH from master to nodes

Best practice: create a security group for the master and allow inbound SSH to nodes from that master security group.

Console:
• Create ansible-master-sg for the master, and ansible-nodes-sg for nodes.
• Edit ansible-nodes-sg inbound rule: allow SSH (22) Source = ansible-master-sg.

CLI example (authorize by source group):

aws ec2 authorize-security-group-ingress --group-id <nodes-sg-id> --protocol tcp --port 22 --source-group <master-sg-id>

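The two rules that matter here, the temporary 0.0.0.0/0 SSH rule from step 2 and the source-group rule from step 3, can both be checked against what aws ec2 describe-security-groups --output json returns. The script below is an added example, not code from the original post: it parses that JSON, reports any group that admits SSH from the whole internet, and confirms that ansible-nodes-sg admits SSH only from the master’s security group. A hand-constructed sample of the CLI output with placeholder group ids is embedded so it runs offline; the script name sg_audit.py is mine.

```python
"""Audit the security groups from steps 2 and 3.

Added example, not from the original post. It reads the JSON printed by
`aws ec2 describe-security-groups --output json`; the sample below is
constructed by hand to mirror the post's groups, with placeholder group ids.
"""
import ipaddress
import json
import sys

# Constructed sample of describe-security-groups output: ansible-sg still
# carries the temporary 0.0.0.0/0 SSH rule from step 2, ansible-nodes-sg only
# admits SSH from the master's group as step 3 recommends.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-PLACEHOLDER-ANSIBLE",
            "GroupName": "ansible-sg",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [], "UserIdGroupPairs": []},
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [], "UserIdGroupPairs": []},
            ],
        },
        {
            "GroupId": "sg-PLACEHOLDER-NODES",
            "GroupName": "ansible-nodes-sg",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [], "Ipv6Ranges": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-PLACEHOLDER-MASTER"}]},
            ],
        },
    ]
})


def load_groups(describe_json):
    """Parse describe-security-groups output into its list of groups."""
    return json.loads(describe_json)["SecurityGroups"]


def _covers_port(perm, port):
    """True if an IpPermission entry admits `port` (protocol -1 means all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_open_sources(group, port=22):
    """CIDR sources that admit `port` from the whole internet (0.0.0.0/0 or ::/0)."""
    found = []
    for perm in group.get("IpPermissions", []):
        if not _covers_port(perm, port):
            continue
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                found.append(cidr)
    return found


def source_groups(group, port=22):
    """Security-group ids allowed to reach `port` through source-group rules."""
    ids = []
    for perm in group.get("IpPermissions", []):
        if _covers_port(perm, port):
            ids.extend(pair["GroupId"] for pair in perm.get("UserIdGroupPairs", []))
    return ids


def audit(describe_json, nodes_group_name, master_group_id):
    """Map each group name to its findings; an empty list means the group passes."""
    findings = {}
    for group in load_groups(describe_json):
        problems = [f"ssh open to {c}" for c in world_open_sources(group)]
        if group["GroupName"] == nodes_group_name:
            srcs = source_groups(group)
            if srcs != [master_group_id]:
                problems.append(f"ssh source groups {srcs} != [{master_group_id!r}]")
        findings[group["GroupName"]] = problems
    return findings


if __name__ == "__main__":
    # Real usage: aws ec2 describe-security-groups --output json | python3 sg_audit.py <master-sg-id>
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    master = sys.argv[1] if len(sys.argv) > 1 else "sg-PLACEHOLDER-MASTER"
    for name, problems in audit(data, "ansible-nodes-sg", master).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run against the embedded sample it reports ansible-sg as still open to 0.0.0.0/0 on port 22 and ansible-nodes-sg as OK; run it again after step 3 and after revoking the temporary rule to confirm the cleanup actually happened. Only port 22 is audited by default, so the HTTP rule from step 2 is not flagged.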

4) Install Ansible on the master (Ubuntu example)

SSH into the master from your laptop:

ssh -i ./day55-key.pem ubuntu@<MASTER_PUBLIC_IP>

On the master, run:

# update & prepare
sudo apt update
sudo apt install -y software-properties-common

# add Ansible PPA and install
sudo apt-add-repository --yes --update ppa:ansible/ansible
sudo apt update
sudo apt install -y ansible

# quick check
ansible --version


If you prefer an Amazon Linux 2 master, use sudo amazon-linux-extras install ansible2 -y (or install via pip).

5) Copy the private key to the master (securely)

You need the private key on the master so Ansible (running on master) can SSH into the two nodes.

From your laptop (safe, temporary):

# copy private key to master (you are authenticating with the same key)
scp -i ./day55-key.pem ./day55-key.pem ubuntu@<MASTER_PUBLIC_IP>:/home/ubuntu/.ssh/node_key.pem

# on master: lock the key down (ssh refuses a private key that is group/world readable)
ssh -i ./day55-key.pem ubuntu@<MASTER_PUBLIC_IP>   # log in if needed
chown ubuntu:ubuntu /home/ubuntu/.ssh/node_key.pem
chmod 600 /home/ubuntu/.ssh/node_key.pem

Security note: copying private keys is sensitive. Delete the .pem from the master when no longer needed, or better yet use AWS Systems Manager (SSM) or a vault in production rather than copying keys.

6) Create an Ansible inventory (hosts) on the master

You can edit the global /etc/ansible/hosts or maintain a project inventory (recommended). Example: create /home/ubuntu/ansible/hosts (the directory must exist first):

mkdir -p /home/ubuntu/ansible
cat > /home/ubuntu/ansible/hosts <<EOF
[web]
10.0.1.12 ansible_user=ubuntu ansible_ssh_private_key_file=/home/ubuntu/.ssh/node_key.pem
10.0.1.13 ansible_user=ubuntu ansible_ssh_private_key_file=/home/ubuntu/.ssh/node_key.pem

[all:vars]
ansible_python_interpreter=/usr/bin/python3
EOF

Replace 10.0.1.12 / 10.0.1.13 with your nodes’ private IPs (preferred when master & nodes share VPC). Use public IPs only if necessary.

Validate inventory:

ansible-inventory -i /home/ubuntu/ansible/hosts --list -y
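Steps 5 and 6 are where a later “Permission denied (publickey)” usually originates: the copied key must be owned by ubuntu and readable only by ubuntu, and the inventory must point at exactly that path. The script below is an added example, not code from the original post. It refuses to write the inventory until the key’s mode and owner are right, creates the /home/ubuntu/ansible directory the heredoc above assumes, and renders the same [web] / [all:vars] layout. selfcheck() exercises the whole flow in a scratch directory with a placeholder file standing in for the key, so it can be tried offline; the default paths are the post’s, the script name make_inventory.py and the function names are mine.

```python
"""Write the step-6 inventory only after verifying the step-5 key.

Added example, not from the original post. Default paths follow the post;
node IPs are the nodes' private IPs noted in step 2.
"""
import ipaddress
import os
import pathlib
import stat
import sys
import tempfile

KEY_PATH = "/home/ubuntu/.ssh/node_key.pem"     # copied to the master in step 5
INVENTORY_PATH = "/home/ubuntu/ansible/hosts"   # project inventory from step 6


def key_permission_problems(key_path):
    """Reasons ssh would refuse this private key; an empty list means it is usable.

    ssh rejects a key readable by group or others ("UNPROTECTED PRIVATE KEY FILE"),
    which Ansible surfaces as 'Permission denied (publickey)'.
    """
    p = pathlib.Path(key_path)
    if not p.is_file():
        return [f"{key_path} does not exist"]
    info = p.stat()
    mode = stat.S_IMODE(info.st_mode)
    problems = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{key_path} is mode {mode:o}; run chmod 600 {key_path}")
    if info.st_uid != os.geteuid():
        problems.append(f"{key_path} is not owned by the current user")
    return problems


def render_inventory(node_ips, key_path=KEY_PATH, user="ubuntu", group="web"):
    """Build the INI inventory text from step 6 for the given node private IPs."""
    lines = [f"[{group}]"]
    for ip in node_ips:
        ipaddress.ip_address(ip)  # raises ValueError on a mistyped address
        lines.append(f"{ip} ansible_user={user} ansible_ssh_private_key_file={key_path}")
    lines += ["", "[all:vars]", "ansible_python_interpreter=/usr/bin/python3", ""]
    return "\n".join(lines)


def write_inventory(node_ips, inventory_path=INVENTORY_PATH, key_path=KEY_PATH):
    """Refuse to write the inventory while the key is unusable; return the path written."""
    problems = key_permission_problems(key_path)
    if problems:
        raise PermissionError("; ".join(problems))
    path = pathlib.Path(inventory_path)
    path.parent.mkdir(parents=True, exist_ok=True)  # the heredoc in step 6 needs this dir
    path.write_text(render_inventory(node_ips, key_path))
    return str(path)


def selfcheck():
    """Offline demonstration in a scratch dir: a 644 key is rejected, a 600 key accepted."""
    scratch = tempfile.mkdtemp()
    key = os.path.join(scratch, "node_key.pem")
    with open(key, "w") as fh:
        fh.write("PLACEHOLDER, not a real key\n")  # constructed stand-in for the .pem
    os.chmod(key, 0o644)
    before = key_permission_problems(key)
    os.chmod(key, 0o600)
    after = key_permission_problems(key)
    inv = write_inventory(["10.0.1.12", "10.0.1.13"], os.path.join(scratch, "ansible", "hosts"), key)
    hosts = pathlib.Path(inv).read_text().count("ansible_user=")
    return {"before": before, "after": after, "hosts_written": hosts}


if __name__ == "__main__":
    # Real usage on the master: python3 make_inventory.py 10.0.1.12 10.0.1.13
    ips = sys.argv[1:]
    print(write_inventory(ips) if ips else selfcheck())
```

After the file is written, the ansible-inventory command above still applies as the final check. Keep host-key checking on as well: seed ~/.ssh/known_hosts with ssh-keyscan for each node rather than disabling the check, and compare the fingerprint against the one cloud-init printed to the instance console (aws ec2 get-console-output) so that the first connection is not a blind trust.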

7) Ensure target nodes have Python (Ansible requirement)

Most modern AMIs have Python installed. If you see failed to find interpreter for /bin/python errors, install Python on nodes (via user_data at launch or SSH):

# from your laptop or master (if you can SSH)
ssh -i ./day55-key.pem ubuntu@<NODE_IP> 'sudo apt update && sudo apt install -y python3'
# or for Amazon Linux:
ssh -i ./day55-key.pem ec2-user@<NODE_IP> 'sudo yum install -y python3'

8) Run the Ansible ping test

From the master:

# option A: use inventory file with per-host private key configured
ansible -i /home/ubuntu/ansible/hosts web -m ping

# option B: pass user & key on CLI (if you prefer)
ansible all -i /home/ubuntu/ansible/hosts -u ubuntu --private-key=/home/ubuntu/.ssh/node_key.pem -m ping

Expected output:

10.0.1.12 | SUCCESS => {"changed": false, "ping": "pong"}
10.0.1.13 | SUCCESS => {"changed": false, "ping": "pong"}

Troubleshooting (common failures)
• SSH permission denied:
  • Ensure you are using the correct key and that it is chmod 600. Check that the instance was launched with the same key pair.
• Connection timed out:
  • Check the node security group inbound rules (allow SSH from the master private IP or the master SG). Check route tables/ACLs.
• python not found / failed to find interpreter:
  • Install Python 3 on the nodes (see Step 7) or set ansible_python_interpreter=/usr/bin/python3 in the inventory.
• Host key verification errors:
  • On master: ssh-keyscan -H <NODE_IP> >> ~/.ssh/known_hosts, or export ANSIBLE_HOST_KEY_CHECKING=False for quick testing (not recommended for production).

Clean-up & security recommendations
• Don’t leave your .pem files lying around. Remove or rotate them after testing.
• For production, prefer AWS Systems Manager (SSM) or a bastion + IAM roles instead of copying private keys.
• Use Ansible Vault or secrets manager for sensitive credentials.
