nSights Talks

User Access Management Using Ansible

Tutorial Highlights & Transcript

00:00 - Beginning of Video
My demo topic is User Access Management using Ansible.
00:12 - Scope of Demo
In this demo, we’ll see how to connect to the private servers using the bastion host, how to create and remove users on the bastion and private servers, and how to set up the SSH keys of newly created users with the Ansible playbook execution. In general, we know it’s an easy job to connect to the remote servers from the Ansible host machine where we can execute the Ansible playbook. As long as we have the SSH connectivity, we are good. But when it comes to the enterprises where we do not have direct access to their private servers, for security reasons we use the bastion, and with the SSH forwarding mechanism we can enter into the private servers using the bastion as a tunnel. Similarly, in on-call, we have a client which has multiple servers, and we do not have direct access to the private servers. Rather, we use the bastion as a medium to connect to those servers, the private servers. And sometimes we see situations where new engineers are being added to our team or in their team. And to provide them access, we need to create the users on all the servers. And suppose we have any engineer who is no longer working with that client; obviously, in that case, we need to remove their access from all the servers. And to perform all these tasks manually is a little time-consuming process. So to automate this, we use Ansible. And this is what I’m going to discuss today in this demo. So let’s see how we can do that.
01:47 - Ansible Flow Chart
So this is my flow diagram. So here you can see in the public subnet, I launched one instance, which is my bastion host. And I launched a few instances under the private subnet. And this is a machine where I installed Ansible, which is the Ansible host machine. And here I’m going to execute the Ansible playbook, which is going to perform a few tasks. So in this particular demo, I’m going to perform basically three tasks. First, it’s going to create the users on all these remote hosts. And then it’s going to set up the SSH keys. And the last task is to remove a few users from all the servers which are already present there.
02:37 - Prerequisites
Okay, the next is prerequisites. So here I launched new servers. I launched one instance on which I installed Ansible, which is my Ansible host machine. And I launched one instance under the public subnet, which is the bastion host or the jump server. And I also launched instances under the private subnet, which are grouped into the prod and the dev servers. And this is the list of files, which I have already created. And these are required to perform these tasks. So let’s have a look at these files one by one.
03:17 - Inventory Files
So first is the inventory file. So in this I have mentioned the list of hosts, which I have mentioned under the host groups I’m using here, the prod servers and dev servers. And I also included here the variables, that is, the prod servers var definition and the dev servers var definition. So inside this, this is the SSH port that Ansible will use to SSH into the remote hosts. And this is the user that Ansible will use to perform the tasks on all the remote servers. And this is the private key that is required to SSH into the remote hosts. And here I’m passing the argument StrictHostKeyChecking=no. And this is the ProxyCommand that Ansible will use to enter into the bastion host and, using the agent forwarding mechanism, it will then enter into the private servers. Similarly, inside the dev servers var definition.
04:12 - Users.yml
The next is the users.yml file. So in this I have listed the list of users that I’m going to create on all the remote hosts. And this is the list of users to remove from all the servers, and these users are already present on all the remote hosts.
04:31 - Ansible Playbook
Next is the Ansible playbook. So in this I have mentioned a few tasks, as you can see. First I’m including here the variables from this users.yml file. The first task here is to create the users on remote hosts, for which I’m using here the user module, and I’m taking the name from the users.yml file and then providing here the shell, the group, and state present. The next task is to set up the public keys, for which I’m using here the authorized_key module. And the user it will pick from the users.yml file, and for the key, I used here the lookup function, which will look up the file with this name under this directory. And the last task is to remove the users on remote hosts, for which I use the user module, and the name it will take from the users.yml file. And here I’m providing the shell, this is the group, and state absent and remove.
05:31 - Demo
So currently, I’m inside the Ansible host machine. And here you can see this is the list of files which we have discussed previously, and which are required to perform this task. So first, let me show you this public keys directory. So inside this, as you can see, I have placed here the public keys of all the users that I want to create on all the remote servers. And here I’m going to execute the Ansible playbook. So before that, let me take you inside the bastion host. So inside the bastion, let’s check the list of users that are currently present here. Okay, so if we have a look at this users.yml file, as you can see, this is the list of users that I want to create on all the servers. And in the bastion, as you can see, these users are currently not present here. And only these two users are present. And I want to remove them from all the servers. And let’s, for example, check any private server as well. For example, I’m taking this prod server one, and pasting it into this. Let’s check the list of users that are present inside this private instance. So as you can see, currently, only these two users are present here. And we want to remove them, and this is the list of users that I want to create on all the servers. So for that, I’m going to execute the Ansible playbook. For that I’m going back to the Ansible host machine, and I’m going to run the command.

Okay, as you can see, the Ansible playbook is executed successfully. It has performed all the tasks: it has created the users on the remote hosts, and also set up the authorized keys, and also removed the users from the remote hosts. Now, to confirm whether these users are created successfully on all the servers or not, first I’m going to SSH into the bastion host using a new user. For example, I’m taking any new user. Let’s take this user Ray.

Okay, so I successfully logged in to the bastion using this user Ray. It means this user is created inside the bastion. Let’s check the list of users now inside the bastion. Okay, so as you can see, all these users which are listed here are now present inside the bastion. And these two users which were earlier present are now removed from here. So it means this task is successfully done here. And now let’s move to any private server. For example, I’m taking the dev server here. And I’m going to SSH into this dev server using the same username, as I forwarded its public key into the bastion. So I’m using the same user Ray. So I successfully logged in to this dev server as well. It means this user is also created inside this. Let’s check the list of users present inside this, and as you can see, all the users that I listed here are now present here. And these two users are removed from here. So that’s it. That’s how we can create multiple users on multiple servers in one go using the Ansible playbook. And yeah, that’s a small demo from my side.
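The inventory, users file and playbook described in the talk, written out as an added example that is not the speaker's own code. Host names, IP addresses, group names (prod_servers, dev_servers, engineers), user names (ray, alice, olduser1, olduser2), key paths and the bastion hostname are all assumed placeholders. Where the demo passes StrictHostKeyChecking=no, the example keeps host key verification on with a pinned known_hosts file and uses ProxyJump instead of an agent-forwarding ProxyCommand, so the private key never has to be exposed to the bastion; the demo's weaker setting is shown commented out for comparison. The authorized_key module here comes from the ansible.posix collection.

```yaml
# --- inventory.yml (assumed layout; names and addresses are placeholders) ---
all:
  children:
    bastion:
      hosts:
        bastion-1:
          ansible_host: bastion.example.com
      vars:
        ansible_user: ubuntu
        ansible_ssh_private_key_file: ~/.ssh/bastion_key.pem
    prod_servers:
      hosts:
        prod-1: { ansible_host: 10.0.1.10 }
        prod-2: { ansible_host: 10.0.1.11 }
      vars: &private_vars
        ansible_port: 22
        ansible_user: ubuntu
        ansible_ssh_private_key_file: ~/.ssh/private_key.pem
        # Demo setting (weak): accepts any host key, so a host impersonating a
        # private server or the bastion would not be detected.
        # ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o ProxyCommand="ssh -A -W %h:%p -q ubuntu@bastion.example.com"'
        # Hardened form: verify host keys against a pinned file and hop through
        # the bastion with ProxyJump, which needs no agent forwarding to the bastion.
        ansible_ssh_common_args: >-
          -o StrictHostKeyChecking=yes
          -o UserKnownHostsFile=~/.ssh/known_hosts_private
          -o ProxyJump=ubuntu@bastion.example.com
    dev_servers:
      hosts:
        dev-1: { ansible_host: 10.0.2.10 }
      vars: *private_vars

---
# --- users.yml (constructed sample data) ---
users_to_create:
  - ray
  - alice
users_to_remove:
  - olduser1
  - olduser2

---
# --- manage_users.yml ---
- name: Manage engineer accounts on bastion and private servers
  hosts: bastion:prod_servers:dev_servers
  become: true
  vars_files:
    - users.yml
  tasks:
    - name: Ensure the shared engineers group exists
      ansible.builtin.group:
        name: engineers
        state: present

    - name: Create users
      ansible.builtin.user:
        name: "{{ item }}"
        shell: /bin/bash
        groups: engineers
        append: true          # add to engineers without dropping other memberships
        state: present
      loop: "{{ users_to_create }}"

    - name: Install each user's public key from public_keys/<user>.pub
      ansible.posix.authorized_key:
        user: "{{ item }}"
        key: "{{ lookup('file', 'public_keys/' + item + '.pub') }}"
        exclusive: true       # authorized_keys holds only the key we manage
        state: present
      loop: "{{ users_to_create }}"

    - name: Remove departed users together with their home directories
      ansible.builtin.user:
        name: "{{ item }}"
        state: absent
        remove: true          # delete home and mail spool, not just the passwd entry
      loop: "{{ users_to_remove }}"

    - name: Confirm removed users no longer resolve
      ansible.builtin.command: getent passwd {{ item }}
      register: removed_check
      failed_when: removed_check.rc == 0
      changed_when: false
      loop: "{{ users_to_remove }}"
```

Run it from the Ansible host with `ansible-playbook -i inventory.yml manage_users.yml`. The pinned known_hosts file has to be populated once (for example from the instances' console output or a trusted out-of-band copy) before the hardened setting will connect; the final task fails the run if a departed account still resolves on any host, which is the check the demo performs by hand.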

Jasmeet Singh

Shivani Katoch

Senior DevOps Support Engineer

nClouds

Shivani has been a Senior DevOps Support Engineer at nClouds since 2020 and works with customers to build modern, well-architected infrastructure on AWS. She is an AWS Certified Solutions Architect - Associate.