DevOps · K8s · Volleyball · Travel

Launch an EC2 Instance and Install Packages with Ansible

— ny_wk


Ansible can spin up an EC2 instance and configure it in one playbook — no clicking around the AWS console. The trick most tutorials get dangerously wrong is credentials: never hardcode your AWS access keys in the playbook. Here's how to do it cleanly and securely.

Prerequisites

Ansible's AWS modules execute on the control machine (the play targets localhost), so the Python AWS SDK must be installed for the same interpreter Ansible runs under, and the amazon.aws collection that provides the ec2_instance module must be available (ansible-core does not bundle it):

sudo apt-get install python3-pip
pip3 install boto3 botocore
ansible-galaxy collection install amazon.aws

Handle credentials the RIGHT way (read this first)

Do not paste aws_access_key/aws_secret_key into the playbook — leaked keys get scraped and abused within minutes. Use one of these instead:

  • IAM role on the control instance (best when the control machine is itself on EC2): the modules fetch short-lived credentials from the instance metadata service automatically and nothing is written to disk. Scope the role's policy to the EC2 actions the playbook actually uses rather than attaching a broad administrative policy.
  • Environment variables: AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY (plus AWS_SESSION_TOKEN when the credentials are temporary) in your shell. Prefer short-lived credentials from an assumed role or SSO login over long-lived user keys, and do not export them from a dotfile that gets backed up, synced, or committed.
  • ansible-vault to encrypt secrets if you must keep them in a vars file. Vault protects the file at rest only: anyone holding the vault password has the keys, so the password file needs the same care as the keys themselves.

If you ever exposed a key, deactivate or delete it in IAM immediately, then check CloudTrail for calls made with it before you assume nothing happened.
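The vault option above, as an added example that is not code from the original post: the keys live only in an ansible-vault-encrypted vars file and reach the AWS modules through the play's environment, so the playbook itself carries no secret, and the first thing it does is ask STS which principal the credentials belong to. The file names, variable names, vault password path and region are assumptions for this example.

```yaml
---
# Added example (not the original post's code). Assumed layout:
#   group_vars/all/vault.yml   encrypted with ansible-vault, containing
#     vault_aws_access_key: AKIAEXAMPLEEXAMPLE              (placeholder)
#     vault_aws_secret_key: EXAMPLEsecretEXAMPLEsecret      (placeholder)
#   ~/.vault_pass              the vault password, mode 0600, never in git
#
# One-time setup (prompts for the vault password, then opens an editor):
#   ansible-vault create group_vars/all/vault.yml
# Run:
#   ansible-playbook --vault-password-file ~/.vault_pass check_creds.yml
#
# If the credentials are temporary (STS), vault the session token as well
# and export it here as AWS_SESSION_TOKEN.
- name: Verify vaulted AWS credentials before touching EC2
  hosts: localhost
  gather_facts: false
  environment:
    # The modules read the standard boto3 environment variables, so no
    # module needs access_key/secret_key parameters in the playbook.
    AWS_ACCESS_KEY_ID: "{{ vault_aws_access_key }}"
    AWS_SECRET_ACCESS_KEY: "{{ vault_aws_secret_key }}"
    AWS_DEFAULT_REGION: us-east-1
  tasks:
    - name: Ask STS which principal these credentials belong to
      amazon.aws.aws_caller_info: {}
      register: whoami

    - name: Show the identity (the ARN is not a secret; the keys never appear)
      ansible.builtin.debug:
        msg: "Running as {{ whoami.arn }} in account {{ whoami.account }}"
```

If the vault is not unlocked, Ansible refuses to load group_vars/all/vault.yml and the play never starts, which is the failure mode you want: it cannot fall through to some other credential lying around in the environment. The same environment block can be lifted onto the launch play below.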

Step 1 — Create the EC2 instance

A minimal playbook using the amazon.aws.ec2_instance module (credentials come from the environment or the IAM role, never from the file):

---
- name: Launch an EC2 instance
  hosts: localhost
  gather_facts: false
  vars:
    region: us-east-1
    instance_type: t2.micro
    ami: ami-xxxxxxxx  # an Ubuntu AMI for your region
    keypair: my-key
  tasks:
    - name: Create the instance (matched on the Name tag, so re-runs don't create duplicates)
      amazon.aws.ec2_instance:
        name: demo
        key_name: "{{ keypair }}"
        instance_type: "{{ instance_type }}"
        image_id: "{{ ami }}"
        region: "{{ region }}"
        wait: true   # block until the instance is running so the IP is available
      register: ec2  # instance details (IDs, IPs) for the next play

Two things this minimal version leaves to defaults: with no security_groups or vpc_subnet_id set, the instance lands in the default VPC's default security group, so give it a group that only opens port 22 from your control host; and the key pair named here must already exist in the region, because the module does not create it.

Step 2 — Install packages on the new box

Register the result of the launch task, feed the new instance's address into the in-memory inventory with ansible.builtin.add_host (or use the amazon.aws dynamic inventory plugin), wait for SSH to come up, then run a second play that targets that group with become enabled and installs packages with the apt module (yum or dnf on Amazon Linux), for example installing nginx and ensuring it is running and enabled. Provisioning and configuration now happen in one flow.
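Steps 1 and 2 together, as an added example that is not the original post's playbook: the first play launches the instance and registers it in the in-memory inventory, the second installs and starts nginx. It assumes an Ubuntu AMI (login user ubuntu, apt as the package manager), a key pair my-key whose private half is at ~/.ssh/my-key.pem, a pre-existing security group demo-sg that allows TCP/22 from the control machine, and a default VPC whose subnets auto-assign public IPs. AWS credentials come from the normal credential chain, never from this file.

```yaml
---
# Added example (not the original post's code). See the lead-in for the
# assumptions: Ubuntu AMI, key pair "my-key" at ~/.ssh/my-key.pem, security
# group "demo-sg" allowing TCP/22 from this machine, default VPC with public
# IPs. The AMI ID is a placeholder you must replace for your region.
- name: Launch the instance
  hosts: localhost
  gather_facts: false
  vars:
    region: us-east-1
    instance_type: t2.micro
    ami: ami-xxxxxxxx            # an Ubuntu AMI for your region
    keypair: my-key
    private_key: ~/.ssh/my-key.pem
  tasks:
    - name: Create the instance (idempotent on the Name tag "demo")
      amazon.aws.ec2_instance:
        name: demo
        key_name: "{{ keypair }}"
        instance_type: "{{ instance_type }}"
        image_id: "{{ ami }}"
        region: "{{ region }}"
        security_groups: [demo-sg]   # assumed to exist; avoid the default SG
        wait: true
      register: ec2

    - name: Put the new host into the in-memory inventory group "launched"
      ansible.builtin.add_host:
        name: "{{ ec2.instances[0].public_ip_address }}"
        groups: launched
        ansible_user: ubuntu
        ansible_ssh_private_key_file: "{{ private_key }}"
        # accept-new records the host key on first contact and still refuses
        # a changed key later; do not disable host key checking outright.
        ansible_ssh_common_args: -o StrictHostKeyChecking=accept-new

    - name: Wait until sshd answers before the next play connects
      ansible.builtin.wait_for:
        host: "{{ ec2.instances[0].public_ip_address }}"
        port: 22
        delay: 10
        timeout: 300

- name: Install and start nginx on the new box
  hosts: launched
  become: true
  gather_facts: true
  tasks:
    - name: Install nginx
      ansible.builtin.apt:
        name: nginx
        state: present
        update_cache: true

    - name: Make sure nginx is running and enabled at boot
      ansible.builtin.service:
        name: nginx
        state: started
        enabled: true
```

Run it with ansible-playbook launch.yml from a shell that already has working AWS credentials (env vars, ~/.aws, or an instance role). For an Amazon Linux AMI, change ansible_user to ec2-user and swap the apt task for ansible.builtin.dnf or ansible.builtin.yum. Because the first task matches on the Name tag, running the playbook again re-uses the existing instance and only re-applies the configuration play.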

Key takeaways

  • Install boto3/botocore on the Ansible control machine for AWS modules.
  • Never hardcode AWS keys — use an IAM role, environment variables, or ansible-vault. Rotate any exposed key.
  • Use amazon.aws.ec2_instance to launch the instance, register its result, add the host to inventory, then configure it in a follow-up play.
  • Parameterize region, AMI, instance type, and keypair with vars.

Frequently asked questions

Why not just put my keys in the playbook?

Playbooks end up in Git and get shared; leaked AWS keys are exploited within minutes. Use IAM roles, env vars, or ansible-vault.

What do boto3 and botocore do?

They're the AWS SDK for Python that Ansible's AWS modules use to talk to AWS APIs.

How does Ansible find credentials without keys in the file?

It checks environment variables, the AWS credentials file, and instance IAM roles automatically — the same chain the AWS CLI uses.

Can one playbook both create and configure the instance?

Yes — create it in one play, register it to inventory, then configure it in a following play.

Launch with the EC2 module, configure with a follow-up play, and keep credentials out of the file — that's secure, repeatable AWS provisioning with Ansible.