Managing SSH keys efficiently is critical for secure server access. The Ansible authorized_key module makes this easy by automating the addition and removal of public keys across your infrastructure, which reduces human error and keeps every host consistent with the key set you intend.
This guide walks you through managing SSH keys with Ansible.
What is the authorized_key Module in Ansible?
The authorized_key module manages a user's ~/.ssh/authorized_keys file. You can add or remove public keys to control who can log in via SSH as that user.
The basic syntax of the Ansible authorized_key module looks like this:
- name: Manage SSH keys
  ansible.builtin.authorized_key:
    user: username
    state: state
    key: ssh_key
Here is a brief explanation:
- user: (required) The username of the user whose authorized_keys file is being managed.
- state: (optional, default: present) Whether the key should be present or absent in the user's authorized_keys file.
- key: (required) The SSH public key to add or remove, as a string. Several keys can be passed in one value separated by newlines, and you can read the key from a file on the control node with lookup('file', ...) instead of pasting it into the playbook.
Other options worth knowing: exclusive (remove every key not listed in key; it is not loop-aware, so pass all keys in a single newline-separated string), key_options (a string of authorized_keys options such as from="..." or no-port-forwarding written in front of the key), path (manage a file other than ~/.ssh/authorized_keys) and manage_dir (default yes: create ~/.ssh with mode 0700 and the file with mode 0600 if they are missing).
Adding SSH Keys
Adding a public key to a user's authorized_keys file grants whoever holds the matching private key login as that user, so this is the task you will run most often. Below are examples of how to add SSH keys using Ansible.
Example 1: Adding a Single SSH Key
To add a single SSH key for a user, use the following playbook:
---
- name: Add SSH Key for User
  hosts: all
  become: yes
  tasks:
    - name: Add authorized key for user
      ansible.builtin.authorized_key:
        user: johndoe
        state: present
        key: "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA7X... your_key_comment"
In this playbook:
- hosts: all runs the task on every host in the inventory.
- become: yes escalates privileges (to root by default), which is needed to write into another user's home directory and to set the file's ownership correctly.
- The task adds the specified public key to the johndoe user's ~/.ssh/authorized_keys file; if the key is already there, nothing changes, because the module is idempotent.
Example 2: Adding Multiple SSH Keys with Loop
To add multiple SSH keys, you can use a list and loop through each key:
---
- name: Add Multiple SSH Keys for User
  hosts: all
  become: yes
  vars:
    ssh_keys:
      - "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArZ... key1_comment"
      - "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArZ... key2_comment"
  tasks:
    - name: Add authorized keys for user
      ansible.builtin.authorized_key:
        user: johndoe
        state: present
        key: "{{ item }}"
      loop: "{{ ssh_keys }}"
In this playbook:
- The variable ssh_keys holds a list of public keys.
- The task loops over the list and adds each key to the johndoe user's ~/.ssh/authorized_keys file. Do not combine this loop with exclusive: yes; that option is not loop-aware and would leave only the last key in the file.
Removing SSH Keys
Removing SSH keys is how you revoke access, so it should be as routine as adding them. Keep in mind that removing a key only prevents new logins with it; sessions that are already open stay up until they are closed. Below are examples of how to remove SSH keys using Ansible.
Example 1: Removing a Single SSH Key
To remove a single SSH key for a user, use the following playbook:
---
- name: Remove SSH Key for User
  hosts: all
  become: yes
  tasks:
    - name: Remove authorized key for user
      ansible.builtin.authorized_key:
        user: johndoe
        state: absent
        key: "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArZ... your_key_comment"
In this playbook:
- The task removes the specified public key from the johndoe user's ~/.ssh/authorized_keys file. The module matches on the key type and key material, so the comment in the file does not have to match the one in the playbook.
Example 2: Removing Multiple SSH Keys
To remove multiple SSH keys, you can use a list and loop through each key:
---
- name: Remove Multiple SSH Keys for User
  hosts: all
  become: yes
  vars:
    ssh_keys:
      - "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArZ... key1_comment"
      - "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArZ... key2_comment"
  tasks:
    - name: Remove authorized keys for user
      ansible.builtin.authorized_key:
        user: johndoe
        state: absent
        key: "{{ item }}"
      loop: "{{ ssh_keys }}"
In this playbook:
- The task loops over the list and removes each key from the johndoe user's ~/.ssh/authorized_keys file. Keys that are not present are skipped without error, so the play is safe to run repeatedly.
Verifying SSH Key Existence
Before relying on a key in later tasks it is worth checking the state on the host. The simplest check is whether the user's authorized_keys file exists at all, which the stat module can tell you; whether a particular key is inside it is a separate question (the module's own result on a second run, changed: false, is the quickest answer to that).
---
- name: Verify SSH Key Existence
  hosts: all
  become: yes
  tasks:
    - name: Check if SSH key is present
      ansible.builtin.stat:
        path: /home/johndoe/.ssh/authorized_keys
      register: authorized_keys_file
    - name: Debug authorized keys file
      ansible.builtin.debug:
        var: authorized_keys_file
In this playbook:
- The stat module reports whether /home/johndoe/.ssh/authorized_keys exists, along with its owner and permissions; it does not tell you whether a specific key is in the file.
- The debug task prints the registered result so you can inspect fields such as exists, pw_name and mode.
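A check that actually confirms the key rather than just the file, as an added example that is not part of the original article: it asserts on the file's owner and mode from stat, then reads the file with slurp and checks that the expected key material (the base64 field, so neither the comment nor any options in front of the key matter) is present, and finally lists every active key line so stray keys are visible. The user johndoe, the placeholder key and the file path are assumptions made for this example.

```yaml
---
# Added example, not from the original article. Verifies that a specific public key
# is authorized for a user and that the file is owned by that user with mode 0600.
# Assumptions: target user johndoe; the key below is a constructed placeholder and
# must be replaced with the real public key you expect to find.
- name: Verify that a specific public key is authorized for a user
  hosts: all
  become: true
  vars:
    target_user: johndoe
    expected_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... contractor@example.com"
    authorized_keys_path: "/home/{{ target_user }}/.ssh/authorized_keys"
  tasks:
    - name: Stat the authorized_keys file (existence, owner, mode)
      ansible.builtin.stat:
        path: "{{ authorized_keys_path }}"
      register: ak_stat

    - name: Fail if the file is missing, owned by another user, or too permissive
      ansible.builtin.assert:
        that:
          - ak_stat.stat.exists
          - ak_stat.stat.pw_name == target_user
          - ak_stat.stat.mode == "0600"
        fail_msg: "{{ authorized_keys_path }} is missing or has unsafe owner/mode on {{ inventory_hostname }}"

    - name: Read the file (slurp returns the content base64-encoded)
      ansible.builtin.slurp:
        src: "{{ authorized_keys_path }}"
      register: ak_file

    - name: Collect the active key lines, skipping comments and blank lines
      ansible.builtin.set_fact:
        active_key_lines: "{{ (ak_file.content | b64decode).splitlines() | reject('match', '^\\s*(#|$)') | list }}"

    - name: Fail if the expected key material is not present
      ansible.builtin.assert:
        that:
          # Field 1 of "type base64 comment" is the key material; matching on it
          # ignores the comment and any options (from=, expiry-time=, ...) in front.
          - expected_key.split()[1] in (ak_file.content | b64decode)
        fail_msg: "Expected key for {{ target_user }} not found on {{ inventory_hostname }}"
        success_msg: "Key present; {{ active_key_lines | length }} key line(s) authorized in total"

    - name: Show every active key line so unexpected keys are visible
      ansible.builtin.debug:
        var: active_key_lines
```

The ownership and mode assertions come first because sshd with StrictModes (the default) ignores an authorized_keys file that is writable by others or not owned by the user, so a key can be "present" and still not work.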
Real-World Use Case
Imagine you need to grant a contractor temporary access. You add their public key, and remove it once the work is done.
The playbook below adds a contractor's public key for the user johndoe, waits one hour with pause, and then removes the key again. Note that this keeps the play, and its connection to every host, blocked for the whole hour, and if the run is interrupted the key is never removed; treat it as an illustration of the add/remove pair rather than as a production pattern.
---
- name: Grant Temporary Access
  hosts: all
  become: yes
  tasks:
    - name: Add contractor's SSH key
      ansible.builtin.authorized_key:
        user: johndoe
        state: present
        key: "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArZ... contractor_key"
    - name: Wait for 1 hour
      ansible.builtin.pause:
        minutes: 60
    - name: Remove contractor's SSH key
      ansible.builtin.authorized_key:
        user: johndoe
        state: absent
        key: "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArZ... contractor_key"
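A self-enforcing alternative to the pause approach, as an added example that is not part of the original article: instead of keeping a play blocked for an hour, it lets sshd refuse the key after a deadline through the authorized_keys expiry-time option (OpenSSH 7.7 and later), passed via key_options, and also restricts where the key may connect from and what it may do. A second play, skipped unless you ask for it, sweeps the key out of the file. The user johndoe, the placeholder key, the contractor network 203.0.113.0/24 and the access_expiry and revoke extra variables are assumptions made for this example.

```yaml
---
# Added example, not part of the original article. Grants time-boxed, source-
# restricted access and lets sshd enforce the deadline (expiry-time needs
# OpenSSH 7.7 or newer on the target). Assumptions: user johndoe, a constructed
# placeholder key, and 203.0.113.0/24 (TEST-NET-3) as the contractor's network.
# Run with:  ansible-playbook temp-access.yml -e access_expiry=202501311800Z
# Revoke:    ansible-playbook temp-access.yml -e access_expiry=x -e revoke=true
- name: Grant time-boxed, source-restricted SSH access
  hosts: all
  become: true
  vars:
    target_user: johndoe
    contractor_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... contractor@example.com"
    contractor_cidr: "203.0.113.0/24"
  tasks:
    - name: Refuse to run without an explicit, well-formed UTC expiry (YYYYMMDDHHMMZ)
      ansible.builtin.assert:
        that:
          - access_expiry is defined
          - access_expiry is match('^[0-9]{12}Z$')
        fail_msg: "Set access_expiry to a UTC timestamp such as 202501311800Z"
      when: not (revoke | default(false) | bool)

    - name: Authorize the contractor key with an sshd-enforced expiry and restrictions
      ansible.builtin.authorized_key:
        user: "{{ target_user }}"
        state: present
        key: "{{ contractor_key }}"
        # Options are written in front of the key in authorized_keys. The trailing Z
        # makes the deadline UTC; without it sshd uses the host's local time zone.
        key_options: 'expiry-time="{{ access_expiry }}",from="{{ contractor_cidr }}",no-port-forwarding,no-agent-forwarding,no-X11-forwarding'
      when: not (revoke | default(false) | bool)

- name: Revoke the contractor key (run with -e revoke=true once the engagement ends)
  hosts: all
  become: true
  vars:
    target_user: johndoe
    contractor_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... contractor@example.com"
  tasks:
    - name: Remove the contractor key; the options prefix does not affect matching
      ansible.builtin.authorized_key:
        user: "{{ target_user }}"
        state: absent
        key: "{{ contractor_key }}"
      when: revoke | default(false) | bool
```

Two caveats remain even with expiry-time: an expired key is only refused by sshd, it is not deleted, so still run the revoke play to keep the file clean, and neither expiry nor removal terminates sessions that are already established.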
Best Practices for SSH Key Management
- Always use public key authentication; disable password logins in sshd.
- Ensure ~/.ssh has 0700 and ~/.ssh/authorized_keys has 0600 permissions, both owned by the user. The module's default manage_dir: yes sets this up, and sshd ignores the file if it is writable by others.
- Use file-based keys with lookup('file', ...) to avoid hardcoding keys in playbooks.
- Rotate SSH keys regularly, and remove a key as soon as its owner no longer needs access.
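Putting the file-based-keys practice together with the module's exclusive option, as an added example that is not part of the original article (it is also the desired-state version of the loop in the Adding Multiple SSH Keys section above): the play reads every .pub file from a local, version-controlled directory with the fileglob and file lookups, refuses to proceed if it found none, and installs exactly that set with exclusive: true, which removes any key that is not in the list. Because exclusive is not loop-aware, the keys are passed as one newline-separated string. The directory files/johndoe_keys/ and the user johndoe are assumptions made for this example.

```yaml
---
# Added example, not code from the original article. Enforces the exact set of
# authorized keys for a user from local .pub files (one key per file).
# Assumptions: keys live in files/johndoe_keys/*.pub next to the playbook, a path
# chosen for this example, and the target user is johndoe.
- name: Enforce the exact set of authorized keys from version-controlled .pub files
  hosts: all
  become: true
  vars:
    target_user: johndoe
    key_dir: "{{ playbook_dir }}/files/{{ target_user }}_keys"
  tasks:
    - name: Read each local .pub file into a list of public keys
      ansible.builtin.set_fact:
        public_keys: "{{ (public_keys | default([])) + [lookup('ansible.builtin.file', item) | trim] }}"
      loop: "{{ query('ansible.builtin.fileglob', key_dir ~ '/*.pub') }}"

    - name: Refuse to wipe the user's access by mistake
      ansible.builtin.assert:
        that:
          - public_keys | default([]) | length > 0
        fail_msg: "No .pub files in {{ key_dir }}; exclusive: true would remove every key for {{ target_user }}"

    - name: Install exactly this set of keys (any key not listed is removed)
      ansible.builtin.authorized_key:
        user: "{{ target_user }}"
        state: present
        exclusive: true
        # exclusive is not loop-aware, so all keys go in one newline-separated string
        key: '{{ public_keys | join("\n") }}'
```

Run with --check --diff first: exclusive: true rewrites the file to match the list, and the diff shows exactly which keys would be dropped, which is the review step you want before revoking anyone's access in bulk.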
Conclusion
The Ansible authorized_key module is a powerful way to automate secure access to Linux servers. It ensures consistency, prevents manual errors, and makes it easy to manage user-level SSH access across environments.
Add, remove, or temporarily allow SSH access in just a few lines of YAML.
FAQs
1. Can I remove an SSH key from a remote server using the authorized_key module?
Yes. Set state: absent and pass the same public key in key. The module matches on the key type and key material, so the comment stored in the file does not have to match.
2. Is it possible to manage multiple keys for a user using the authorized_key module?
Yes, you can add multiple SSH keys by defining multiple tasks in your playbook, each specifying a different key or using a loop.
3. Can I use a key file instead of directly specifying the SSH key in the playbook?
The authorized_key module has no keyfile parameter. Read the file on the control node with the file lookup instead, for example key: "{{ lookup('file', 'johndoe.pub') }}"; the key parameter also accepts a URL such as https://github.com/username.keys.
4. How can I verify if an SSH key was successfully added to a remote server?
Run the same authorized_key task again: a result of changed: false means the key is already present (add --check to see this without touching the host). To inspect the file itself, read it with slurp or stat from Ansible, or run ssh-keygen -lf ~/.ssh/authorized_keys on the host to list the fingerprints it contains.