Ansible on AWS: Automate EC2, S3, IAM & More (Complete Guide 2026)
By Luca Berton · Published 2024-01-01 · Category: installation
How to use Ansible with AWS. Automate EC2 instances, S3 buckets, IAM, VPC, RDS, and Lambda. Install amazon.aws collection, configure credentials, and deploy.
Ansible integrates with AWS through the amazon.aws collection, letting you automate EC2 instances, S3 buckets, VPCs, IAM, RDS, and 100+ AWS services using YAML playbooks. This guide covers setup, credentials, and the most common AWS automation tasks.
Setup
Install the AWS Collection
```bash
ansible-galaxy collection install amazon.aws
pip install boto3 botocore
```
Configure AWS Credentials
```bash
# Option 1: AWS CLI credentials file (~/.aws/credentials)
aws configure

# Option 2: Environment variables
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-east-1
```
Or in your playbook:
```yaml
- hosts: localhost
  connection: local
  # Plain play vars are not handed to the AWS modules by themselves;
  # module_defaults injects the Vault-stored credentials into every
  # amazon.aws task in this play.
  module_defaults:
    group/aws:
      access_key: "{{ vault_aws_access_key }}"
      secret_key: "{{ vault_aws_secret_key }}"
      region: us-east-1
```
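Whichever option you use, a literal key that slips into a playbook or a shell history is exactly the failure Vault is meant to prevent. The following Python checker is an added example (not from the original article or the amazon.aws project) that scans playbook or shell text for literal access key IDs and secret keys while accepting `vault_*` template references; the key ID and secret in its constructed sample are AWS's published example credentials from the snippets above.

```python
import re
from typing import List, Tuple

# Long-term (AKIA) and temporary (ASIA) access key IDs: 4-char prefix + 16 uppercase alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret access key is 40 base64-ish characters; only flag it when it is assigned to a
# secret-named variable (YAML `key: value` or shell `KEY=value`) to limit false positives.
SECRET_ASSIGN_RE = re.compile(
    r"(?i)(aws_secret_access_key|aws_secret_key|secret_key)\s*[:=]\s*[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# A Jinja reference to a Vault-managed variable is the pattern the article recommends.
VAULT_TEMPLATE_RE = re.compile(r"\{\{\s*vault_\w+\s*\}\}")

def find_hardcoded_aws_credentials(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, value) for every literal AWS credential in `text`.
    Key IDs are returned whole (they are identifiers, not secrets); secrets are redacted
    to their first four characters so the report itself never leaks them."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if VAULT_TEMPLATE_RE.search(line):
            continue  # value is templated from Vault, not a literal
        if m := ACCESS_KEY_ID_RE.search(line):
            findings.append((lineno, "access_key_id", m.group(0)))
        if m := SECRET_ASSIGN_RE.search(line):
            findings.append((lineno, "secret_access_key", m.group(2)[:4] + "..."))
    return findings

# Constructed sample: the article's shell exports, a play that hardcodes the same values,
# then the Vault-based variant. The values are AWS's published example credentials.
SAMPLE = """\
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
- hosts: localhost
  vars:
    aws_access_key: AKIAIOSFODNN7EXAMPLE
    aws_secret_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
- hosts: localhost
  vars:
    aws_access_key: "{{ vault_aws_access_key }}"
    aws_secret_key: "{{ vault_aws_secret_key }}"
"""

if __name__ == "__main__":
    for lineno, kind, value in find_hardcoded_aws_credentials(SAMPLE):
        print(f"line {lineno}: hardcoded {kind} {value}")
```

Run it over `git diff --cached` output or your playbook directory as a pre-commit step; the Vault-templated play in the sample produces no findings.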
EC2 Instances
Launch an EC2 Instance
```yaml
- name: Launch EC2 instance
  amazon.aws.ec2_instance:
    name: web-server-01
    instance_type: t3.micro
    image_id: ami-0c55b159cbfafe1f0
    key_name: my-ssh-key
    vpc_subnet_id: subnet-0123456789abcdef0
    security_group: web-sg
    network:
      assign_public_ip: true
    tags:
      Environment: production
      App: webserver
    state: running
  register: ec2_result

- name: Show instance details
  ansible.builtin.debug:
    msg: "Instance {{ ec2_result.instances[0].instance_id }} at {{ ec2_result.instances[0].public_ip_address }}"
```
Stop/Start/Terminate Instances
```yaml
- name: Stop instance
  amazon.aws.ec2_instance:
    instance_ids: ["i-0123456789abcdef0"]
    state: stopped

- name: Terminate instance
  amazon.aws.ec2_instance:
    instance_ids: ["i-0123456789abcdef0"]
    state: absent
```
Dynamic Inventory (Auto-Discover EC2)
Create aws_ec2.yml:
```yaml
# inventory/aws_ec2.yml
plugin: amazon.aws.aws_ec2
regions:
  - us-east-1
  - eu-west-1
filters:
  tag:Environment: production
  instance-state-name: running
keyed_groups:
  - key: tags.App
    prefix: app
  - key: placement.region
    prefix: region
compose:
  ansible_host: public_ip_address
```
```bash
ansible-inventory -i inventory/aws_ec2.yml --list
ansible -i inventory/aws_ec2.yml all -m ping
```
S3 Buckets
```yaml
- name: Create S3 bucket
  amazon.aws.s3_bucket:
    name: "my-app-assets-{{ env }}"
    state: present
    versioning: true
    encryption: AES256
    tags:
      Environment: "{{ env }}"

- name: Upload file to S3
  amazon.aws.s3_object:
    bucket: my-app-assets-prod
    object: config/app.conf
    src: files/app.conf
    mode: put

- name: Download file from S3
  amazon.aws.s3_object:
    bucket: my-app-assets-prod
    object: backups/latest.tar.gz
    dest: /tmp/latest.tar.gz
    mode: get
```
VPC & Networking
```yaml
- name: Create VPC
  amazon.aws.ec2_vpc_net:
    name: app-vpc
    cidr_block: 10.0.0.0/16
    region: us-east-1
    tags:
      Environment: production
  register: vpc

- name: Create subnet
  amazon.aws.ec2_vpc_subnet:
    vpc_id: "{{ vpc.vpc.id }}"
    cidr: 10.0.1.0/24
    az: us-east-1a
    tags:
      Name: public-subnet-1a
  register: subnet

- name: Create security group
  amazon.aws.ec2_security_group:
    name: web-sg
    description: Web server security group
    vpc_id: "{{ vpc.vpc.id }}"
    rules:
      - proto: tcp
        ports: [80, 443]
        cidr_ip: 0.0.0.0/0
      - proto: tcp
        ports: [22]
        cidr_ip: 10.0.0.0/8
```
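The rules above open only 80/443 to the internet and keep SSH on the private range; to confirm that property before a play runs, here is an added Python example (not from the original article or the amazon.aws module) that audits an ec2_security_group `rules` list given as Python dicts. `PUBLIC_OK_PORTS`, `ADMIN_PORTS` and the constructed rule lists are assumptions for the demonstration.

```python
import ipaddress
from typing import Dict, Iterable, List

PUBLIC_OK_PORTS = {80, 443}  # a web tier normally exposes only these to the internet
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}  # never from 0.0.0.0/0

def _rule_ports(rule: Dict) -> List[int]:
    """Expand one ec2_security_group rule to the ports it opens: `ports: [80, "8000-8080"]`
    or from_port/to_port; proto -1/all (every port) is returned as the wildcard 0."""
    if str(rule.get("proto", "tcp")) in ("-1", "all"):
        return [0]
    if "ports" in rule:
        ports: List[int] = []
        for p in rule["ports"]:
            if isinstance(p, str) and "-" in p:
                lo, hi = (int(x) for x in p.split("-", 1))
                ports.extend(range(lo, hi + 1))
            else:
                ports.append(int(p))
        return ports
    return list(range(int(rule["from_port"]), int(rule["to_port"]) + 1))

def audit_ingress_rules(rules: Iterable[Dict]) -> List[str]:
    """One finding per (port, CIDR) pair that exposes a non-web port to 0.0.0.0/0.
    Only cidr_ip sources are examined; cidr_ipv6 and security-group sources are skipped."""
    findings: List[str] = []
    for rule in rules:
        cidrs = rule.get("cidr_ip", [])
        for cidr in ([cidrs] if isinstance(cidrs, str) else cidrs):
            if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
                continue  # scoped to a real network, not world-reachable
            for port in _rule_ports(rule):
                if port == 0:
                    findings.append(f"all ports open to {cidr}")
                elif port in ADMIN_PORTS:
                    findings.append(f"{ADMIN_PORTS[port]} ({port}) open to {cidr}")
                elif port not in PUBLIC_OK_PORTS:
                    findings.append(f"port {port} open to {cidr}")
    return findings

# Constructed sample input: the article's web-sg rules, then two risky rules added for contrast.
WEB_SG_RULES = [
    {"proto": "tcp", "ports": [80, 443], "cidr_ip": "0.0.0.0/0"},
    {"proto": "tcp", "ports": [22], "cidr_ip": "10.0.0.0/8"},
]
RISKY_RULES = WEB_SG_RULES + [
    {"proto": "tcp", "ports": [22], "cidr_ip": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 8000, "to_port": 8001, "cidr_ip": "0.0.0.0/0"},
]
```

`audit_ingress_rules(WEB_SG_RULES)` returns an empty list, while the risky set reports SSH and the 8000-8001 range as world-reachable.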
IAM
```yaml
- name: Create IAM user
  amazon.aws.iam_user:
    name: deploy-bot
    state: present
    tags:
      Purpose: CI/CD deployment

- name: Create IAM role
  amazon.aws.iam_role:
    name: ec2-s3-access
    assume_role_policy_document: "{{ lookup('file', 'trust-policy.json') }}"
    managed_policies:
      - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
    state: present
```
RDS Database
```yaml
- name: Create RDS PostgreSQL instance
  amazon.aws.rds_instance:
    db_instance_identifier: app-db-prod
    engine: postgres
    engine_version: "16.3"
    db_instance_class: db.t3.medium
    allocated_storage: 50
    master_username: dbadmin
    master_user_password: "{{ vault_rds_password }}"
    vpc_security_group_ids:
      - sg-0123456789abcdef0
    db_subnet_group_name: app-db-subnet-group
    multi_az: true
    backup_retention_period: 7
    tags:
      Environment: production
  # Task-level keyword: keeps the master password out of task output and logs
  no_log: true
```
Complete Infrastructure Playbook
```yaml
---
- name: Deploy full AWS infrastructure
  hosts: localhost
  connection: local
  vars_files:
    - "vars/aws-{{ env }}.yml"
    - vars/vault-aws.yml
  # Apply the region to every amazon.aws task once instead of repeating it
  module_defaults:
    group/aws:
      region: "{{ aws_region }}"

  tasks:
    - name: Create VPC
      amazon.aws.ec2_vpc_net:
        name: "{{ project }}-vpc"
        cidr_block: "{{ vpc_cidr }}"
      register: vpc

    - name: Create subnets
      amazon.aws.ec2_vpc_subnet:
        vpc_id: "{{ vpc.vpc.id }}"
        cidr: "{{ item.cidr }}"
        az: "{{ item.az }}"
        tags:
          Name: "{{ item.name }}"
      loop: "{{ subnets }}"
      register: subnet_results

    - name: Launch web servers
      amazon.aws.ec2_instance:
        name: "{{ project }}-web-{{ item }}"
        instance_type: "{{ instance_type }}"
        image_id: "{{ ami_id }}"
        key_name: "{{ ssh_key }}"
        # Place the web tier in the first subnet created above
        vpc_subnet_id: "{{ subnet_results.results[0].subnet.id }}"
        state: running
      loop: "{{ range(1, web_count + 1) | list }}"

    - name: Create S3 bucket for assets
      amazon.aws.s3_bucket:
        name: "{{ project }}-assets-{{ env }}"
        versioning: true
```
Key AWS Modules Reference
| Module | Purpose |
|--------|---------|
| amazon.aws.ec2_instance | Manage EC2 instances |
| amazon.aws.ec2_security_group | Security groups |
| amazon.aws.ec2_vpc_net | Create VPCs |
| amazon.aws.ec2_vpc_subnet | Create subnets |
| amazon.aws.s3_bucket | Manage S3 buckets |
| amazon.aws.s3_object | Upload/download S3 objects |
| amazon.aws.iam_user | Manage IAM users |
| amazon.aws.iam_role | Manage IAM roles |
| amazon.aws.rds_instance | Manage RDS databases |
| amazon.aws.route53 | Manage DNS records |
| amazon.aws.elb_application_lb | Application Load Balancers |
| amazon.aws.lambda_function | Lambda functions |
| amazon.aws.cloudformation | CloudFormation stacks |
FAQ
Can Ansible manage AWS resources?
Yes. Ansible uses the amazon.aws collection to manage 100+ AWS services including EC2, S3, VPC, IAM, RDS, Lambda, Route53, and CloudFormation. Install with ansible-galaxy collection install amazon.aws and pip install boto3.
What is the difference between Ansible and Terraform for AWS?
Ansible is primarily a configuration management and automation tool that can also provision AWS infrastructure. Terraform is purpose-built for infrastructure provisioning with state management. Many teams use Terraform for infrastructure and Ansible for configuration.
How does Ansible authenticate with AWS?
Ansible uses boto3 and supports AWS CLI credentials (~/.aws/credentials), environment variables (AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY), IAM roles (for EC2 instances), and SSO profiles.
Can I use Ansible dynamic inventory with AWS?
Yes. The amazon.aws.aws_ec2 inventory plugin auto-discovers running EC2 instances, groups them by tags, regions, or instance types, and provides connection details. No manual inventory maintenance needed.
Conclusion
Ansible provides comprehensive AWS automation through the amazon.aws collection. Use dynamic inventory for auto-discovery, Vault for credential security, and organize playbooks by service for maintainable infrastructure automation.
Related Articles