Integrations/Ansible

Deploy packages to your hosts with Ansible and Cloudsmith

Ansible is an open-source IT automation tool for configuration management, application deployment, and infrastructure orchestration. Cloudsmith gives your Ansible playbooks a secure, centralized source of truth for every package they deploy - with fine-grained access control, entitlement tokens, and full audit logging built in.

How we support Ansible

Cloudsmith integrates directly with Ansible playbooks as a secure, managed artifact source. Your playbooks pull verified packages from Cloudsmith repositories instead of unpredictable public upstreams.
    Multi-format package delivery
    Serve Debian, RPM, and other package formats directly from Cloudsmith repositories. Use Ansible modules like apt, yum, and yum_repository to configure hosts against your Cloudsmith repos in a single playbook.
    Secure entitlement tokens
    Authenticate Ansible playbooks using scoped entitlement tokens or service account API keys. Tokens can be rotated, revoked, and scoped to specific repositories without updating every playbook.
    GPG-signed packages
    Every package stored in Cloudsmith is GPG-signed on upload. Ansible's apt_key and yum_repository modules verify the signature automatically, giving you integrity guarantees on every deployed artifact.
    Upstream proxying and caching
    Proxy and cache packages from public registries through Cloudsmith. Your playbooks always pull from a stable, controlled source - insulating your infrastructure from upstream outages or unexpected removals.
    Full audit and download logs
    Every package download triggered by an Ansible playbook is recorded in Cloudsmith's audit and client logs. Trace exactly which host pulled which version, and when - giving you a complete provenance trail.

Why teams integrate Cloudsmith with Ansible

Without a controlled artifact source, Ansible-managed infrastructure is only as reliable as the public registries it depends on. Cloudsmith gives every playbook a consistent, secure, and fully auditable package source.
Without CloudsmithPlaybooks pull packages directly from public registries. Upstream changes, removals, or outages cause failed deployments across hundreds of hosts with no warning.
With CloudsmithCloudsmith acts as a controlled proxy and cache for all upstream packages. Your playbooks always resolve to a stable, vetted version - even if the public source disappears.
Without CloudsmithAuthentication to private artifact sources relies on long-lived credentials embedded in playbooks or inventory files - a security risk that is difficult to rotate at scale.
With CloudsmithCloudsmith entitlement tokens and service account API keys are scoped, revocable, and independent of individual playbooks. Rotate credentials once in Cloudsmith without touching your automation code.
Without CloudsmithThere is no record of which Ansible run installed which package version on which host. Debugging configuration drift or a security incident means trawling through distributed logs manually.
With CloudsmithEvery download from Cloudsmith is logged with timestamp, host identity, and package version. You get a single audit trail covering all Ansible-driven deployments across your entire fleet.

Frequently asked questions

  1. Use the apt_key and apt_repository modules for Debian-based systems, or the yum_repository module for RPM-based systems. Point them at your Cloudsmith repository URL with your entitlement token or API key embedded for authentication. You can then use the apt or yum module to install packages from that repository.

  2. Cloudsmith supports entitlement tokens (embeddable in repository URLs), API key-based HTTP Basic Auth via service accounts, and token-based authentication. Service accounts are the recommended approach for Ansible automation - they can be scoped to specific repositories and revoked without affecting other integrations.

  3. Yes. Cloudsmith repositories are multi-format and support Debian, RPM, and many other formats in the same repository. You can configure Ansible playbooks for both apt-based and yum-based hosts against the same Cloudsmith workspace.

  4. Store your Cloudsmith API key or entitlement token in Ansible Vault, which encrypts secrets at rest and allows them to be committed safely alongside your playbooks. You can also use Cloudsmith service accounts with scoped tokens so that each automation context only has access to the repositories it needs.

  5. Yes. Cloudsmith GPG-signs packages on upload, and the signing key is available via a dedicated URL in your repository. You reference this URL in the apt_key or yum_repository module configuration so Ansible verifies package integrity automatically before installation.

  6. Yes. Cloudsmith upstream proxying lets you mirror and cache packages from public sources like PyPI, APT archives, or RPM repositories. Your Ansible playbooks resolve against Cloudsmith, protecting your deployments from upstream outages, unexpected removals, or supply chain compromises.

  7. Every download from a Cloudsmith repository is recorded in the client log, capturing the package name, version, timestamp, and the credential used. This gives you a full record of every Ansible-driven deployment without requiring any additional tooling.

  8. Yes. You can reference specific versions in your Ansible tasks and rely on Cloudsmith's package retention policies to ensure those versions remain available. Cloudsmith also supports package promotion across environments (dev, staging, production), so you can align exactly which version your playbooks consume at each stage.

  9. Yes. Cloudsmith works with any environment that runs Ansible playbooks, including Ansible Tower and the Red Hat Ansible Automation Platform. Configure your repository credentials once in the platform's credential store and reference them in your playbooks as normal.

  10. Full documentation including module examples for apt, yum, and yum_repository configuration is available at docs.cloudsmith.com. The docs cover public and private repository setup, GPG key configuration, and authentication options for both entitlement tokens and service accounts.

Integrations

Discover more Cloudsmith Integrations