---
title: "Ansible Integration | Cloudsmith"
description: "Connect Ansible to Cloudsmith to deploy packages from secure, centralized repositories. Fine-grained access control, entitlement tokens, and full audit logging included."
canonical_url: "https://cloudsmith.com/product/integrations/ansible"
last_updated: "2026-05-07T10:39:00Z"
---
# Ansible Integration | Cloudsmith

## Deploy packages to your hosts with **Ansible** and Cloudsmith

Ansible is an open-source IT automation tool for configuration management, application deployment, and infrastructure orchestration. Cloudsmith gives your Ansible playbooks a secure, centralized source of truth for every package they deploy - with fine-grained access control, entitlement tokens, and full audit logging built in.

Product / Integrations

## Ansible Integration

Ansible is an open-source IT automation tool for configuring, deploying, and managing applications and infrastructure. It uses a declarative language to describe system configurations and automate tasks, making it a popular choice for IT operations and DevOps teams.

## How we support **Ansible**

Cloudsmith integrates directly with Ansible playbooks as a secure, managed artifact source. Your playbooks pull verified packages from Cloudsmith repositories instead of unpredictable public upstreams.

[Read our Ansible documentation](https://docs.cloudsmith.com/integrations/integrating-with-ansible)

### Multi-format package delivery

Serve Debian, RPM, and other package formats directly from Cloudsmith repositories. Use Ansible modules like apt, yum, and yum_repository to configure hosts against your Cloudsmith repos in a single playbook.

### Secure entitlement tokens

Authenticate Ansible playbooks using scoped entitlement tokens or service account API keys. Tokens can be rotated, revoked, and scoped to specific repositories without updating every playbook.

### GPG-signed packages

Every package stored in Cloudsmith is GPG-signed on upload. Ansible's apt_key and yum_repository modules verify the signature automatically, giving you integrity guarantees on every deployed artifact.

### Upstream proxying and caching

Proxy and cache packages from public registries through Cloudsmith. Your playbooks always pull from a stable, controlled source - insulating your infrastructure from upstream outages or unexpected removals.

### Full audit and download logs

Every package download triggered by an Ansible playbook is recorded in Cloudsmith's audit and client logs. Trace exactly which host pulled which version, and when - giving you a complete provenance trail.

## Why teams integrate Cloudsmith with **Ansible**

Without a controlled artifact source, Ansible-managed infrastructure is only as reliable as the public registries it depends on. Cloudsmith gives every playbook a consistent, secure, and fully auditable package source.

| Without Cloudsmith | With Cloudsmith |

| --- | --- |

| Playbooks pull packages directly from public registries. Upstream changes, removals, or outages cause failed deployments across hundreds of hosts with no warning. | Cloudsmith acts as a controlled proxy and cache for all upstream packages. Your playbooks always resolve to a stable, vetted version - even if the public source disappears. |

| Authentication to private artifact sources relies on long-lived credentials embedded in playbooks or inventory files - a security risk that is difficult to rotate at scale. | Cloudsmith entitlement tokens and service account API keys are scoped, revocable, and independent of individual playbooks. Rotate credentials once in Cloudsmith without touching your automation code. |

| There is no record of which Ansible run installed which package version on which host. Debugging configuration drift or a security incident means trawling through distributed logs manually. | Every download from Cloudsmith is logged with timestamp, host identity, and package version. You get a single audit trail covering all Ansible-driven deployments across your entire fleet. |

## Frequently asked questions

### How do I configure an Ansible playbook to install packages from Cloudsmith?

Use the apt_key and apt_repository modules for Debian-based systems, or the yum_repository module for RPM-based systems. Point them at your Cloudsmith repository URL with your entitlement token or API key embedded for authentication. You can then use the apt or yum module to install packages from that repository.

### What authentication methods does Cloudsmith support for Ansible?

Cloudsmith supports entitlement tokens (embeddable in repository URLs), API key-based HTTP Basic Auth via service accounts, and token-based authentication. Service accounts are the recommended approach for Ansible automation - they can be scoped to specific repositories and revoked without affecting other integrations.

### Can I use Cloudsmith with both Debian and RPM package deployments?

Yes. Cloudsmith repositories are multi-format and support Debian, RPM, and many other formats in the same repository. You can configure Ansible playbooks for both apt-based and yum-based hosts against the same Cloudsmith workspace.

### How do I keep credentials secure when using Ansible with Cloudsmith?

Store your Cloudsmith API key or entitlement token in Ansible Vault, which encrypts secrets at rest and allows them to be committed safely alongside your playbooks. You can also use Cloudsmith service accounts with scoped tokens so that each automation context only has access to the repositories it needs.

### Does Cloudsmith support GPG verification for packages installed via Ansible?

Yes. Cloudsmith GPG-signs packages on upload, and the signing key is available via a dedicated URL in your repository. You reference this URL in the apt_key or yum_repository module configuration so Ansible verifies package integrity automatically before installation.

### Can Cloudsmith proxy public package registries for Ansible?

Yes. Cloudsmith upstream proxying lets you mirror and cache packages from public sources like PyPI, APT archives, or RPM repositories. Your Ansible playbooks resolve against Cloudsmith, protecting your deployments from upstream outages, unexpected removals, or supply chain compromises.

### How do I audit which packages Ansible deployed across my fleet?

Every download from a Cloudsmith repository is recorded in the client log, capturing the package name, version, timestamp, and the credential used. This gives you a full record of every Ansible-driven deployment without requiring any additional tooling.

### Can I pin specific package versions in my Ansible playbooks using Cloudsmith?

Yes. You can reference specific versions in your Ansible tasks and rely on Cloudsmith's package retention policies to ensure those versions remain available. Cloudsmith also supports package promotion across environments (dev, staging, production), so you can align exactly which version your playbooks consume at each stage.

### Does Cloudsmith work with Ansible Tower or the Ansible Automation Platform?

Yes. Cloudsmith works with any environment that runs Ansible playbooks, including Ansible Tower and the Red Hat Ansible Automation Platform. Configure your repository credentials once in the platform's credential store and reference them in your playbooks as normal.

### Where can I find detailed setup instructions for the Cloudsmith and Ansible integration?

Full documentation including module examples for apt, yum, and yum_repository configuration is available at docs.cloudsmith.com. The docs cover public and private repository setup, GPG key configuration, and authentication options for both entitlement tokens and service accounts.
