Managing ECS Instances with Ansible Dynamic Inventory

By Anish Nath, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud’s incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

If your Alibaba Cloud Elastic Compute Service (ECS) inventory fluctuates over time, with hosts spinning up and shutting down in response to business demands, static inventory solutions will not serve your needs. You may need to track hosts from multiple sources, such as a CMDB or manual queries and compilation, along with other tedious tasks.

Ansible integrates all of these options via a dynamic external inventory system using Ansible Alicloud Module inventory scripts which can be found here

In this article we will learn how to:

  • Configure ECS Dynamic Scripts
  • Query ECS hosts
  • Integrate ECS with Ansible dynamic inventory
  • Use instance filters
  • Achieve security compliance using ECS dynamic scripts


There are two ways to install the Alicloud provider. Before installing it, make sure Ansible is installed on your server; if it is not, install it first.

Log in to your Alibaba Cloud ECS controller node or your managed node and install the following components:

Note: Make sure NTP is in sync; otherwise you will see API call failures.


You can specify your Alibaba Cloud authentication credentials (access key and secret key) by passing them as environment variables or by storing them in a vars file.

To pass authentication credentials as environment variables:

The RAM key associated with this account should have appropriate permission to query Alibaba Cloud resources. The granularity is to be determined by your system security professional; at minimum, the key should have AliyunECSReadOnlyAccess.

Inventory Script

Download the latest version of the Alibaba cloud dynamic inventory script and make it executable:

Download the sample Ansible Alibaba Cloud ECS dynamic inventory, modify it to suit your needs and copy it to /etc/ansible/alicloud.ini:

You can test the Alibaba Cloud dynamic inventory script manually to confirm it is working as expected:

After a few moments you should see some JSON output with information about your ECS instances.

Refreshing the Cache

Note that the Alibaba Cloud dynamic inventory script caches results to avoid repeated API calls. To explicitly clear the cache, you can run the (or hosts) script with the --refresh parameter:

To see the complete list of variables available for an instance, run the script by itself:

Once you confirm the dynamic inventory script is working as expected, you can tell Ansible to use the script as an inventory file, as illustrated below:

ECS Dynamic Inventory Script Configuration

The above example resulted in one host that is unreachable. When generating inventory, Ansible needs to know how to address an ECS instance. This is controlled through the ECS dynamic inventory script settings file, alicloud.ini, which maps instances into several groups:

  • Regions: A group of all instances in an ECS region, for example cn-beijing, eu-central-1, ap-southeast-1, us-east-1
  • Tags: Each instance can have a variety of key/value pairs associated with it, called tags. Each key/value pair is its own group of instances, again with special characters converted to underscores, in the format tag_TAGNAME
  • Host var: How the VM is to be queried

Edit the file alicloud.ini and change the hostname_variable

Run the script again

What about private VMs that do not have a public address? They can be managed by modifying the alicloud.ini file and changing the destination_variable to use private_ip_address.

The Ansible query below uses the ECS private address to manage the VM:


An ECS VM can be in one of five instance states: ['pending', 'running', 'starting', 'stopping', 'stopped']. By default, only ECS instances in the running state are returned. To control this, modify the alicloud.ini file and tune the setting according to your needs.
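The following added example (not the Alibaba Cloud inventory script itself, and not code from the original article) shows how the settings described above shape the JSON that Ansible consumes from an inventory script: region and tag groups, the destination_variable choice, and the instance state filter. The instance records, their field names, the `tag_KEY_VALUE` group naming and the `ecs_*` host variables are assumptions made for the illustration.

```python
import json
import re

# Constructed sample records; field names are assumptions for this example,
# not the Alibaba Cloud API response schema.
INSTANCES = [
    {"id": "i-aaa111", "region": "cn-beijing", "status": "running",
     "public_ip_address": "203.0.113.10", "private_ip_address": "10.0.0.10",
     "tags": {"env": "prod", "role": "web-front"}},
    {"id": "i-bbb222", "region": "cn-beijing", "status": "running",
     "public_ip_address": "", "private_ip_address": "10.0.0.11",
     "tags": {"env": "prod"}},
    {"id": "i-ccc333", "region": "us-east-1", "status": "stopped",
     "public_ip_address": "203.0.113.30", "private_ip_address": "10.1.0.30",
     "tags": {"env": "dev"}},
]


def to_safe(name):
    """Convert special characters in a tag group name to underscores."""
    return re.sub(r"[^A-Za-z0-9_]", "_", name)


def build_inventory(instances, destination_variable="public_ip_address",
                    states=("running",)):
    """Return (inventory, skipped): the `--list` structure and unmanaged ids."""
    inventory = {"_meta": {"hostvars": {}}}
    skipped = []
    for inst in instances:
        if inst["status"] not in states:
            continue  # state filter: only the listed states are returned
        address = inst.get(destination_variable)
        if not address:
            skipped.append(inst["id"])  # no usable address, host is unreachable
            continue
        groups = [inst["region"]]
        groups += [to_safe(f"tag_{k}_{v}") for k, v in inst["tags"].items()]
        for group in groups:
            inventory.setdefault(group, []).append(address)
        inventory["_meta"]["hostvars"][address] = {
            "ecs_id": inst["id"], "ecs_status": inst["status"]}
    return inventory, skipped


if __name__ == "__main__":
    inv, skipped = build_inventory(INSTANCES, "private_ip_address")
    print(json.dumps(inv, indent=2), "skipped:", skipped)
```

With the public address as destination, the instance without a public IP is reported as skipped; switching to private_ip_address brings it into the inventory.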

Security Compliance

The Ansible ECS dynamic inventory script is the right way to achieve security compliance in a dynamic cloud environment, because configuration can be pushed dynamically without maintaining a static inventory. For example, the cron job configuration below pushes an SSH profile to all running ECS servers every thirty minutes:

Refresh the cache every four hours through a cron job to keep the inventory list up to date. Tune it according to your needs.


  • Use of dynamic inventory is recommended when the ECS CMDB (Configuration Management Database) is dynamic and changes frequently (VMs scale up and down rapidly, or you manage a huge set of servers)
  • The Alibaba Cloud ECS dynamic scripts will always have the right IP address, even if it is changed manually (for example, an EIP assigned to a different VM)
  • Supplying Alibaba Cloud credentials in alicloud.ini is not recommended; using environment variables is strongly recommended
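One way to enforce the last recommendation is to audit the settings file before the inventory script is scheduled. This is an added example, not part of the original article or of the Alibaba Cloud tooling; the section and option names in the constructed sample file are assumptions, and the check matches on generic name hints rather than on a documented schema.

```python
import configparser
import os
import stat
import tempfile

SECRET_HINTS = ("access_key", "secret_key", "secret", "password", "token")


def audit_inventory_ini(path):
    """Return a list of findings for an inventory settings file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {mode:o} grants group/other access")
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)
    for section in parser.sections():
        for option, value in parser.items(section):
            if any(h in option.lower() for h in SECRET_HINTS) and value.strip():
                # Report the option name only, never the value itself.
                findings.append(f"[{section}] {option} holds a value")
    return findings


def demo():
    """Audit a constructed settings file (names are assumptions)."""
    text = ("[ecs]\nregions = cn-beijing\n"
            "destination_variable = private_ip_address\n"
            "[credentials]\nalicloud_access_key = EXAMPLEKEYID\n"
            "alicloud_secret_key =\n")
    with tempfile.NamedTemporaryFile("w", suffix=".ini", delete=False) as fh:
        fh.write(text)
    os.chmod(fh.name, 0o644)
    try:
        return audit_inventory_ini(fh.name)
    finally:
        os.unlink(fh.name)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

An empty result means the file carries no credential-like values and is readable only by its owner, which is the state to require before the cron jobs above are enabled.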

