Ansible Playbooks

Want to use Ansible to deploy StackStorm? Look no further - here are the details on the Ansible playbooks and roles to install StackStorm. Perfect for repeatable, configurable, and idempotent production-friendly StackStorm installations.

The source code for all our playbooks is available as a GitHub repo: StackStorm/ansible-st2.

Supported Platforms

Our Ansible playbooks support the same platforms as manual installation, i.e.:

  • Ubuntu Bionic (18.04)

  • Ubuntu Focal (20.04)

  • RHEL 7/CentOS 7

  • RHEL 8/RockyLinux 8/CentOS 8


StackStorm is verified on RHEL/RockyLinux 8.x distributions, but our RPMs should be compatible with other RHEL 8.x derivatives, e.g. CentOS 8 Stream.

The same system size requirements also apply.

Quick Start

To get started with a single node deployment, and default configuration settings, run these commands:

git clone https://github.com/StackStorm/ansible-st2
cd ansible-st2

ansible-playbook stackstorm.yml


Please keep in mind that the default StackStorm login credentials are testu:testp. Don’t forget to change them to something more secure.


Behind the scenes the stackstorm.yml play is composed of the following Ansible roles for a complete installation:

  • epel - Repository with extra packages for RHEL/RockyLinux/CentOS.

  • mongodb - Main DB storage engine.

  • rabbitmq - Message broker.

  • st2repos - Adds StackStorm PackageCloud repositories.

  • st2 - Install and configure StackStorm itself. This includes LDAP and RBAC in StackStorm >= 3.4, however these features will not be enabled by default.

  • nginx - Dependency for st2web.

  • st2web - Nice & shiny WebUI for StackStorm. This includes Workflow Designer in StackStorm >= 3.4.

  • nodejs - Dependency for st2chatops.

  • st2chatops - Install and configure st2chatops for hubot adapter integration with StackStorm.

  • st2smoketests - Simple checks to see if StackStorm is working.

For StackStorm versions earlier than 3.3, Extreme Networks provided a commercial version of the StackStorm automation platform (EWC). EWC contained advanced features like RBAC, LDAP and the Workflow Designer. Since StackStorm 3.4, RBAC and LDAP are core features of StackStorm itself, and the FlowUI, as part of st2web, replaces the Workflow Designer. Therefore, the ewc role is no longer supported, and the LDAP and RBAC backends are now configured and deployed via the st2 role. The FlowUI does not require any configuration.

Example Play

Here’s a more advanced example showing how to customize your StackStorm deployment:

- name: Install StackStorm with all services on a single node
  hosts: all
  roles:
    - mongodb
    - rabbitmq
    - nginx
    - nodejs

    - name: Install StackStorm Packagecloud repository
      role: st2repo
      vars:
        st2repo_name: stable

    - name: Install and configure st2
      role: st2
      vars:
        st2_version: latest
        st2_auth_enable: yes
        # Default credentials; change them for anything beyond a test install
        st2_auth_username: testu
        st2_auth_password: testp
        st2_save_credentials: yes
        st2_system_user: stanley
        st2_system_user_in_sudoers: yes
        # Dict to edit
        st2_config: {}

    - name: Install st2web
      role: st2web

    - name: Install st2chatops with "slack" hubot adapter
      role: st2chatops
      vars:
        st2chatops_version: latest
        st2chatops_st2_api_key: CHANGE-ME-PLEASE # (optional) This can be generated using "st2 apikey create -k"
        st2chatops_hubot_adapter: slack

    - name: Verify StackStorm Installation
      role: st2smoketests

Check out the full list of Variables.

Custom SSL Certificate for st2web

By default we generate a self-signed certificate for nginx in the st2web role. If you have your own properly signed certificate, you can use that instead:

- name: Configure st2web with custom SSL certificate
  role: st2web
  vars:
    st2web_ssl_certificate: "{{ lookup('file', 'local/path/to/domain-name.crt') }}"
    st2web_ssl_certificate_key: "{{ lookup('file', 'local/path/to/domain-name.key') }}"

Installing Behind a Proxy

If you are installing from behind a proxy, you can use the environment variables http_proxy, https_proxy, and no_proxy. They will be passed through during the execution.

- name: Install st2
  hosts: all
  roles:
    - st2

Enabling LDAP Authentication and Adding RBAC Configuration

By default LDAP authentication & RBAC are disabled. You can enable and configure these features via the StackStorm.st2 role to allow/restrict/limit StackStorm functionality to specific users:

- name: Install and configure st2 with enabled LDAP authentication and RBAC
  role: st2
  vars:
    st2_version: latest
    st2_auth_enable: yes
    st2_auth_username: testu
    st2_auth_password: testp
    st2_save_credentials: yes
    st2_system_user: stanley
    st2_system_user_in_sudoers: yes
    # Dict to edit
    st2_config: {}
    st2_ldap_enable: yes
    st2_ldap:
      # Configure the LDAP connection and query attributes
      backend_kwargs:
        bind_dn: "cn=Administrator,cn=users,dc=change-you-org,dc=net"
        bind_password: "foobar123"
        base_ou: "dc=example,dc=net"
        group_dns:
          - "CN=stormers,OU=groups,DC=example,DC=net"
        host: ldap.example.net  # placeholder: your LDAP server
        port: 389
        id_attr: "samAccountName"
    st2_rbac_enable: yes
    st2_rbac:
      # Define roles and permissions
      roles:
        - name: core_local_only
          description: "This role has access only to action core.local in pack 'core'"
          enabled: true
          permission_grants:
            - resource_uid: "action:core:local"
              permission_types:
                - action_execute
                - action_view
            - permission_types:
                - runner_type_list
      # Assign roles to specific users
      assignments:
        - name: test_user
          roles:
            - core_local_only
        - name: stanley
          roles:
            - admin
        - name: chuck_norris
          roles:
            - system_admin
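
The plays on this page carry the testu:testp login, the CHANGE-ME-PLEASE API key and the LDAP bind password inline, and talk to LDAP on cleartext port 389. The following is an added example, not part of the ansible-st2 repository, that sources the same variables from an Ansible Vault-encrypted vars file and moves the LDAP connection to LDAPS. The file name vault/st2.yml, the vault_* variable names, the st2admin and st2-bind accounts, the host name and the CA path are assumptions; the st2_ldap/backend_kwargs nesting and the use_ssl and cacert backend options should be checked against the role and LDAP backend version you deploy.

```yaml
# Added example; vault/st2.yml and the vault_* names are hypothetical.
# Create the encrypted file with: ansible-vault create vault/st2.yml
# and define vault_st2_auth_password, vault_st2chatops_api_key and
# vault_ldap_bind_password inside it.
- name: Install StackStorm with secrets kept out of the play
  hosts: all
  vars_files:
    - vault/st2.yml
  roles:
    - mongodb
    - rabbitmq
    - nginx
    - nodejs

    - name: Install StackStorm Packagecloud repository
      role: st2repo
      vars:
        st2repo_name: stable

    - name: Install and configure st2
      role: st2
      vars:
        st2_auth_enable: yes
        st2_auth_username: st2admin   # hypothetical, replaces the default testu
        st2_auth_password: "{{ vault_st2_auth_password }}"
        st2_ldap_enable: yes
        st2_ldap:
          backend_kwargs:
            # Hypothetical read-only service account instead of Administrator
            bind_dn: "cn=st2-bind,ou=service,dc=example,dc=net"
            bind_password: "{{ vault_ldap_bind_password }}"
            base_ou: "dc=example,dc=net"
            group_dns:
              - "CN=stormers,OU=groups,DC=example,DC=net"
            host: ldap.example.net    # placeholder
            port: 636                 # LDAPS rather than cleartext 389
            use_ssl: true
            cacert: /etc/ssl/certs/example-ca.pem   # placeholder path
            id_attr: "samAccountName"

    - name: Install st2web
      role: st2web

    - name: Install st2chatops with "slack" hubot adapter
      role: st2chatops
      vars:
        st2chatops_st2_api_key: "{{ vault_st2chatops_api_key }}"
        st2chatops_hubot_adapter: slack
```

Run the play with ansible-playbook and the --ask-vault-pass option so the vars file can be decrypted at run time.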


Please refer to the StackStorm/ansible-st2 GitHub repo for updates and more detailed examples, descriptions and code. If you’re familiar with Ansible, and think you’ve found a bug, or would like to propose a feature or pull request, your contributions are very welcome!