diff --git a/ansible/cluster.yml b/ansible/cluster.yml
index 609d2faa39752b97aefdf0d0189ca3faecdd7635..a84fec61c96a8a1dfb4d973fc2ed0937bd20744d 100644
--- a/ansible/cluster.yml
+++ b/ansible/cluster.yml
@@ -8,3 +8,4 @@
     - { name: 'ldap_config', tags: 'ldap_config' }
     - { name: 'slurm_client', tags: 'slurm_client', when: enable_slurm_client }
     - { name: 'ssh_host_keys', tags: 'ssh_host_keys' }
+    - { name: 'ssh_proxy_config', tags: 'ssh_proxy_config', when: enable_ssh_proxy_config }
diff --git a/ansible/group_vars/all b/ansible/group_vars/all
index 78a9c64dd1c32f71b814c84c574a1a6f2e7532df..2e8fa6cc7a46824fefb6df6e46bd2d01767512e8 100644
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -42,3 +42,7 @@
 # AWS credentials
   LTS_ACCESS_KEY: ""
   LTS_SECRET_KEY: ""
+
+# ssh proxy
+  enable_ssh_proxy_config: false
+  sshpiper_dest_dir: "/opt/sshpiper"
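Review bot: `target_groups` gets no default next to the two variables added here, although the new sshpiperd.yaml.j2 template iterates over it and this commit defines it only in group_vars/prod. Setting `enable_ssh_proxy_config: true` for any other inventory would then fail at template render time with an undefined-variable error instead of a clear message. Either document here that `target_groups` must be supplied per environment, e.g. `# requires target_groups (see group_vars/prod)`, or start the role with an `ansible.builtin.assert` that it is defined and non-empty.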
diff --git a/ansible/group_vars/prod b/ansible/group_vars/prod
index 7c7964e651ecc4989d6bedcabc6db42feeb35914..5c694d2616f0e716ec537662469d9c7ec307d2ff 100644
--- a/ansible/group_vars/prod
+++ b/ansible/group_vars/prod
@@ -17,3 +17,8 @@
   bright_openldap_path: "/cm/local/apps/openldap"
   ldap_cert_path: "{{bright_openldap_path}}/etc/certs"
   ldap_uri: "ldaps://ldapserver"
+
+  # proxy_config
+  target_groups:
+    - {"name": "gpfs5", "host": "login002", "default": False, "authorized_keys":"/gpfs5/data/user/home/$DOWNSTREAM_USER/.ssh/authorized_keys", "private_key":"/gpfs5/data/user/home/$DOWNSTREAM_USER/.ssh/id_ecdsa"}
+    - {"name": "gpfs4", "host": "login001", "default": True, "authorized_keys":"/gpfs4/data/user/home/$DOWNSTREAM_USER/.ssh/authorized_keys", "private_key":"/gpfs4/data/user/home/$DOWNSTREAM_USER/.ssh/id_ecdsa"}
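Review bot: Both `private_key` values point into the connecting user's own home directory (`.../home/$DOWNSTREAM_USER/.ssh/id_ecdsa`), so sshpiperd must be able to read every user's private key, and the proxy host becomes one place from which all of those keys can be read. If that is the intended design, a comment above `target_groups` should say which account sshpiperd runs as and what permissions those key files need; otherwise a proxy-owned key per target, kept outside user homes, would narrow the exposure. Separately, `False`/`True` should be written `false`/`true`, and the two entries would read and diff better as block mappings than as long JSON-style flow mappings. The template in this commit also assumes exactly one entry has `default: true`, which nothing here enforces.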
diff --git a/ansible/roles/ssh_proxy_config/tasks/main.yml b/ansible/roles/ssh_proxy_config/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d3ec3bd59c405a5d1e4c0c85cab45ec9d8c6b9ca
--- /dev/null
+++ b/ansible/roles/ssh_proxy_config/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+- name: Configure sshpiper yaml plugin
+  ansible.builtin.template:
+    src: sshpiperd.yaml.j2
+    dest: "{{ sshpiper_dest_dir }}/sshpiperd.yaml"
+    backup: true
+
+- name: Enable and start sshpiper service
+  ansible.builtin.service:
+    name: sshpiperd
+    enabled: true
+    state: restarted
+
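Review bot: The template task sets no `owner`, `group` or `mode`, so the rendered sshpiperd.yaml and the copies kept by `backup: true` get whatever the umask yields. This file decides where every proxied login is routed and which key files are used, so pin it, e.g. `mode: "0600"` with the owner set to the account sshpiperd runs as. The service task uses `state: restarted`, which restarts the proxy on every play run even when nothing changed and will presumably interrupt proxied sessions. Using `state: started` there and `notify: Restart sshpiperd` on the template task, with a matching handler, restarts only when the config actually changes.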
diff --git a/ansible/roles/ssh_proxy_config/templates/sshpiperd.yaml.j2 b/ansible/roles/ssh_proxy_config/templates/sshpiperd.yaml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..4597108b3d5c3416d8edb38159dda0f37432a1b9
--- /dev/null
+++ b/ansible/roles/ssh_proxy_config/templates/sshpiperd.yaml.j2
@@ -0,0 +1,28 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/tg123/sshpiper/master/plugin/yaml/schema.json
+version: "1.0"
+pipes:
+{% for group in target_groups %}
+{% if not group.default %}
+- from:
+    - groupname: "{{ group.name }}"
+      authorized_keys: "{{ group.authorized_keys }}"
+  to:
+    host: "{{ group.host }}"
+    ignore_hostkey: true
+    private_key: "{{ group.private_key }}"
+- from:
+    - groupname: "{{ group.name }}"
+  to:
+    host: "{{ group.host }}"
+    ignore_hostkey: true
+{% else %}
+- from:
+    - username: ".*" # catch all
+      username_regex_match: true
+      authorized_keys: "{{ group.authorized_keys }}"
+  to:
+    host: "{{ group.host }}"
+    ignore_hostkey: true
+    private_key: "{{ group.private_key }}"
+{% endif %}
+{% endfor %}
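Review bot: Every `to:` block sets `ignore_hostkey: true`, so the proxy never verifies the upstream host key before forwarding the session and, on the key-based pipes, before authenticating with the user's `private_key`. Anything able to answer as the configured `host` on that network would be accepted. The sshpiper yaml plugin accepts a `known_hosts` path under `to:`, so each block could carry `known_hosts: "<path-to-known_hosts>"` (placeholder) in place of `ignore_hostkey: true`; the `ssh_host_keys` role in cluster.yml may already provide the data (inferred from its name; confirm). Also, the catch-all `username: ".*"` pipe is emitted wherever the default entry sits in `target_groups`; if pipes are matched in order (verify against sshpiper), a default listed first would shadow the group pipes, so rendering it after the loop would be safer.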