Hi,

Not sure if this question belongs here or on the ansible_development list, but let me start here.

Do Ansible AWS modules support STS.assume_role <http://boto.readthedocs.org/en/latest/ref/sts.html> to obtain temporary credentials and use them to sign API requests for multiple accounts?

Use case:
* pre-condition: multiple AWS accounts have a role with a trust relationship with the instance hosting Ansible
* Invoke ec2, ec2_ami, rds, s3 or any other AWS cloud Ansible module targeting resources in multiple AWS accounts (using temporary credentials obtained from STS assume_role for each account)

For example, snapshot all the volumes for all the instances tagged with 'prod' in all of my AWS accounts (using trust relationships and not using a bunch of AWS credentials lying around the file system).

With straight boto this would look something like this:

    import boto

    accounts = ['111111111111', '222222222222']  # placeholder AWS account IDs

    stsConn = boto.connect_sts()
    for account in accounts:
        # Obtain temporary credentials for the role in this account
        role = stsConn.assume_role('arn:aws:iam::%s:role/MyRole' % account, 'mySession')
        ec2conn = boto.connect_ec2(aws_access_key_id=role.credentials.access_key,
                                   aws_secret_access_key=role.credentials.secret_key,
                                   security_token=role.credentials.session_token)
        # ec2conn.do_something()
        s3conn = boto.connect_s3(aws_access_key_id=role.credentials.access_key,
                                 aws_secret_access_key=role.credentials.secret_key,
                                 security_token=role.credentials.session_token)
        # s3conn.do_something()
        ## etc for other AWS resources

Basically, is it possible to insert "assume_role" before a module calls "connect", and do it for multiple accounts?

Thanks in advance,
-Boris
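
Added example, not part of the original post and not Ansible's or boto's own code: the per-account pattern the post describes, written against the boto3 STS assume_role call rather than the boto calls shown above, with one assume_role per account reused for every service client until shortly before expiry and the credentials held in memory only. RoleSessionCache, FakeSTS and the 5-minute margin are hypothetical names and values, and FakeSTS is a constructed stand-in so the block runs offline.

```python
import datetime as dt
import re

REFRESH_MARGIN = dt.timedelta(minutes=5)  # assumption: renew 5 minutes before expiry


class RoleSessionCache:
    """One set of temporary credentials per account, held in memory only."""

    def __init__(self, sts_client, role_name, session_name, clock=None):
        self._sts = sts_client  # e.g. boto3.client("sts") on the Ansible host
        self._role_name = role_name
        self._session_name = session_name
        self._clock = clock or (lambda: dt.datetime.now(dt.timezone.utc))
        self._cache = {}  # account ID -> "Credentials" dict returned by STS

    def credentials(self, account_id):
        # The ARN is built by string formatting, so accept only 12-digit IDs.
        if not re.fullmatch(r"\d{12}", account_id):
            raise ValueError("not an AWS account ID: %r" % (account_id,))
        creds = self._cache.get(account_id)
        if creds is None or creds["Expiration"] - self._clock() < REFRESH_MARGIN:
            arn = "arn:aws:iam::%s:role/%s" % (account_id, self._role_name)
            resp = self._sts.assume_role(RoleArn=arn,
                                         RoleSessionName=self._session_name)
            creds = self._cache[account_id] = resp["Credentials"]
        return creds

    def client_kwargs(self, account_id):
        """Keyword arguments for boto3.client() / boto3.resource()."""
        c = self.credentials(account_id)
        return {"aws_access_key_id": c["AccessKeyId"],
                "aws_secret_access_key": c["SecretAccessKey"],
                "aws_session_token": c["SessionToken"]}


class FakeSTS:
    """Constructed stand-in for an STS client so the example runs offline."""

    def __init__(self, clock, lifetime=dt.timedelta(hours=1)):
        self.clock, self.lifetime, self.calls = clock, lifetime, []

    def assume_role(self, RoleArn, RoleSessionName):
        self.calls.append(RoleArn)
        n = len(self.calls)
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE%d" % n,
                                "SecretAccessKey": "constructed-secret-%d" % n,
                                "SessionToken": "constructed-token-%d" % n,
                                "Expiration": self.clock() + self.lifetime}}
```

With a real client, pass boto3.client("sts") as sts_client and build each service client as boto3.client("ec2", **cache.client_kwargs(account)).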
