Here is my "solution" at the moment. Hoping to find something more 
elegant...

  tasks:
  # Obtain temporary credentials for the target account's role
  - shell: aws sts assume-role --role-arn "arn:aws:iam::XXXXXXXXXXXX:role/myRole" --role-session-name mySession
    register: role

  # Pull the three credential fields out of the CLI's JSON output
  - set_fact:
      accessKeyId: "{{ (role.stdout | from_json).Credentials.AccessKeyId }}"
      secretAccessKey: "{{ (role.stdout | from_json).Credentials.SecretAccessKey }}"
      sessionToken: "{{ (role.stdout | from_json).Credentials.SessionToken }}"

  # Hand the temporary credentials to the AWS module for this task only
  - ec2_tag: resource=i-XXXXXXXX region=us-west-1 state=present
    args:
      aws_access_key: "{{ accessKeyId }}"
      aws_secret_key: "{{ secretAccessKey }}"
      security_token: "{{ sessionToken }}"
      tags:
        Name: myInstanceName

Thoughts? Would it make sense to have a module doing this?

-Boris

On Monday, December 22, 2014 5:03:00 PM UTC-8, Boris wrote:
>
> Hi,
> Not sure if this question belongs here or on the ansible_development list, 
> but let me start here.
>
> Do Ansible AWS modules support STS.assume_role 
> <http://boto.readthedocs.org/en/latest/ref/sts.html> to obtain temporary 
> credentials and use them to sign API requests for multiple accounts?
>
> Use case:
> * pre-condition: multiple AWS accounts have a role with trust relationship 
> with instance hosting Ansible
> * Invoke ec2, ec2_ami, rds, s3 or any other AWS cloud Ansible module 
> targeting resources in multiple AWS accounts (using temporary credentials 
> obtained from STS assume_role for each account)
> For example, snapshot all the volumes for all the instances tagged with 
> 'prod' in all of my AWS accounts (using trust relationships and not using a 
> bunch of AWS credentials laying around file system)
>
> with straight boto this would look something like this:
>
> import boto
> stsConn = boto.connect_sts()
> for account in accounts:
>     role = stsConn.assume_role('arn:aws:iam::%s:role/MyRole' % account, 'mySession')
>     ec2conn = boto.connect_ec2(aws_access_key_id=role.credentials.access_key,
>                                aws_secret_access_key=role.credentials.secret_key,
>                                security_token=role.credentials.session_token)
>     #ec2conn.do_something()
>     s3conn = boto.connect_s3(aws_access_key_id=role.credentials.access_key,
>                              aws_secret_access_key=role.credentials.secret_key,
>                              security_token=role.credentials.session_token)
>     #s3conn.do_something()
>     ## etc for other AWS resources
>
>
> Basically, is it possible to insert "assume_role" before a module calls 
> "connect", and do it for multiple accounts?
>
> Thanks in advance,
> -Boris
>
>
>
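
Added example, not code from Boris's post: a Python helper that parses the JSON `aws sts assume-role` prints, checks `Expiration` before the temporary credentials are handed to a module, and repeats that per account through an injectable `assume` callable (the default shells out to the aws CLI like the shell task above). The sample JSON and account ids are constructed.

```python
import json
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample of what `aws sts assume-role` prints (all values fake).
SAMPLE_STS_JSON = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID", "SecretAccessKey": "exampleSecretKey",
    "SessionToken": "exampleSessionToken", "Expiration": "2099-01-01T00:00:00Z"}})
# Same shape, but already expired: must be rejected, not passed to a module.
EXPIRED_STS_JSON = SAMPLE_STS_JSON.replace("2099-01-01", "2014-12-22")


def run_assume_role(role_arn, session_name):
    """Real runner: shell out to the aws CLI exactly as the playbook's shell task does."""
    out = subprocess.check_output(["aws", "sts", "assume-role", "--role-arn", role_arn,
                                   "--role-session-name", session_name])
    return out.decode()


def creds_to_module_args(sts_json, now=None, min_remaining=timedelta(minutes=5)):
    """Map STS output onto the aws_access_key/aws_secret_key/security_token args the
    ec2_tag task uses, refusing credentials that expire within min_remaining."""
    creds = json.loads(sts_json)["Credentials"]
    # The CLI prints Expiration as ISO 8601; older versions end it with "Z".
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    if expires - now < min_remaining:
        raise ValueError("credentials expire at %s; refusing to use them" % expires.isoformat())
    return {"aws_access_key": creds["AccessKeyId"],
            "aws_secret_key": creds["SecretAccessKey"],
            "security_token": creds["SessionToken"]}


def is_usable(sts_json, now=None):
    """True if creds_to_module_args would accept this STS output."""
    try:
        creds_to_module_args(sts_json, now=now)
        return True
    except ValueError:
        return False


def per_account_args(accounts, role_name, session_name, assume=run_assume_role):
    """One temporary credential set per account, held only in memory (never a file).
    `assume` is injectable so the loop can be exercised without calling AWS."""
    return {acct: creds_to_module_args(assume("arn:aws:iam::%s:role/%s" % (acct, role_name),
                                              session_name))
            for acct in accounts}
```

The playbook's shell and set_fact tasks would also want `no_log: true` so the secret key and session token stay out of the Ansible output and logs.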

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/80093c01-9c0c-4b24-8376-f152e23d5164%40googlegroups.com.