Has somebody solved this? Is the proposed solution given by Boris the only way to do that?
Thanks in advance.

On Tue, Dec 23, 2014 at 2:19 PM, Boris <[email protected]> wrote:
> Here is my "solution" at the moment. Hoping to find something more
> elegant...
>
> tasks:
>   - shell: aws sts assume-role --role-arn "arn:aws:iam::XXXXXXXXXXXX:role/myRole" --role-session-name mySession
>     register: role
>
>   - set_fact:
>       accessKeyId: "{{ (role.stdout | from_json).Credentials.AccessKeyId }}"
>       secretAccessKey: "{{ (role.stdout | from_json).Credentials.SecretAccessKey }}"
>       sessionToken: "{{ (role.stdout | from_json).Credentials.SessionToken }}"
>
>   - ec2_tag: resource=i-XXXXXXXX region=us-west-1 state=present
>     args:
>       aws_access_key: "{{ accessKeyId }}"
>       aws_secret_key: "{{ secretAccessKey }}"
>       security_token: "{{ sessionToken }}"
>       tags:
>         Name: myInstanceName
>
> Thoughts? Would it make sense to have a module doing this?
>
> -Boris
>
> On Monday, December 22, 2014 5:03:00 PM UTC-8, Boris wrote:
>> Hi,
>> Not sure if this question belongs here or on the ansible_development
>> list, but let me start here.
>>
>> Do Ansible AWS modules support STS.assume_role
>> <http://boto.readthedocs.org/en/latest/ref/sts.html> to obtain temporary
>> credentials and use them to sign API requests for multiple accounts?
>>
>> Use case:
>> * pre-condition: multiple AWS accounts have a role with a trust
>>   relationship with the instance hosting Ansible
>> * Invoke ec2, ec2_ami, rds, s3 or any other AWS cloud Ansible module
>>   targeting resources in multiple AWS accounts (using temporary credentials
>>   obtained from STS assume_role for each account)
>> For example, snapshot all the volumes for all the instances tagged with
>> 'prod' in all of my AWS accounts (using trust relationships and not using a
>> bunch of AWS credentials lying around the file system)
>>
>> with straight boto this would look something like this:
>>
>> import boto
>> stsConn = boto.connect_sts()
>> for account in accounts:
>>     role = stsConn.assume_role('arn:aws:iam::%s:role/MyRole' % account, 'mySession')
>>     ec2conn = boto.connect_ec2(aws_access_key_id=role.credentials.access_key,
>>                                aws_secret_access_key=role.credentials.secret_key,
>>                                security_token=role.credentials.session_token)
>>     # ec2conn.do_something()
>>     s3conn = boto.connect_s3(aws_access_key_id=role.credentials.access_key,
>>                              aws_secret_access_key=role.credentials.secret_key,
>>                              security_token=role.credentials.session_token)
>>     # s3conn.do_something()
>>     ## etc for other AWS resources
>>
>> Basically, is it possible to insert "assume_role" before a module calls
>> "connect", and do it for multiple accounts?
>>
>> Thanks in advance,
>> -Boris
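The hand-off Boris sketches (shell out to `aws sts assume-role`, pull the three credential fields out of its JSON, pass them to a module once per account) as an added Python example; this is not code from the thread or from Ansible. The STS output is a constructed sample with placeholder key values, and the function names, the expiry margin and the `runner` parameter are my own assumptions.

```python
import json
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample of what `aws sts assume-role` prints; the credential
# values are placeholders, not real keys.
SAMPLE_STS_OUTPUT = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
    "SecretAccessKey": "secretPlaceholder",
    "SessionToken": "tokenPlaceholder",
    "Expiration": "2014-12-23T23:19:00Z"}})


def parse_utc(stamp):
    """Parse the CLI's Expiration field; older CLIs print 'Z', newer '+00:00'."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def run_assume_role(role_arn, session_name):
    """Shell out exactly like the playbook's shell task; returns the JSON text."""
    proc = subprocess.run(
        ["aws", "sts", "assume-role", "--role-arn", role_arn,
         "--role-session-name", session_name],
        check=True, capture_output=True, text=True)
    return proc.stdout


def module_args_from_sts(stdout, now, min_remaining=timedelta(minutes=5)):
    """Map the STS JSON to the args an ec2_* module takes, refusing credentials
    that are expired or will expire before a run could plausibly finish."""
    creds = json.loads(stdout)["Credentials"]
    if parse_utc(creds["Expiration"]) - now < min_remaining:
        raise RuntimeError("STS credentials expire at %s" % creds["Expiration"])
    return {"aws_access_key": creds["AccessKeyId"],
            "aws_secret_key": creds["SecretAccessKey"],
            "security_token": creds["SessionToken"]}


def assume_in_accounts(accounts, role_name, session_name,
                       runner=run_assume_role, now=None):
    """Assume the same role in every account. Credentials stay in this dict in
    memory; nothing is written to disk, which is the point of the use case."""
    now = now or datetime.now(timezone.utc)
    out = {}
    for account in accounts:
        if not (account.isdigit() and len(account) == 12):
            raise ValueError("not a 12-digit AWS account id: %r" % account)
        arn = "arn:aws:iam::%s:role/%s" % (account, role_name)
        out[account] = module_args_from_sts(runner(arn, session_name), now)
    return out
```

Substituting a fake `runner` (as the test does) lets the parsing and expiry check be exercised without AWS access; with the default runner it needs the CLI and a caller identity the target roles trust.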
