Hi all,
I'm looking for any suggestions on how to work around the following issue:
I am trying to use a lookup plugin but it is ignoring my environment
variables.
The lookup plugin I am trying to use is credstash and the environment
variables are being set because I am using AWS STS to assume a role.
It looks a little like this:
---
- name: Get STS token
  hosts: "{{ hosts }}"
  connection: local
  tasks:
    - name: Assume role for passed account
      sts_assume_role:
        region: "{{ aws_region }}"
        role_arn: "arn:aws:iam::{{ aws_account_id }}:role/ansible-is_assumed"
        role_session_name: ansible_assumed_role
      register: assumed_role
      when: use_sts
    - name: Set environment with AWS creds when available
      set_fact:
        my_environment:
          AWS_ACCESS_KEY_ID: "{{ assumed_role.sts_creds.access_key }}"
          AWS_SECRET_ACCESS_KEY: "{{ assumed_role.sts_creds.secret_key }}"
          AWS_SECURITY_TOKEN: "{{ assumed_role.sts_creds.session_token }}"
      when: assumed_role.skipped is not defined
    - name: Set environment blank when no AWS creds
      set_fact:
        my_environment: {}
      when: assumed_role.skipped is defined
- name: Deploy infrastructure role
  hosts: "{{ hosts }}"
  connection: local
  roles:
    - "{{ role_to_deploy }}"
  environment: "{{ my_environment }}"
Now in the role_to_deploy I have lots of tasks that work brilliantly
calling out to AWS using the STS credentials supplied as intended.
Unfortunately, any lookup plugins do not work properly because they do not
use the environment variables I have set. They end up calling out to AWS
using the default credentials rather than being overridden by the STS creds.
I don't think this is a bug but it is nevertheless annoying.
I'm hoping maybe one of the core team can think of a way I can get the
lookup plugin to 'see' my STS environment variables I have set.
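
Added example, not part of the original post and not Ansible's own code: a small Python model of the behaviour described above. It assumes that lookup plugins are evaluated inside the controller's Python process while `environment:` is applied only to the process that runs a task's module; `run_task`, `run_lookup`, `demo` and the key values are hypothetical names and constructed placeholders.

```python
import os
import subprocess
import sys

# Constructed placeholder values, not real credentials.
DEFAULT_KEY = "AKIA-DEFAULT-PLACEHOLDER"
STS_KEY = "ASIA-STS-PLACEHOLDER"

CHILD_CODE = "import os; print(os.environ.get('AWS_ACCESS_KEY_ID', ''))"


def run_task(task_env):
    """Model of a task: a child process whose environment is the
    controller's environment with the play's `environment:` merged on top."""
    child_env = dict(os.environ, **task_env)
    result = subprocess.run(
        [sys.executable, "-c", CHILD_CODE],
        env=child_env, capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


def run_lookup():
    """Model of a lookup plugin: plain Python running in the controller
    process, so it only ever sees the controller's own os.environ."""
    return os.environ.get("AWS_ACCESS_KEY_ID", "")


def demo():
    """Return which access key the modelled task and lookup each see."""
    saved = os.environ.get("AWS_ACCESS_KEY_ID")
    os.environ["AWS_ACCESS_KEY_ID"] = DEFAULT_KEY  # controller's default creds
    try:
        # Equivalent of the my_environment fact built by set_fact.
        my_environment = {"AWS_ACCESS_KEY_ID": STS_KEY}
        return {"task": run_task(my_environment), "lookup": run_lookup()}
    finally:
        # Leave the caller's environment as it was found.
        if saved is None:
            del os.environ["AWS_ACCESS_KEY_ID"]
        else:
            os.environ["AWS_ACCESS_KEY_ID"] = saved


if __name__ == "__main__":
    print(demo())
```

In this model the task runs with the STS key while the lookup still resolves the default key, which is the mismatch to check for when a lookup reads secrets from the wrong account.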