I have managed to get it working by setting the assume-role values for the
Ansible modules and then setting the AWS_PROFILE env variable for the shell
commands. At least it seems to work fine.

Credentials file:

# credentials
[default]
region=us-west-2
aws_access_key_id=PARENTACCOUNTKEY
aws_secret_access_key=PARENTSECRETKEY

[childprofile]
role_arn=arn:aws:iam::ACCOUNTNUMBER:role/ROLENAME
source_profile=default

Playbook:

pre_tasks:
- sts_assume_role:
    role_arn: "arn:aws:iam::ACCOUNTNUMBER:role/ROLENAME"
    role_session_name: "someRoleSession"
    region: 'eu-west-1'
    profile: "default"
  # register is a task keyword, so it sits at task level, not among the module arguments
  register: assumed_role

# temporary credentials from the assumed role, exported to the tasks
environment:
    AWS_ACCESS_KEY: "{{ assumed_role.sts_creds.access_key }}"
    AWS_SECRET_KEY: "{{ assumed_role.sts_creds.secret_key }}"
    AWS_SECURITY_TOKEN: "{{ assumed_role.sts_creds.session_token }}"
    AWS_PROFILE: 'childprofile'
    AWS_DEFAULT_REGION: '{{ aws_region }}'


On Tuesday, 20 February 2018 10:08:27 UTC, Craig Wilson wrote:
>
> Hello
>
> I've been trying to get my team at work to adopt better credential 
> management but I'm struggling to get ansible working with the aws cli 
> credentials file. My credentials file seems to work just fine with aws cli 
> and directly using boto in a python script but not in ansible. My file is 
> set up as below
>
> # credentials
> [default]
> aws_access_key_id=PARENTKEY
> aws_secret_access_key=PARENTSECRETKEY
>
> [childprofile]
> role_arn=arn:aws:iam::########:role/groupname
> source_profile=default
>
>
> but when I execute the playbook I just get 
>     "msg": "Profile given for AWS was not found.  Please fix and retry."
>
> I know that the profile name is being set correctly, as this is shown in the 
> verbose output
>
> <localhost> EXEC /bin/sh -c 'AWS_PROFILE=childprofile /usr/bin/python 
> /home/user/.ansible/tmp/ansible-tmp-1519121014.43-259509127929346/ec2_vpc_net.py;
>  
> rm -rf "/home/user/.ansible/tmp/ansible-tmp-1519121014.43-259509127929346/" 
> > /dev/null 2>&1 && sleep 0'
>
> and I know that the credentials file works because if I replace the role 
> and the source_profile with aws_access_key and aws_secret_access_key it 
> works. 
>
> I've been looking at this for a few days and can't figure it out. 
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/5b9ae3fa-e3a7-4e41-b8c0-63360679cdc0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
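
An added example, not part of the original thread or of Ansible: a small check that parses a credentials file in the format shown above and reports which profiles hold static keys and which depend on role_arn/source_profile (the kind of profile the thread reports failing under Ansible), flagging chains that cannot resolve. The function names and the [orphan] profile are assumptions made for illustration.

```python
import configparser

# Constructed sample: the thread's credentials file (placeholder values)
# plus one deliberately broken profile.
SAMPLE = """\
[default]
region=us-west-2
aws_access_key_id=PARENTACCOUNTKEY
aws_secret_access_key=PARENTSECRETKEY

[childprofile]
role_arn=arn:aws:iam::ACCOUNTNUMBER:role/ROLENAME
source_profile=default

[orphan]
role_arn=arn:aws:iam::ACCOUNTNUMBER:role/OTHER
source_profile=missing
"""

def _resolve(cfg, name, seen):
    """Follow source_profile links until static keys or a dead end is found."""
    if name in seen:
        return ("broken", "source_profile cycle: " + " -> ".join(seen + [name]))
    if not cfg.has_section(name):
        return ("broken", "source_profile %r is not defined" % name)
    sec = cfg[name]
    if "role_arn" in sec:
        src = sec.get("source_profile")
        if not src:
            return ("broken", "role_arn without source_profile")
        kind, detail = _resolve(cfg, src, seen + [name])
        if kind == "broken":
            return (kind, detail)
        return ("assume-role", "%s via %s" % (sec["role_arn"], src))
    if "aws_access_key_id" in sec and "aws_secret_access_key" in sec:
        return ("static-keys", "long-lived keys stored in the file")
    return ("broken", "no static keys and no role_arn")

def classify_profiles(text):
    """Map each profile to (kind, detail). Simplification: a profile that
    names itself as source_profile is reported as a cycle."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    return {name: _resolve(cfg, name, []) for name in cfg.sections()}

if __name__ == "__main__":
    for profile, (kind, detail) in classify_profiles(SAMPLE).items():
        print("%-13s %-12s %s" % (profile, kind, detail))
```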