It sounds as if you need to run Ansible on an AWS instance, and create an
instance policy for the instance. Read up on instance policies in the AWS
doco.

The simplest instance policy is just a role that gives the instance
AdministratorAccess, but depending on what you are planning to use Ansible
to do, that may be overkill. You should avoid giving an instance too much
power, just as you should avoid giving a user too much power.

The big advantage of using an instance policy is that software on the
instance - like Ansible - can do anything the instance is allowed to do,
without having to worry about IAM users, access keys or secrets of any kind
(although you will need to be able to log into the instance to do stuff).

The other thing you can do is attach a limited instance policy first, and
change it later - any change to the role will be effective almost
immediately.

Regards, K.

On Wed, Jan 2, 2019 at 10:13 PM S Saravanan <[email protected]>
wrote:

> Hi All,
>
> How can we manage AWS resources with Ansible without Access Keys and Secret
> Access Keys?
> There is a requirement to use an Ansible server to manage AWS, but we should
> not use access and secret keys, because of the security policy in the project.
> We have to use only IAM role based access for this.
> Which IAM role can be used? What policies need to be attached to
> the role?
>
> Please give some suggestions.
>
> Thank you in advance.
>
> Regards,
> Saravanan S
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/0791a097-c8bf-457a-8ab7-ed307df1fc70%40googlegroups.com
> <https://groups.google.com/d/msgid/ansible-project/0791a097-c8bf-457a-8ab7-ed307df1fc70%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>


-- 
Karl Auer

Email  : [email protected]
Website: http://2pisoftware.com

GPG/PGP : 958A 2647 6C44 D376 3D63 86A5 FFB2 20BC 0257 5816
Previous: F0AB 6C70 A49D 1927 6E05 81E7 AD95 268F 2AB6 40EA
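
A pre-attachment check for the advice in the reply above, as an added example that is not part of the original thread: it confirms that a role's trust policy lets EC2 assume it and flags permission statements as broad as AdministratorAccess. The policy documents, the variable names and the two function names are constructed for illustration.

```python
import json

# Constructed sample documents (not from the thread). TRUST lets EC2 assume
# the role; LIMITED is a narrow starting policy; ADMIN mirrors the single
# statement of the AWS-managed AdministratorAccess policy.
TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
   "Action": "sts:AssumeRole"}]}""")
LIMITED = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:DescribeTags"],
   "Resource": "*"}]}""")
ADMIN = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "*", "Resource": "*"}]}""")


def _as_list(value):
    """IAM accepts one value or a list for these fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def ec2_can_assume(trust_policy):
    """True if the trust policy lets the EC2 service assume the role."""
    for st in _as_list(trust_policy.get("Statement")):
        principal = st.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if (st.get("Effect") == "Allow"
                and "sts:AssumeRole" in _as_list(st.get("Action"))
                and "ec2.amazonaws.com" in services):
            return True
    return False


def overbroad_statements(policy):
    """Return (statement index, reason) for Allow statements using wildcards."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow" or "*" not in _as_list(st.get("Resource")):
            continue
        for action in _as_list(st.get("Action")):
            if action == "*":
                findings.append((i, "admin-equivalent: Action * on Resource *"))
            elif action.endswith(":*"):
                findings.append((i, f"service-wide wildcard {action} on Resource *"))
    return findings
```

The check covers `Action` only; statements written with `NotAction` or with conditions need a separate review.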
