Thanks for your reply.

I will create a role with a limited policy and check it.

Even if we assign roles, how do we write playbooks without access and secret 
access keys, keys in a variable file, or export ACCESS_KEYS... etc.?

For the example below, without the keys variables, how will Ansible communicate 
with the AWS API?

- name: create ec2 instance
  ec2:
    aws_access_key: "xxxxxxxxxxxx"   # <----- without this line
    aws_secret_key: "xxxxxxxxxxxx"   # <----- without this line
    image: ami-abcdefghi
    wait: yes
    instance_type: t2.micro
    # reference the registered security group result, not a literal string
    group_id: "{{ security_group.group_id }}"
    region: us-east-2
    count_tag:
      Name: webserver
    exact_count: 1
  register: ec2

Regards,
Saravanan S

On Wednesday, January 2, 2019 at 5:10:21 PM UTC+5:30, Karl Auer wrote:
>
> It sounds as if you need to run ansible on an AWS instance, and create an 
> instance policy for the instance. Read up on instance policies in the AWS 
> doco.
>
> The simplest instance policy is just a role that gives the instance 
> AdministratorAccess, but depending on what you are planning to use Ansible 
> to do, that may be overkill. You should avoid giving an instance too much 
> power, just as you should avoid giving a user too much power.
>
> The big advantage of using an instance policy is that software on the 
> instance - like Ansible - can do anything the instance is allowed to do, 
> without having to worry about IAM users, access keys or secrets of any kind 
> (although you will need to be able to log into the instance to do stuff).
>
> The other thing you can do is attach a limited instance policy first, and 
> change it later - any change to the role will be effective almost 
> immediately.
>
> Regards, K.
>
> On Wed, Jan 2, 2019 at 10:13 PM S Saravanan <[email protected]> wrote:
>
>> Hi All,
>>
>> How can we manage AWS resources with Ansible without Access Keys and Secret 
>> Access Keys?
>> There is a requirement to use an Ansible server to manage AWS, but we should 
>> not use access and secret keys, due to the security policy in the project.
>> We have to use only IAM role based access for this.
>> Which IAM role can be used? What policies need to be attached to 
>> the role?
>>
>> Please give some suggestions.
>>
>> Thank you in advance.
>>
>> Regards,
>> Saravanan S
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/ansible-project/0791a097-c8bf-457a-8ab7-ed307df1fc70%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
> -- 
> Karl Auer
>
> Email  : [email protected]
> Website: http://2pisoftware.com
>
> GPG/PGP : 958A 2647 6C44 D376 3D63 86A5 FFB2 20BC 0257 5816
> Previous: F0AB 6C70 A49D 1927 6E05 81E7 AD95 268F 2AB6 40EA
>
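
The question at the top of this message, answered as an added example (not from the thread, and not Ansible's or boto's own code): when a task carries no key lines, the AWS SDK underneath Ansible falls back to temporary credentials that the instance metadata service issues for the role attached to the instance. The lookup order is simplified here to task parameters, environment variables, then instance role; the function names and the sample credential document are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample of the JSON the instance metadata service (IMDS) serves at
# /latest/meta-data/iam/security-credentials/<role-name> on 169.254.169.254.
SAMPLE_IMDS_DOC = json.dumps({
    "Code": "Success",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEKEYID0000",
    "SecretAccessKey": "constructed-secret",
    "Token": "constructed-session-token",
    "Expiration": "2019-01-02T18:00:00Z",
})


def parse_role_credentials(doc, now):
    """Validate an IMDS credential document and return the temporary keys."""
    data = json.loads(doc)
    if data.get("Code") != "Success":
        raise ValueError("no role attached or IMDS returned an error")
    expires = datetime.strptime(data["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=timezone.utc)
    if expires <= now:
        raise ValueError("role credentials expired; a fresh document is needed")
    return {"source": "instance-role", "access_key": data["AccessKeyId"],
            "secret_key": data["SecretAccessKey"], "token": data["Token"],
            "expires": expires}


def resolve_credentials(task_args, environ, fetch_imds, now):
    """Hypothetical, simplified lookup order: task args, environment, role."""
    for source, store, key_id, secret in (
        ("task-parameters", task_args, "aws_access_key", "aws_secret_key"),
        ("environment", environ, "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"),
    ):
        if store.get(key_id) and store.get(secret):
            return {"source": source, "access_key": store[key_id],
                    "secret_key": store[secret], "token": None, "expires": None}
    # Nothing static was supplied: fall back to the role on the instance.
    return parse_role_credentials(fetch_imds(), now)


if __name__ == "__main__":
    now = datetime(2019, 1, 2, 12, 0, tzinfo=timezone.utc)
    task = {"image": "ami-abcdefghi", "region": "us-east-2"}  # no key lines
    creds = resolve_credentials(task, {}, lambda: SAMPLE_IMDS_DOC, now)
    print(creds["source"], creds["access_key"], creds["expires"])
```

The role credentials carry a session token and an expiry, so nothing long-lived has to sit in the playbook, a variable file or the shell environment.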
