Thank you Karl and Dick.
On Thursday, January 3, 2019 at 5:32:29 PM UTC+5:30, Karl Auer wrote:

> I have used the ec2 module a LOT on a build host with an instance policy and have never had to include those two items. I simply omit them. The module still works fine.
>
> So I think you CAN "just skip them"... as long as you have an appropriate instance policy. And (obviously) as long as Ansible is executing the module on the system with the instance policy!
>
> Regards, K.
>
> On Thu, Jan 3, 2019 at 3:35 PM Dick Visser <[email protected]> wrote:
>
>> On Wed, 2 Jan 2019 at 17:56, S Saravanan <[email protected]> wrote:
>>
>>> Thanks for your reply.
>>>
>>> I will create a role with a limited policy and check it.
>>>
>>> Even if we assign roles, how do we write playbooks without access and secret access keys (keys in a variable file, or exported ACCESS_KEYS, etc.)?
>>>
>>> For the example below, without the key variables, how will Ansible communicate with the AWS API?
>>>
>>>     - name: create ec2 instance
>>>       ec2:
>>>         aws_access_key: "xxxxxxxxxxxx"   # <----- without this line
>>>         aws_secret_key: "xxxxxxxxxxxx"   # <----- without this line
>>>         image: ami-abcdefghi
>>>         wait: yes
>>>         instance_type: t2.micro
>>>         group_id: "{{ security_group.group_id }}"
>>>         region: us-east-2
>>>         count_tag:
>>>           Name: webserver
>>>         exact_count: 1
>>>       register: ec2
>>
>> Those two options are mandatory for the module to work, you cannot just skip them.
>> AWS provides you with temporary credentials that give access to the IAM policy the machine is assigned.
>> You should be able to retrieve those from the instance's metadata:
>>
>> https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials
>>
>> When you have set up some (initially restricted, as Karl said) policy, I suggest using the ec2_metadata_facts module to find the temporary credentials:
>>
>> https://docs.ansible.com/ansible/2.4/ec2_metadata_facts_module.html
>>
>> Then simply refer to the appropriate keys in your ec2 task.
>>
>> Dick
>>
>>> Regards,
>>> Saravanan S
>>>
>>> On Wednesday, January 2, 2019 at 5:10:21 PM UTC+5:30, Karl Auer wrote:
>>>
>>>> It sounds as if you need to run Ansible on an AWS instance, and create an instance policy for the instance. Read up on instance policies in the AWS doco.
>>>>
>>>> The simplest instance policy is just a role that gives the instance AdministratorAccess, but depending on what you are planning to use Ansible to do, that may be overkill. You should avoid giving an instance too much power, just as you should avoid giving a user too much power.
>>>>
>>>> The big advantage of using an instance policy is that software on the instance - like Ansible - can do anything the instance is allowed to do, without having to worry about IAM users, access keys or secrets of any kind (although you will need to be able to log into the instance to do stuff).
>>>>
>>>> The other thing you can do is attach a limited instance policy first, and change it later - any change to the role will be effective almost immediately.
>>>>
>>>> Regards, K.
>>>>
>>>> On Wed, Jan 2, 2019 at 10:13 PM S Saravanan <[email protected]> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> How can we manage AWS resources with Ansible without Access Keys and Secret Access Keys?
>>>>> There is a requirement to use an Ansible server to manage AWS, but it should not use access and secret keys, per the security policy in the project.
>>>>> We have to use only IAM role based access for this.
>>>>> Which IAM role can be used? What policies need to be attached to the role?
>>>>>
>>>>> Please give some suggestions.
>>>>>
>>>>> Thank you in advance.
>>>>>
>>>>> Regards,
>>>>> Saravanan S
>>>>
>>>> --
>>>> Karl Auer
>>>>
>>>> Email : [email protected]
>>>> Website: http://2pisoftware.com
>>>>
>>>> GPG/PGP : 958A 2647 6C44 D376 3D63 86A5 FFB2 20BC 0257 5816
>>>> Previous: F0AB 6C70 A49D 1927 6E05 81E7 AD95 268F 2AB6 40EA
>>
>> --
>> Sent from a mobile device - please excuse the brevity, spelling and punctuation.

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/efac179a-3baf-49e6-be81-308e3939b9f5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
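The following playbook is an added illustration of Karl's point, not code from any poster in this thread: run on an EC2 instance that has an IAM instance profile attached, the ec2 module obtains temporary credentials from the instance metadata service through boto's default credential chain, so no aws_access_key or aws_secret_key appears in the playbook, in a vars file, or in the environment. The AMI id, security group id and region are placeholders, and the fact name ansible_ec2_iam_info_instanceprofilearn is assumed from the ec2_metadata_facts module's metadata flattening; everything else uses documented module parameters.

```yaml
# Added example (not from the thread): launch an instance using only the
# IAM instance profile of the host Ansible runs on. Assumes this playbook
# executes on an EC2 instance that has a role attached.
- name: Launch a web server using the instance profile for AWS credentials
  hosts: localhost
  connection: local
  gather_facts: no
  vars:
    # Placeholder values; substitute your own AMI, security group and region.
    web_ami: ami-abcdefghi
    web_sg_id: sg-0123456789abcdef0
    aws_region: us-east-2
  tasks:
    - name: Refuse to run if static keys are present in the environment
      # Environment variables sit above instance metadata in boto's
      # credential chain, so a stray AWS_ACCESS_KEY_ID would silently
      # override the role and defeat the "no static keys" requirement.
      assert:
        that:
          - lookup('env', 'AWS_ACCESS_KEY_ID') == ''
          - lookup('env', 'AWS_SECRET_ACCESS_KEY') == ''
        msg: "Static AWS keys found in the environment; this play must use the instance profile only"

    - name: Read instance metadata (module from Dick's link; needs no keys either)
      ec2_metadata_facts:

    - name: Show which instance profile is supplying credentials
      debug:
        var: ansible_ec2_iam_info_instanceprofilearn   # assumed fact name

    - name: Create ec2 instance with no aws_access_key / aws_secret_key
      ec2:
        image: "{{ web_ami }}"
        instance_type: t2.micro
        group_id: "{{ web_sg_id }}"
        region: "{{ aws_region }}"
        wait: yes
        count_tag:
          Name: webserver
        exact_count: 1
      register: ec2
```

For the role itself, start narrower than AdministratorAccess: a task like the one above only needs a policy allowing ec2:RunInstances, ec2:DescribeInstances, ec2:DescribeImages, ec2:DescribeSecurityGroups, ec2:CreateTags and ec2:DescribeTags, and you can widen it later, since role changes take effect almost immediately, as Karl noted. If you instead follow Dick's route and pass the credentials read from metadata into the ec2 task explicitly, remember they are temporary STS credentials: the access key and secret are only valid together with their session token, which the ec2 module accepts via its security_token parameter, and they expire and rotate, so a playbook that copies them into a vars file will break and, worse, leaves short-lived secrets on disk.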
