Hi, I have a pull request for ec2.py to support multiple AWS accounts via STS.
https://github.com/ansible/ansible/pull/11321

I have a readme with the steps to set up with STS.
https://github.com/linuxbsdfreak/ansible-ec2-sts

Regards,
Kevin

On Thursday, July 2, 2015 at 10:54:15 PM UTC+2, Erick Barros wrote:
>
> Has somebody solved this?
> Is the proposed solution given by Boris the only way to do that?
>
> Thanks in advance.
>
> On Tue, Dec 23, 2014 at 2:19 PM, Boris <[email protected]> wrote:
>
>> Here is my "solution" at the moment. Hoping to find something more
>> elegant...
>>
>> tasks:
>>   - shell: aws sts assume-role --role-arn "arn:aws:iam::XXXXXXXXXXXX:role/myRole" --role-session-name mySession
>>     register: role
>>
>>   - set_fact:
>>       accessKeyId: "{{ (role.stdout | from_json).Credentials.AccessKeyId }}"
>>       secretAccessKey: "{{ (role.stdout | from_json).Credentials.SecretAccessKey }}"
>>       sessionToken: "{{ (role.stdout | from_json).Credentials.SessionToken }}"
>>
>>   - ec2_tag: resource=i-XXXXXXXX region=us-west-1 state=present
>>     args:
>>       aws_access_key: "{{ accessKeyId }}"
>>       aws_secret_key: "{{ secretAccessKey }}"
>>       security_token: "{{ sessionToken }}"
>>       tags:
>>         Name: myInstanceName
>>
>> Thoughts? Would it make sense to have a module doing this?
>>
>> -Boris
>>
>> On Monday, December 22, 2014 5:03:00 PM UTC-8, Boris wrote:
>>>
>>> Hi,
>>> Not sure if this question belongs here or on the ansible_development
>>> list, but let me start here.
>>>
>>> Do Ansible AWS modules support STS.assume_role
>>> <http://boto.readthedocs.org/en/latest/ref/sts.html> to obtain
>>> temporary credentials and use them to sign API requests for multiple
>>> accounts?
>>>
>>> Use case:
>>> * pre-condition: multiple AWS accounts have a role with a trust
>>>   relationship with the instance hosting Ansible
>>> * Invoke ec2, ec2_ami, rds, s3 or any other AWS cloud Ansible module
>>>   targeting resources in multiple AWS accounts (using temporary credentials
>>>   obtained from STS assume_role for each account)
>>> For example, snapshot all the volumes for all the instances tagged with
>>> 'prod' in all of my AWS accounts (using trust relationships and not using a
>>> bunch of AWS credentials lying around the file system)
>>>
>>> with straight boto this would look something like this:
>>>
>>> import boto
>>> # accounts: list of AWS account id strings to iterate over
>>> stsConn = boto.connect_sts()
>>> for account in accounts:
>>>     role = stsConn.assume_role('arn:aws:iam::%s:role/MyRole' % account,
>>>                                'mySession')
>>>     ec2conn = boto.connect_ec2(aws_access_key_id=role.credentials.access_key,
>>>                                aws_secret_access_key=role.credentials.secret_key,
>>>                                security_token=role.credentials.session_token)
>>>     #ec2conn.do_something()
>>>     s3conn = boto.connect_s3(aws_access_key_id=role.credentials.access_key,
>>>                              aws_secret_access_key=role.credentials.secret_key,
>>>                              security_token=role.credentials.session_token)
>>>     #s3conn.do_something()
>>>     ## etc for other AWS resources
>>>
>>> Basically, is it possible to insert "assume_role" before a module calls
>>> "connect", and do it for multiple accounts?
>>>
>>> Thanks in advance,
>>> -Boris
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/79868136-5bbf-437f-a794-ecd58af192d3%40googlegroups.com.
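The two approaches quoted above (Boris's shell + set_fact task that parses the `aws sts assume-role` JSON, and his boto loop over accounts) both hand per-account temporary credentials to the AWS modules. The following is an added example, not code from the thread or from Ansible: it parses that JSON into the `aws_access_key` / `aws_secret_key` / `security_token` arguments the modules take, refuses credentials whose `Expiration` has passed, and validates the account id before building the role ARN. The sample JSON values are constructed; `run_assume_role` is an injected callable standing in for the real CLI call so the block runs offline.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample of the JSON `aws sts assume-role` prints on stdout
# (the document Boris's set_fact task reads with `from_json`).
SAMPLE_STS_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID0000",
        "SecretAccessKey": "exampleSecretKeyDoNotUse",
        "SessionToken": "exampleSessionToken",
        "Expiration": "2030-01-01T00:00:00Z",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:mySession",
        "Arn": "arn:aws:sts::123456789012:assumed-role/MyRole/mySession",
    },
})

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def role_arn(account_id, role_name="MyRole"):
    """Build the role ARN for one account. A malformed id is rejected
    here so a typo cannot quietly assume a role somewhere unintended."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("account id must be exactly 12 digits: %r" % account_id)
    return "arn:aws:iam::%s:role/%s" % (account_id, role_name)


def module_creds_from_sts(stdout, now=None):
    """Map assume-role JSON to the module arguments, refusing expired
    credentials instead of letting the AWS call fail later with a 403."""
    creds = json.loads(stdout)["Credentials"]
    # CLI v1 prints '...Z', v2 prints '...+00:00'; accept both.
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    if expires <= now:
        raise RuntimeError("STS credentials expired at %s" % creds["Expiration"])
    return {
        "aws_access_key": creds["AccessKeyId"],
        "aws_secret_key": creds["SecretAccessKey"],
        "security_token": creds["SessionToken"],
    }


def creds_per_account(accounts, run_assume_role, role_name="MyRole"):
    """The loop Boris describes: one assume-role per account, keyed by
    account id. run_assume_role(arn) returns the CLI stdout (injected)."""
    return {acct: module_creds_from_sts(run_assume_role(role_arn(acct, role_name)))
            for acct in accounts}
```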
