AWS credentials not working with cross account role

Hello

I’ve been trying to get my team at work to adopt better credential management but I’m struggling to get ansible working with the aws cli credentials file. My credentials file seems to work just fine with aws cli and directly using boto in a python script but not in ansible. My file is set up as below:

credentials:

```ini
[default]
aws_access_key_id=PARENTKEY
aws_secret_access_key=PARENTSECRETKEY

[childprofile]
role_arn=arn:aws:iam::########:role/groupname
source_profile=default
```

but when I execute the playbook I just get

```
"msg": "Profile given for AWS was not found. Please fix and retry."
```

I know that the profile name is being passed correctly as this is shown in the verbose output

```
EXEC /bin/sh -c 'AWS_PROFILE=childprofile /usr/bin/python /home/user/.ansible/tmp/ansible-tmp-1519121014.43-259509127929346/ec2_vpc_net.py; rm -rf "/home/user/.ansible/tmp/ansible-tmp-1519121014.43-259509127929346/" > /dev/null 2>&1 && sleep 0'
```

and I know that the credentials file works because if I replace the role and the source_profile with aws_access_key and aws_secret_access_key it works.

I’ve been looking at this for a few days and can’t figure it out.

I have managed to get it working by setting the assume role values for ansible modules and then setting the AWS_PROFILE env variable for the shell commands, at least it seems to work fine.

Credentials file:

```ini
[default]
region=us-west-2
aws_access_key_id=PARENTACCOUNTKEY
aws_secret_access_key=PARENTSECRETKEY

[childprofile]
role_arn=arn:aws:iam::ACCOUNTNUMBER:role/ROLENAME
source_profile=default
```

Playbook:

```yaml
pre_tasks:
  - sts_assume_role:
      role_arn: "arn:aws:iam::ACCOUNTNUMBER:role/ROLENAME"
      role_session_name: "someRoleSession"
      region: 'eu-west-1'
      profile: "default"
    register: assumed_role   # register belongs at task level, not inside the module args

environment:
  AWS_ACCESS_KEY: "{{ assumed_role.sts_creds.access_key }}"
  AWS_SECRET_KEY: "{{ assumed_role.sts_creds.secret_key }}"
  AWS_SECURITY_TOKEN: "{{ assumed_role.sts_creds.session_token }}"
  AWS_PROFILE: 'childprofile'
  AWS_DEFAULT_REGION: '{{ aws_region }}'
```
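As an added example (not from the original post or from Ansible), here is an offline check of the assume-role chain in a credentials file, the thing the module above could not resolve: it confirms that a profile with `role_arn` points through `source_profile` to a profile holding static keys, and reports a missing profile, a loop, or a malformed ARN instead of a generic "profile not found". The file content is a constructed sample mirroring the poster's layout; the account number is a placeholder.

```python
import configparser
import re

# Constructed sample in the poster's layout (all values are placeholders).
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id=PARENTKEY
aws_secret_access_key=PARENTSECRETKEY

[childprofile]
role_arn=arn:aws:iam::123456789012:role/groupname
source_profile=default
"""

# IAM role ARN: 12-digit account id, then role/<name> with the allowed name characters.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def load_profiles(text):
    """Parse credentials-file text into {profile_name: {key: value}}."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def resolve_chain(profiles, name, seen=()):
    """Follow source_profile links from `name` until a profile with static keys.

    Returns (chain, error): chain is the list of profiles visited in order,
    error is None when the chain ends in usable static credentials."""
    if name not in profiles:
        return list(seen), f"profile {name!r} not found"
    if name in seen:
        return list(seen), f"source_profile loop at {name!r}"
    chain = list(seen) + [name]
    prof = profiles[name]
    if "role_arn" in prof:
        if not ROLE_ARN_RE.match(prof["role_arn"]):
            return chain, f"malformed role_arn in {name!r}"
        if "source_profile" in prof:
            return resolve_chain(profiles, prof["source_profile"], tuple(chain))
        if "credential_source" in prof:
            return chain, None  # credentials come from the environment/instance, not a profile
        return chain, f"{name!r} has role_arn but no source_profile"
    if "aws_access_key_id" in prof and "aws_secret_access_key" in prof:
        return chain, None
    return chain, f"{name!r} has neither role_arn nor static keys"
```

Running `resolve_chain(load_profiles(SAMPLE_CREDENTIALS), "childprofile")` returns `(['childprofile', 'default'], None)`, which is what a correctly chained profile looks like; a tool that still rejects it is not reading that file.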