On my Ansible control server I was able to connect to the target EC2 instance using AWS SSM connectivity. To achieve this, my inventory had the instance-id followed by profile details and aws_region.
On the Ansible control server, under the path ~/.aws/, I have 2 files: config and credentials.
In the config file, the profile has been mentioned along with the ARN of the IAM role of the target AWS account where the EC2 instance resides, and a reference is made to the credentials.
In the credentials file, the AWS access key ID, secret access key and session token are present.
In the playbook the S3 bucket is mentioned.
After having all these, the connectivity works perfectly.
Now I need to have the connectivity achieved via AWX. What are the steps that need to be followed? Let me know if more explanation is required.
I was able to figure out the solution. This requires a custom execution environment, which means the container has to be built, stored in a registry and used as the execution environment.
During the build of the container, the below has to be present:
###aws Config
RUN mkdir -p /root/.aws
It's not a good idea to store credentials directly in a container image. Anyone who can do a docker image pull will be able to look at your AWS credentials since they're baked into it.
@mcen1 you're right, but the only disadvantage of this method is that these are STS credentials of an IAM role and they will expire. So the solution cannot be considered a perfect working solution. Need to explore other options.
Not enough details for me to offer ideas, but I’ve accomplished similar solutions utilizing a custom credential type (or using a secrets store) and have the Ansible playbook set up the necessary config files based off the Fred’s variables (or what was retrieved from the secret store).
I was able to achieve SSM connectivity to an EC2 instance which is in a different account by following the below steps. It's a lengthy process, but the below solution works for me.
I have an AWS account where the AWX is hosted. Let's consider that as Account A, and the target account as B, where the EC2 instance exists and which I need to run my Ansible template against.
Create an IAM role, e.g. ssm-connectivity-poc, in both the accounts. For the role in account B, under the trust relationships, provide the ARN of the IAM role ssm-connectivity-poc of Account A. This is the foundation of the connectivity.
In the container the below folder has to be present, i.e.
/root/.aws/
Now, during my template execution I use an execution node. So on this execution node I have placed the config file and the credentials file. The credentials file has the STS credentials of the IAM role ssm-connectivity-poc, which are refreshed frequently using an automation that I have set up.
In the AWX job settings there is an option to fetch files from the execution node to the containers (AWS EE); with the help of this I'm pulling the config file and credentials file dynamically.
Inventory is one of the key and most important aspects of the whole AWS-SSM via AWX process. In the inventory for Linux, I had to provide the instance-id followed by ansible_connection, ansible_aws_ssm_profile, ansible_aws_ssm_region, ansible_remote_tmp and ansible_aws_ssm_bucket_name.
If the above steps are in place, AWS-SSM connectivity via AWX will work.
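As an added example that is not from this thread, here is a Python preflight check a practitioner could run in the AWX job (for example as a pre_task) before the aws_ssm connection is attempted: it verifies the inventory host vars listed above, checks that the referenced profile exists in the config pulled in from the execution node with a role_arn and source_profile, and checks that the source profile carries a complete set of STS credentials. The account ID, role ARN, bucket name and credential values are constructed placeholders.

```python
import configparser
# Constructed sample of the ~/.aws/config pulled into the EE: the profile the
# inventory names assumes the account B role via account A (placeholder IDs).
AWS_CONFIG = """
[profile ssm-connectivity-poc]
role_arn = arn:aws:iam::222222222222:role/ssm-connectivity-poc
source_profile = account-a
region = eu-west-1
"""
# Constructed sample of ~/.aws/credentials: the temporary STS credentials of
# the account A role (placeholder values).
AWS_CREDENTIALS = """
[account-a]
aws_access_key_id = AKIAPLACEHOLDER
aws_secret_access_key = placeholder-secret
aws_session_token = placeholder-session-token
"""
# Host vars of one inventory host (the EC2 instance-id), as listed in the post.
HOST_VARS = {
    "ansible_connection": "aws_ssm",
    "ansible_aws_ssm_profile": "ssm-connectivity-poc",
    "ansible_aws_ssm_region": "eu-west-1",
    "ansible_remote_tmp": "/tmp/.ansible/tmp",
    "ansible_aws_ssm_bucket_name": "example-ssm-transfer-bucket",
}
REQUIRED_VARS = ("ansible_aws_ssm_profile", "ansible_aws_ssm_region",
                "ansible_remote_tmp", "ansible_aws_ssm_bucket_name")
STS_KEYS = ("aws_access_key_id", "aws_secret_access_key", "aws_session_token")

def preflight(host_vars, config_text, credentials_text):
    """Return a list of problems; an empty list means the host is ready."""
    config, creds = configparser.ConfigParser(), configparser.ConfigParser()
    config.read_string(config_text)
    creds.read_string(credentials_text)
    problems = []
    if host_vars.get("ansible_connection") != "aws_ssm":
        problems.append("ansible_connection is not aws_ssm")
    problems += [f"missing {v}" for v in REQUIRED_VARS if not host_vars.get(v)]
    section = f"profile {host_vars.get('ansible_aws_ssm_profile')}"
    if not config.has_section(section):
        return problems + [f"{section} not in config"]
    if not config.has_option(section, "role_arn"):
        problems.append(f"{section} has no role_arn")
    source = config.get(section, "source_profile", fallback=None)
    if not source or not creds.has_section(source):
        return problems + [f"source_profile {source!r} has no credentials"]
    # Role credentials come from STS: all three keys must be present.
    problems += [f"{source} lacks {k}" for k in STS_KEYS
                 if not creds.get(source, k, fallback=None)]
    return problems
```

A non-empty result is the place to fail the job early with a readable message instead of letting the SSM plugin time out on expired or missing credentials.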