As a proof of concept, I did some work for a client to build a custom credential lookup plugin that allows you to use AWS IAM Role Assumption when automating AWS targets. The Credential Lookup uses either the default execution environment AWS creds, or provided creds, then uses the AWS AssumeRole API to assume another AWS IAM Role, then returns the temporarily assumed credentials for use in the actual execution job.
Effectively, this means you don’t have to store long-lived credentials for an AWS account with wide-ranging permissions over a large AWS estate.
Is there any interest in me tidying this up and contributing it to the AWX project?