cloudformation module support for AWS Security Token

[Originally posted in Ansible Project, but more appropriate for this list]

We have been using the cloudformation module for quite some time, and now need to use it with STS temporary credentials, but the cloudformation module (among others) does not appear to support the AWS Security Token.

Are you open to a pull request to extend get_ec2_creds() in module_utils/ec2.py to include the security token, and to update all consuming modules, including cloudformation, to receive aws_security_token if it is set? If there’s a better way of approaching getting support for Roles / STS in place within the Ansible cloud modules (and cloudformation in particular, our immediate need) please let us know. Thanks!!

Best,

Mick Bass
47Lining

Pull request is here: https://github.com/ansible/ansible/pull/9163

This is working for us in the cloudformation module. I went ahead and extended the fix to all the other cloud modules as well.

Please let us know your feedback. It would be great to see this in the next release.

Best,

Mick

Hi Mick,

I’ve responded on your PR, but will also mention it here - the PR looks great, with only one minor change to the documentation required. However, since we’re going to be splitting the modules up into a separate repo in the very near future, this will require the PR to be split since there are changes to both the core/common code and the modules themselves. So I’ve closed the PR for now, so that this can be reworked after the splitting of the modules is complete.

If you have any further questions about the PR, or the module split, just let us know.

Thanks!

In addition to James’ feedback about the modules split, the cloudformation module should use the get_aws_connection_info method rather than ec2_connect (as it’s not an ec2 module) - the method does set security_token.

Moving cloudformation to use get_aws_connection_info would definitely be an improvement.

See e.g. ec2_asg.py for an example of how to implement this without having to rewrite everything that depends on ec2_connect
https://github.com/ansible/ansible-modules-core/blob/devel/cloud/ec2_asg.py#L587-L593

Will
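As an added illustration of the point Will makes (not code from the thread or from Ansible itself), here is a hypothetical stand-alone resolver in the style of get_aws_connection_info: one shared routine that looks up the access key, secret key and security token from module parameters first and environment variables second, in the same order for every key, and only attaches security_token to the boto connection arguments when one was supplied. The parameter and environment variable names are assumptions; the sample environment is constructed and contains placeholder values.

```python
import os

# Constructed sample: the environment a playbook might see after assuming a
# role with STS. Placeholder values, not real credentials.
SAMPLE_ENV = {
    "AWS_ACCESS_KEY_ID": "EXAMPLEKEYID",
    "AWS_SECRET_ACCESS_KEY": "examplesecret",
    "AWS_SECURITY_TOKEN": "exampletoken",
}

# Assumed module parameter names and, per parameter, the environment
# variables consulted in order when the parameter is not set.
PARAM_KEYS = ("aws_access_key", "aws_secret_key", "security_token")
ENV_KEYS = {
    "aws_access_key": ("AWS_ACCESS_KEY_ID", "EC2_ACCESS_KEY"),
    "aws_secret_key": ("AWS_SECRET_ACCESS_KEY", "EC2_SECRET_KEY"),
    "security_token": ("AWS_SECURITY_TOKEN", "AWS_SESSION_TOKEN"),
}


def resolve_aws_credentials(params, env=None):
    """Return boto connection kwargs from module params and environment.

    Module parameters take precedence over environment variables, and every
    key is resolved through the same source order so all modules behave
    consistently. Raises ValueError for a half-specified static key pair or
    a token supplied without the key pair it belongs to.
    """
    env = os.environ if env is None else env
    resolved = {}
    for key in PARAM_KEYS:
        value = params.get(key)
        if not value:
            value = next((env[n] for n in ENV_KEYS[key] if env.get(n)), None)
        resolved[key] = value
    if bool(resolved["aws_access_key"]) != bool(resolved["aws_secret_key"]):
        raise ValueError("access key and secret key must be supplied together")
    if resolved["security_token"] and not resolved["aws_access_key"]:
        raise ValueError("security token supplied without an access key pair")
    boto_params = {
        "aws_access_key_id": resolved["aws_access_key"],
        "aws_secret_access_key": resolved["aws_secret_key"],
    }
    # STS temporary credentials are only accepted when the token travels
    # with the key pair; static keys carry no token at all.
    if resolved["security_token"]:
        boto_params["security_token"] = resolved["security_token"]
    return boto_params


if __name__ == "__main__":
    print(resolve_aws_credentials({}, SAMPLE_ENV))
```

The returned dict is what a module would pass straight through as keyword arguments when opening its boto connection, so a module converted to this routine gains token support without touching its connection code.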

James and Will,

Thanks for the feedback on the PR and sorry that it’s been a few weeks. We are happy to take on changes to the docs and to the split into two PRs based on the split of modules from core, as described by James. I’ll also look more closely at get_aws_connection_info as suggested by Will.

James - do you have any steer on the likely timeframe for the split, and when I should return to this (maybe it’s ready to go now?)

I’d love to get the PR into mainline; don’t like to be maintaining our own fork.

LMK, thanks!!

Mick

OK, I see the ansible-modules-core repo, will fork that and submit the two revised PRs…

James and Will,

Thanks again for the feedback on this front. I have completed the two revised PRs:

Core Modules: https://github.com/ansible/ansible-modules-core/pull/566

Ansible: https://github.com/ansible/ansible/pull/9889

Things are largely the same as the prior PR, just separated into distinct chunks based on your recent refactor into submodules. I did notice that the naming and ordering of sources for security credentials were somewhat inconsistent across modules, so I tried to clean that up.

If these PRs are accepted and applied as well to the v2 refactoring, I believe that get_ec2_creds() could be deprecated as we’re using get_aws_connection_info() everywhere.

Please let me know if you have any questions or have further suggestions.

Best,

Mick Bass
47Lining