How to manage AWS resources by Ansible Without Access Keys and Secret Access Keys

Hi All,

How can we manage AWS resources with Ansible without Access Keys and Secret Access Keys?
There is a requirement to use an Ansible server to manage AWS, but it should not use access and secret keys, because of the security policy in the project.
We have to use only IAM role based access for this.
Which IAM role can be used? What policies need to be attached to the role?

Please give some suggestions.

Thank you in advance.

Regards,
Saravanan S

It sounds as if you need to run ansible on an AWS instance, and create an instance policy for the instance. Read up on instance policies in the AWS doco.

The simplest instance policy is just a role that gives the instance AdministratorAccess, but depending on what you are planning to use Ansible to do, that may be overkill. You should avoid giving an instance too much power, just as you should avoid giving a user too much power.

The big advantage of using an instance policy is that software on the instance - like Ansible - can do anything the instance is allowed to do, without having to worry about IAM users, access keys or secrets of any kind (although you will need to be able to log into the instance to do stuff).

The other thing you can do is attach a limited instance policy first, and change it later - any change to the role will be effective almost immediately.

Regards, K.

Thanks for your reply.

I will create a role with a limited policy and check it.

Even if we assign roles, how do we write playbooks without access and secret access keys, keys in a variable file, exported ACCESS_KEYS, etc.?

For the example below, without the key variables, how will Ansible communicate with the AWS API?

  - name: create ec2 instance
    ec2:
      aws_access_key: "xxxxxxxxxxxx" <----- without this line
      aws_secret_key: "xxxxxxxxxxxx" <----- without this line
      image: ami-abcdefghi
      wait: yes
      instance_type: t2.micro
      group_id: security_group.group_id
      region: us-east-2
      count_tag:
        Name: webserver
      exact_count: 1
    register: ec2

Regards,
Saravanan S

Those two options are mandatory for the module to work; you cannot just skip them.
AWS provides you with temporary credentials that give access to the IAM policy the machine is assigned.
You should be able to retrieve those from the instance's metadata:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials

When you have set up some (initially restricted, as Karl said) policy, I suggest using the ec2_metadata_facts module to find the temporary credentials:

https://docs.ansible.com/ansible/2.4/ec2_metadata_facts_module.html

Then simply refer to the appropriate keys in your ec2 task.

Dick

If the tasks are being carried out on the Ansible server, then you just leave out the access keys and so on. If the tasks are being carried out on other hosts, then those hosts are the ones that will need AWS access, either via an instance policy or via access keys etc. And Ansible will need suitable credentials to access the hosts it is running the tasks on.

Regards, K.

I have used the ec2 module a LOT on a build host with an instance policy and have never had to include those two items. I simply omit them. The module still works fine.

So I think you CAN “just skip them”… as long as you have an appropriate instance policy. And (obviously) as long as Ansible is executing the module on the system with the instance policy!

Regards, K.
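As an added example (not from any of the posts above), here is what the original task looks like when it relies purely on the instance role, together with a pre-check that stops the play early if it is run on a host that has no instance profile. It assumes the Ansible server is itself an EC2 instance with an instance profile attached; the AMI id and security group id are placeholders, and the fact name comes from the ec2_metadata_facts return values.

```yaml
# Added example: run the ec2 module with no aws_access_key / aws_secret_key.
# The module's boto client falls back to the credentials served by the
# instance metadata service, so the play must execute on the EC2 instance
# that carries the instance profile (here: the Ansible server itself).
# Placeholder values: the AMI id and the security group id.
- name: Create a web server using only the instance role
  hosts: localhost          # the Ansible server, where the role lives
  connection: local
  gather_facts: false
  tasks:
    - name: Read the instance metadata (no keys needed for this either)
      ec2_metadata_facts:

    - name: Refuse to continue if this host has no instance profile
      # Running from a host without a role otherwise fails later with an
      # unhelpful authentication error from the ec2 module.
      assert:
        that:
          - ansible_ec2_iam_info_instanceprofilearn is defined
        msg: "No IAM instance profile attached; attach one instead of using access keys."

    - name: Create the ec2 instance (no aws_access_key / aws_secret_key)
      # The role behind the instance profile needs at least ec2:RunInstances,
      # ec2:DescribeInstances and ec2:CreateTags for exact_count/count_tag
      # to work; that is far narrower than AdministratorAccess.
      ec2:
        image: ami-0123456789abcdef0        # placeholder AMI id
        instance_type: t2.micro
        group_id: sg-0123456789abcdef0      # placeholder security group id
        region: us-east-2
        wait: yes
        exact_count: 1
        count_tag:
          Name: webserver
        instance_tags:
          Name: webserver
      register: ec2

    - name: Show what was created
      debug:
        var: ec2.instances
```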

Thank you Karl and Dick.