Multiple AWS accounts and STS assume_role support

Hi,
Not sure if this question belongs here or on the ansible_development list, but let me start here.

Do Ansible AWS modules support STS.assume_role to obtain temporary credentials and use them to sign API requests for multiple accounts?

Use case:

  • pre-condition: multiple AWS accounts have a role with trust relationship with instance hosting Ansible
  • Invoke ec2, ec2_ami, rds, s3 or any other AWS cloud Ansible module targeting resources in multiple AWS accounts (using temporary credentials obtained from STS assume_role for each account)

For example, snapshot all the volumes for all the instances tagged with ‘prod’ in all of my AWS accounts (using trust relationships and not using a bunch of AWS credentials laying around file system)

with straight boto this would look something like this:

import boto

# accounts: list of 12-digit AWS account ids that trust the instance role
stsConn = boto.connect_sts()

for account in accounts:
    # one AssumeRole call per account; returns a temporary key pair plus session token
    role = stsConn.assume_role('arn:aws:iam::%s:role/MyRole' % account, 'mySession')

    # the session token has to be passed with the key pair or the request is rejected
    ec2conn = boto.connect_ec2(aws_access_key_id=role.credentials.access_key,
                               aws_secret_access_key=role.credentials.secret_key,
                               security_token=role.credentials.session_token)
    # ec2conn.do_something()

    s3conn = boto.connect_s3(aws_access_key_id=role.credentials.access_key,
                             aws_secret_access_key=role.credentials.secret_key,
                             security_token=role.credentials.session_token)
    # s3conn.do_something()

etc for other AWS resources

Basically, is it possible to insert “assume_role” before a module calls “connect”, and do it for multiple accounts?

Thanks in advance,
-Boris

Here is my “solution” at the moment. Hoping to find something more elegant…

tasks:
  - shell: aws sts assume-role --role-arn "arn:aws:iam::XXXXXXXXXXXX:role/myRole" --role-session-name mySession
    register: role    # note: the registered stdout contains the temporary credentials

  - set_fact:
      accessKeyId: "{{ (role.stdout | from_json).Credentials.AccessKeyId }}"
      secretAccessKey: "{{ (role.stdout | from_json).Credentials.SecretAccessKey }}"
      sessionToken: "{{ (role.stdout | from_json).Credentials.SessionToken }}"

  - ec2_tag: resource=i-XXXXXXXX region=us-west-1 state=present
    args:
      aws_access_key: "{{ accessKeyId }}"
      aws_secret_key: "{{ secretAccessKey }}"
      security_token: "{{ sessionToken }}"
      tags:
        Name: myInstanceName

Thoughts? Would it make sense to have a module doing this?

-Boris
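The loop Boris sketches in boto (one AssumeRole per account, then a connection built from the temporary key pair plus session token) and the JSON his shell task parses with from_json are the same procedure; the block below is an added example for this thread, not code from the posts or from Ansible. It assumes an STS client with boto3's assume_role(RoleArn=, RoleSessionName=, DurationSeconds=) signature, which returns the same shape as `aws sts assume-role` output. FakeSTS, the account ids and the clock are constructed so it runs offline; the role name MyRole and session name mySession are taken from the first post. It goes slightly beyond the thread by caching credentials per account and re-assuming the role before the one-hour credentials expire, which a long playbook run across many accounts will hit.

```python
"""Per-account STS assume_role with cached, refreshed temporary credentials.

Added example for this thread (not code from the posts or from Ansible). It
assumes an STS client with boto3's assume_role(RoleArn=, RoleSessionName=,
DurationSeconds=) signature, which returns the same JSON shape as
`aws sts assume-role` ({"Credentials": {AccessKeyId, SecretAccessKey,
SessionToken, Expiration}}). FakeSTS below is a constructed stand-in so the
example runs offline; replace it with boto3.client("sts") for real use.
"""
import json
from datetime import datetime, timedelta, timezone

REFRESH_MARGIN = timedelta(minutes=5)  # re-assume before the 1h credentials lapse


def role_arn(account, role):
    """Account ids are 12-digit strings; keep them as strings so leading zeros survive."""
    if not (account.isdigit() and len(account) == 12):
        raise ValueError("bad AWS account id %r" % (account,))
    return "arn:aws:iam::%s:role/%s" % (account, role)


def to_connect_kwargs(creds):
    """STS 'Credentials' block -> kwargs for a client. All three must travel together:
    a temporary key pair without its session token is rejected by every service."""
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],  # boto2 calls this security_token
    }


def credentials_from_cli_json(text):
    """Parse `aws sts assume-role` stdout (what the playbook's from_json filter sees)."""
    creds = json.loads(text)["Credentials"]
    creds["Expiration"] = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    return creds


class CredentialCache:
    """One assumed-role credential set per account, re-assumed when near expiry."""

    def __init__(self, sts, role, session_name, now=None):
        self.sts, self.role, self.session_name = sts, role, session_name
        self.now = now or (lambda: datetime.now(timezone.utc))
        self._creds = {}

    def credentials_for(self, account):
        creds = self._creds.get(account)
        if creds is None or creds["Expiration"] - self.now() < REFRESH_MARGIN:
            resp = self.sts.assume_role(RoleArn=role_arn(account, self.role),
                                        RoleSessionName=self.session_name,
                                        DurationSeconds=3600)
            creds = self._creds[account] = resp["Credentials"]
        return to_connect_kwargs(creds)

    def connect_kwargs_for_all(self, accounts):
        """Account id -> connect kwargs, i.e. the per-account loop from the boto sketch."""
        return {account: self.credentials_for(account) for account in accounts}


class FakeSTS:
    """Constructed stand-in for boto3.client('sts'); same response shape, no network."""

    def __init__(self, clock, trusted_accounts):
        self.clock, self.trusted, self.calls = clock, set(trusted_accounts), []

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds=3600):
        account = RoleArn.split(":")[4]
        self.calls.append(RoleArn)
        if account not in self.trusted:
            # real STS answers AccessDenied when the role's trust policy omits the caller
            raise PermissionError("AccessDenied: cannot assume %s" % RoleArn)
        return {"Credentials": {
            "AccessKeyId": "ASIA" + account[:8],
            "SecretAccessKey": "secret-" + account,
            "SessionToken": "token-%s-%d" % (account, len(self.calls)),
            "Expiration": self.clock() + timedelta(seconds=DurationSeconds),
        }}


if __name__ == "__main__":
    clock = {"t": datetime(2015, 6, 1, 12, 0, tzinfo=timezone.utc)}
    cache = CredentialCache(FakeSTS(lambda: clock["t"], ["111111111111"]),
                            "MyRole", "mySession", now=lambda: clock["t"])
    print(cache.connect_kwargs_for_all(["111111111111"]))
```

Two practical notes that follow from the thread: whichever client library is used, the session token must be passed alongside the key pair (boto2 calls the argument security_token, boto3 aws_session_token), and the role session name is what CloudTrail records in the target account, so a per-host or per-run value is more useful for forensics than a constant like mySession.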

Has somebody solved this?
Is the proposed solution given by Boris the only way to do that?

Thanks in advance.

Hi,

I have a pull request for ec2.py to support multiple AWS accounts via STS.

https://github.com/ansible/ansible/pull/11321

I have a readme with the steps to setup with STS.

https://github.com/linuxbsdfreak/ansible-ec2-sts

Regards,
Kevin