Is it possible to pass AWS credentials from Ansible Vault directly to the AWS Dynamic Inventory config file (*.aws_ec2.yml), without having to reference them in the playbook or decrypt on the go and export as environment variables?
Yes, you can use templating for the credential parameters.
There’s a (sort of) example in the integration tests.
This looks a little strange in the test because, due to the way the tests are run, that test file is also a template (yeah, this gets a little inception-esque). It eventually looks something like:
plugin: amazon.aws.aws_ec2
access_key: '{{ lookup("env", "MY_ACCESS_KEY") }}'
secret_key: my_aws_secret_key
session_token: my_security_token
regions:
  - '{{ lookup("ansible.builtin.ini", "region", section="ansible-test", file="config.ini") }}'
filters:
  tag:Name:
    - my_resource_prefix
hostnames:
  - tag:Name
  - dns-name
While this example uses the “ansible.builtin.ini” and “env” lookups, you can also use a vault lookup.
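The same idea with a vault lookup, as an added example that is not part of the original answer: the ansible.builtin.unvault lookup returns the decrypted contents of a vault-encrypted file at template time, so the plaintext key never appears in the inventory config, the playbook, or the environment. The file name, the secrets/ paths, the region and the tag filter are assumptions, and the vault password has to be available to the inventory run (e.g. --vault-password-file or ANSIBLE_VAULT_PASSWORD_FILE).

```yaml
# prod.aws_ec2.yml (added example; file name, paths and filters are assumptions)
plugin: amazon.aws.aws_ec2

# Each credential is a one-line file encrypted with `ansible-vault encrypt`
# (assumed paths). unvault decrypts it using the vault secrets loaded by the
# CLI; `trim` drops the trailing newline so the key is passed to boto3 intact.
access_key: "{{ lookup('ansible.builtin.unvault', 'secrets/aws_access_key.vault') | trim }}"
secret_key: "{{ lookup('ansible.builtin.unvault', 'secrets/aws_secret_key.vault') | trim }}"

regions:
  - eu-west-1

# Only hosts carrying the tag are returned (assumed tag/value).
filters:
  tag:Environment:
    - production

hostnames:
  - tag:Name
  - dns-name
```

Check it with `ansible-inventory -i prod.aws_ec2.yml --vault-password-file ~/.vault_pass --list`; without the vault password the lookup fails and the inventory source is skipped rather than silently using wrong credentials.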