Vaulted credentials with AWS Dynamic Inventory?

Is it possible to pass AWS credentials from Ansible Vault directly to the AWS Dynamic Inventory config file (*.aws_ec2.yml), without having to reference them in the playbook or decrypt on the go and export as environment variables?

Yes, you can use templating for the credential parameters.

There’s a (sort of) example in the integration tests.

This looks a little strange in the test because, due to the way the tests are run, that test file is also a template (yeah, this gets a little inception-esque). It eventually looks something like:

plugin: amazon.aws.aws_ec2
access_key: '{{ lookup("env", "MY_ACCESS_KEY") }}'
secret_key: my_aws_secret_key
session_token: my_security_token

regions:
- '{{ lookup("ansible.builtin.ini", "region", section="ansible-test", file="config.ini") }}'
filters:
  tag:Name:
  - my_resource_prefix
hostnames:
- tag:Name
- dns-name

While this example uses the “ansible.builtin.ini” and “env” lookups, you can also use a vault lookup.

2 Likes
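The vault-lookup variant the reply mentions, as an added example that is not from the thread: the access key and secret key are read from two vault-encrypted files with the ansible.builtin.unvault lookup, so the plaintext never appears in the inventory file, the playbook, or the environment. The secrets/ file paths are assumed names; create each file with "ansible-vault encrypt secrets/aws_access_key.vault" (and likewise for the secret key) before use.

```yaml
# my_account.aws_ec2.yml (file name assumed; must end in aws_ec2.yml)
plugin: amazon.aws.aws_ec2

# Each vault file holds only the raw key on a single line. "unvault" returns the
# decrypted file content as a string; "trim" drops the trailing newline so the
# value is not rejected by the AWS signer.
access_key: '{{ lookup("ansible.builtin.unvault", "secrets/aws_access_key.vault") | trim }}'
secret_key: '{{ lookup("ansible.builtin.unvault", "secrets/aws_secret_key.vault") | trim }}'

regions:
  - eu-west-1

# Only build inventory from running instances carrying the expected tag.
filters:
  instance-state-name: running
  tag:Environment: production

hostnames:
  - tag:Name
  - dns-name
```

Because the lookups run inside the inventory plugin, the vault password has to be available to that process too, e.g. "ansible-inventory -i my_account.aws_ec2.yml --vault-id @prompt --graph"; without it the lookup fails and the inventory stays empty rather than silently falling back to an unauthenticated call.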