What are the pre-requisites to be fulfilled to execute AWS-CLI commands from Ansible playbook?

Hello,

I have a requirement of executing AWS-CLI(s) through an Ansible playbook to fetch the AWS Health data. I want to understand what prerequisites and authentication process need to be fulfilled to successfully execute aws-cli from Ansible?

Could anyone please help.

Ansible isn’t doing anything special here; the requirements are set by aws-cli.

See aws-cli docs about that.

If you choose to use environment variables for authentication, then you can set them for a play or task as well, like so:

- hosts: localhost
  # Global for all tasks
  environment:
    AWS_ACCESS_KEY_ID: "{{ aws_access_key_id }}"
    AWS_SECRET_ACCESS_KEY: "{{ aws_secret_access_key }}"
  tasks:
    - name: Execute aws cli
      ansible.builtin.command:
        cmd: aws ...
      # Or separately for each task
      environment:
        AWS_ACCESS_KEY_ID: "{{ aws_access_key_id }}"
        AWS_SECRET_ACCESS_KEY: "{{ aws_secret_access_key }}"

But what exactly do you need to do?

Generally it’s not good practice to use the command/shell modules when it can be avoided, and there may be an existing plugin in the amazon.aws or community.aws collections that suits your needs.

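The pattern from the answer above carried through to a complete play, as an added example that is not part of the original thread. It assumes aws-cli v2 is installed on the host the play runs on, that the variables aws_access_key_id and aws_secret_access_key (the same names used in the post) are supplied from a vaulted vars file, and that the AWS Health filter values shown are the ones the account is interested in; everything else uses only built-in Ansible modules and documented AWS CLI arguments.

```yaml
# Added example (not from the thread): fetch open/upcoming scheduled changes
# from AWS Health with the AWS CLI run through Ansible.
# Assumes: aws-cli v2 on the target host; aws_access_key_id and
# aws_secret_access_key defined elsewhere (e.g. an Ansible Vault vars file).
- name: Fetch AWS Health scheduled changes via the AWS CLI
  hosts: localhost
  gather_facts: false
  vars:
    # AWS Health is a global service whose API endpoint is served from us-east-1.
    aws_region: us-east-1
  environment:
    AWS_ACCESS_KEY_ID: "{{ aws_access_key_id }}"
    AWS_SECRET_ACCESS_KEY: "{{ aws_secret_access_key }}"
    AWS_DEFAULT_REGION: "{{ aws_region }}"
    AWS_PAGER: ""           # disable the CLI's interactive pager for non-TTY runs
  tasks:
    - name: Verify the AWS CLI is installed where the play runs
      ansible.builtin.command:
        cmd: aws --version
      register: aws_version
      changed_when: false   # a version check never changes the host
      # A missing binary fails the play early with a readable message
      failed_when: aws_version.rc != 0

    - name: Query AWS Health for open and upcoming scheduled changes
      ansible.builtin.command:
        # argv avoids shell quoting problems with the JSON filter argument
        argv:
          - aws
          - health
          - describe-events
          - --filter
          - '{"eventTypeCategories": ["scheduledChange"], "eventStatusCodes": ["open", "upcoming"]}'
          - --output
          - json
      register: health_events
      changed_when: false   # read-only query: never report "changed"
      no_log: true          # keep credentials and raw output out of -vvv logs

    - name: Parse the CLI's JSON output into a list of events
      ansible.builtin.set_fact:
        scheduled_events: "{{ (health_events.stdout | from_json).events }}"

    - name: Show a compact, credential-free summary of each event
      ansible.builtin.debug:
        msg: >-
          {{ item.service }} / {{ item.eventTypeCode }}
          in {{ item.region | default('global') }}
          starts {{ item.startTime | default('n/a') }}
      loop: "{{ scheduled_events }}"
      loop_control:
        label: "{{ item.arn }}"
```

Two details worth keeping: `no_log: true` on the task that carries the credentials, so a verbose run does not write them to the console or a log aggregator, and `changed_when: false` on the read-only queries, so the play reports idempotently. If the credentials are temporary STS credentials, add `AWS_SESSION_TOKEN` to the same `environment` block. The AWS Health API is only available to accounts with a Business or Enterprise Support plan; without one the `describe-events` call returns a SubscriptionRequiredException.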

Hi @kristianheljas

Thanks for your prompt response! Basically, I am trying to fetch the scheduled maintenance data from AWS Health, and for this there is no AWS Ansible module available. So, I am planning to use the AWS CLI through an Ansible playbook.

So, you are saying that to execute AWS-CLI from Ansible, just the account [which is used to execute AWS CLI] needs an “Access Key ID” and “Secret Access Key” generated from the AWS portal. Is my understanding correct?


That’s not the only option, but yes you are correct.

It’s good to create a separate IAM user with limited privileges though.
In case these credentials leak, they can only access the monitoring data that way.

In case your Ansible target is an EC2 instance, you could also use instance profile credentials, which would be picked up by aws cli automatically.

But that’s all out of scope for Ansible; it’s specific to aws cli.
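The "separate IAM user with limited privileges" suggested above, expressed as a play using the amazon.aws collection the earlier answer pointed at. This is an added example, not code from the thread or from the collection's own documentation; it assumes the amazon.aws collection is installed, that the play itself runs with credentials permitted to manage IAM, and that the user name ansible-health-reader and policy name HealthReadOnly are placeholders you would rename.

```yaml
# Added example (not from the thread): a dedicated IAM user that can only read
# AWS Health data, so a leaked access key exposes nothing else in the account.
# Assumes: amazon.aws collection installed; the play runs with IAM admin rights.
- name: Create a least-privilege IAM user for AWS Health monitoring
  hosts: localhost
  gather_facts: false
  vars:
    health_reader_name: ansible-health-reader   # constructed placeholder name
    # Only the read-only Health actions. AWS Health actions are not scoped to
    # account-owned resources, so Resource must be "*".
    health_readonly_policy:
      Version: "2012-10-17"
      Statement:
        - Sid: ReadAwsHealthEvents
          Effect: Allow
          Action:
            - health:DescribeEvents
            - health:DescribeEventDetails
            - health:DescribeAffectedEntities
          Resource: "*"
  tasks:
    - name: Ensure the monitoring user exists
      amazon.aws.iam_user:
        name: "{{ health_reader_name }}"
        state: present

    - name: Attach the read-only inline policy to the user
      amazon.aws.iam_policy:
        iam_type: user
        iam_name: "{{ health_reader_name }}"
        policy_name: HealthReadOnly
        policy_json: "{{ health_readonly_policy | to_json }}"
        state: present
```

Generate the access key for this user afterwards (in the console, as the thread describes) and store it in Ansible Vault rather than in the playbook. Because the policy grants only `health:Describe*` actions, the key cannot be used to enumerate or change any other service even if it is exposed in a log or a repository.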

Hi @kristianheljas,

Apart from this IAM user creation and assigning roles, I hope we need to install aws-cli on the server where we run the playbook; if we run the playbook on localhost, that is the controller, then aws-cli is to be installed on the controller itself. Correct me if I am wrong.

Also, is there any other prerequisite for a proper connection from Ansible to AWS, like port opening and others?

That’s correct. If you target localhost, then you’d need aws-cli on the local machine (controller node). If you plan to run Ansible locally targeting a remote machine, then you’d need aws-cli on the remote machine.

That depends on how you plan to run Ansible. If you run Ansible locally on your machine along with aws-cli, you don’t need to open any port. AWS APIs are publicly accessible.

If you intend to run Ansible in an AWS instance or target the AWS instance, then yes, you’d need to ensure SSH connection availability to the instance.

Thanks a lot for the inputs @kristianheljas. I will reach out here in case of any further concerns while setting up and executing.