I’m looking for any suggestions on how to work around the following issue:
I am trying to use a lookup plugin but it is ignoring my environment variables.
The lookup plugin I am trying to use is credstash and the environment variables are being set because I am using AWS STS to assume a role.
It looks a little like this:
```yaml
---
- name: Get STS token
  hosts: "{{ hosts }}"
  connection: local
  tasks:
    - name: Assume role for passed account
      sts_assume_role:
        region: "{{ aws_region }}"
        role_arn: "arn:aws:iam::{{ aws_account_id }}:role/ansible-is_assumed"
        role_session_name: ansible_assumed_role
      register: assumed_role
      when: use_sts
    - name: Set environment with AWS creds when available
      set_fact:
        my_environment:
          AWS_ACCESS_KEY_ID: "{{ assumed_role.sts_creds.access_key }}"
          AWS_SECRET_ACCESS_KEY: "{{ assumed_role.sts_creds.secret_key }}"
          AWS_SECURITY_TOKEN: "{{ assumed_role.sts_creds.session_token }}"
      when: assumed_role.skipped is not defined
    - name: Set environment blank when no AWS creds
      set_fact:
        my_environment: {}
      when: assumed_role.skipped is defined
- name: Deploy infrastructure role
  hosts: "{{ hosts }}"
  connection: local
  roles:
    - "{{ role_to_deploy }}"
  environment: "{{ my_environment }}"
```
Now in the role_to_deploy I have lots of tasks that work brilliantly, calling out to AWS using the STS credentials supplied as intended.
Unfortunately, any lookup plugins do not work properly because they do not use the environment variables I have set. They end up calling out to AWS using the default credentials rather than being overridden by the STS creds.
I don't think this is a bug, but it is nevertheless annoying.
I'm hoping maybe one of the core team can think of a way I can get the lookup plugin to 'see' the STS environment variables I have set.
The problem is that it is ansible-playbook itself that goes off to get the STS creds using the sts_assume_role module, so until I run the play, I don't have the creds.
I guess I could invoke a playbook from within another playbook
However, it doesn't work because environment is evaluated before everything else, so my pre-task has not been run yet and the credentials (the assumed_role variable) don't exist.
Not sure how to pass the credentials as environment in this case?
I recommend switching to tasks only in your playbook instead of using the pre_tasks and roles keywords.
This should solve your problem and in my opinion it also looks more consistent:
Thanks Racke,
Sure, so in this case environment is assigned at the tasks level and should therefore not fail, because it is not loaded before runtime.
In the case where I have multiple roles, I have to repeat the task as many times as I need a role, so lots of duplicate environment then.
Can we pass a list of roles in import_role or include_role? I couldn't make this work with "loop".
cheers
Hello Nico,
Loop is the wrong approach. But you can certainly set up a variable with your desired environment:
Thank you for the proposition. I've been trying for days to put this in every direction I could, but unfortunately 'environment' was never passed to 'import_role'.
I am not sure how to investigate the import_role module and why environment is not supported; it seems impossible to reuse sts_creds then.
Any idea is welcome,
but the module doesn't care and bails with:
ClientError: An error occurred (AccessDenied) when calling the DescribeDBInstances operation: User: arn:aws:iam:::user/myuser is not authorized to perform: rds:DescribeDBInstances on resource
I am losing hope in ansible
What is the point of having a global environment if each and every AWS module requires a set of local credentials?
Please help me understand the logic here,
cheers
Same problem: assumed_role is not defined yet, so Ansible fails with an undefined variable. Although I couldn't get the syntax you provided to work for the ars var, is that the right syntax?
I got :
An unhandled exception occurred while templating '{{assumed_role|default({}).sts_creds|default({})}}'. Error was a <class 'ansible.errors.AnsibleError'>, original message: template error while templating string: expected token 'end of print statement', got '.'. String: {{assumed_role|default({}).sts_creds|default({})}}"
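Pulling together Racke's suggestion of a tasks-only play (so that `environment` is templated at run time rather than when the play is parsed), the original lookup-plugin problem, and the templating error in the last post, here is an added example playbook. It is not code from any post in this thread. It reuses the variable names of the original playbook (`hosts`, `aws_region`, `aws_account_id`, `use_sts`, `role_to_deploy`); the credstash table and key names are placeholders, and both the `aws_*` parameters of the credstash lookup and the inheritance of `environment` by the tasks of an `include_role` are assumptions about the installed Ansible version that should be checked against its documentation.

```yaml
---
# Added example, not from the thread. One tasks-only play: the role is assumed
# first, the environment dict is built from the result, and include_role (a
# run-time include) receives that dict, so nothing is templated before the
# credentials exist. Variable names follow the original playbook; the credstash
# table and key are placeholders.
- name: Assume role, then deploy with the temporary credentials
  hosts: "{{ hosts }}"
  connection: local
  gather_facts: false
  tasks:
    - name: Assume role for passed account
      sts_assume_role:
        region: "{{ aws_region }}"
        role_arn: "arn:aws:iam::{{ aws_account_id }}:role/ansible-is_assumed"
        role_session_name: ansible_assumed_role
      register: assumed_role
      when: use_sts | default(false) | bool

    # The first default() must be parenthesised: "assumed_role|default({}).sts_creds"
    # is read by Jinja as a filter followed by an attribute access and is rejected
    # with "expected token 'end of print statement', got '.'".
    - name: Extract the temporary credentials (empty dict when the role was not assumed)
      set_fact:
        sts_creds: "{{ (assumed_role | default({})).sts_creds | default({}) }}"

    - name: Set environment with AWS creds when available
      set_fact:
        my_environment:
          AWS_ACCESS_KEY_ID: "{{ sts_creds.access_key }}"
          AWS_SECRET_ACCESS_KEY: "{{ sts_creds.secret_key }}"
          # boto3 reads AWS_SESSION_TOKEN, legacy boto reads AWS_SECURITY_TOKEN;
          # setting both covers modules built on either library.
          AWS_SESSION_TOKEN: "{{ sts_creds.session_token }}"
          AWS_SECURITY_TOKEN: "{{ sts_creds.session_token }}"
      when: sts_creds | length > 0

    - name: Set environment blank when no AWS creds
      set_fact:
        my_environment: {}
      when: sts_creds | length == 0

    # include_role is evaluated at run time, so my_environment is defined here.
    # Assumption: the environment keyword on this task is applied to the role's
    # tasks, which is how recent Ansible versions treat include_role keywords.
    - name: Deploy infrastructure role
      include_role:
        name: "{{ role_to_deploy }}"
      environment: "{{ my_environment }}"

    # Lookup plugins run inside the ansible-playbook process on the controller,
    # not in the task's "environment:", which is why they fall back to the
    # default credentials. Pass the temporary credentials to the lookup directly.
    # Assumption: the credstash lookup in the installed version accepts the
    # aws_access_key_id / aws_secret_access_key / aws_session_token parameters.
    - name: Read a secret with the assumed-role credentials
      set_fact:
        db_password: >-
          {{ lookup('credstash', 'example/db_password',
                    region=aws_region,
                    table='credential-store',
                    aws_access_key_id=sts_creds.access_key,
                    aws_secret_access_key=sts_creds.secret_key,
                    aws_session_token=sts_creds.session_token) }}
      no_log: true
      when: sts_creds | length > 0
```

Deploying several roles then becomes a series of `include_role` tasks that each carry `environment: "{{ my_environment }}"`, or a single `include_role` task with `loop` over a list of role names (`loop` works on `include_role`, not on `import_role`, because imports are resolved when the play is parsed). The `no_log: true` on the lookup task keeps the fetched secret out of the playbook output.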