Lookup with STS #56551

Open
wants to merge 2 commits into
base: devel
from
@@ -100,6 +100,24 @@
debug: msg='key contains {{item.Name}} with value {{item.Value}} '
loop: '{{ query("aws_ssm", "/TEST/test-list", region="ap-southeast-2", bypath=true) }}'
# Example using STS temporary credentials
---
- name: STS AssumeRole
sts_assume_role:
role_arn: 'arn:aws:iam::<acc_id>:role/<role_name>'
role_session_name: "{{ aws_sts_session_name | default('ansible-session') }}"
region: '<region_name>'

s-hertel (Contributor), May 29, 2019:

In case people copy and paste this, either make '<region_name>' a variable or replace the string with a valid one. Below too. But I think creating temporary credentials for plugins/modules should be documented somewhere more central since this isn't specific to this plugin.

Also, since this plugin uses boto3, a nicer way to do this is to use a profile in your config file (usually found at ~/.aws/config) that has a source profile and the role to assume. For example:

# In ~/.aws/credentials (the static keys of the source profile):
[development]
aws_access_key_id=foo
aws_secret_access_key=bar

# In ~/.aws/config (the role to assume, and which profile's keys to assume it with):
[profile crossaccount]
role_arn=arn:aws:iam:...
source_profile=development

and then use "{{ lookup('aws_ssm', 'my-parameter', aws_profile='crossaccount') }}" to assume the role instead of needing this first setup task.

changed_when: false
register: assumed_role
- name: Lookup using STS credentials
debug: msg=" {{ lookup('aws_ssm', 'my-parameter', region='<region_name>', aws_access_key=access_key,
aws_secret_key=secret_key, aws_security_token=session_token )}} "
vars:
access_key: "{{ assumed_role.sts_creds.access_key }}"
secret_key: "{{ assumed_role.sts_creds.secret_key }}"
session_token: "{{ assumed_role.sts_creds.session_token }}"
'''

from ansible.module_utils._text import to_native
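Review bot: the "Lookup using STS credentials" task prints the fetched parameter with `debug: msg=...`, so whatever secret is stored at `my-parameter` lands in the playbook output and logs; the example should either set `no_log: true` on that task or register the value and use it without echoing it. The same applies to the "STS AssumeRole" task, whose registered `assumed_role.sts_creds` holds a live access key, secret key and session token and will be shown in verbose output unless the task carries `no_log: true`. Two smaller points in the same hunk: the `---` placed right after the "# Example using STS temporary credentials" comment starts a second YAML document inside the EXAMPLES string rather than continuing the task list above it, and `'<region_name>'` (used twice) should be a variable or a real region so the example runs when pasted, as already noted in the review thread.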
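To make the profile-based alternative from the review thread concrete, here is an added example in plain Python; it is not code from Ansible, boto3 or the PR author. When the lookup is called with `aws_profile='crossaccount'`, boto3 itself walks `~/.aws/config`: it follows `source_profile` until it reaches a profile with static keys in `~/.aws/credentials`, then calls STS AssumeRole for each `role_arn` on the way back out. The code below reproduces that resolution offline so the chain can be checked before a playbook runs, and it goes beyond the single-hop case in the comment by handling multi-hop chains and rejecting `source_profile` cycles. The two INI texts, the profile names, account IDs, key values and role names are all constructed placeholders.

```python
"""Resolve a boto3/AWS CLI profile chain (role_arn + source_profile) offline.

Added example, not Ansible or boto3 code. Both INI texts below are
constructed samples with placeholder account IDs and keys.
"""
import configparser
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for ~/.aws/credentials (placeholder keys).
SAMPLE_CREDENTIALS = """
[development]
aws_access_key_id = AKIAEXAMPLEDEVELOPMENT
aws_secret_access_key = placeholder-secret-for-development
"""

# Constructed stand-in for ~/.aws/config (placeholder account IDs / roles).
SAMPLE_CONFIG = """
[profile crossaccount]
role_arn = arn:aws:iam::123456789012:role/ParameterReader
source_profile = development
region = ap-southeast-2

[profile two-hop]
role_arn = arn:aws:iam::210987654321:role/SecondHop
source_profile = crossaccount

[profile loop-a]
role_arn = arn:aws:iam::123456789012:role/LoopA
source_profile = loop-b

[profile loop-b]
role_arn = arn:aws:iam::123456789012:role/LoopB
source_profile = loop-a
"""


@dataclass(frozen=True)
class ResolvedProfile:
    name: str
    access_key: str            # static key that starts the chain
    secret_key: str
    roles: Tuple[str, ...]     # AssumeRole hops in the order STS is called
    region: Optional[str]      # region of the requested profile, if set


def _parse(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def _config_section(conf: configparser.ConfigParser, profile: str):
    # Only non-default profiles carry the "profile " prefix in ~/.aws/config.
    name = "default" if profile == "default" else f"profile {profile}"
    return conf[name] if conf.has_section(name) else {}


def _is_role_arn(arn: str) -> bool:
    # Cheap shape check so a typo in role_arn fails here, not at STS.
    return arn.startswith("arn:aws:iam::") and ":role/" in arn


def resolve_profile(profile: str,
                    credentials_text: str = SAMPLE_CREDENTIALS,
                    config_text: str = SAMPLE_CONFIG) -> ResolvedProfile:
    """Follow source_profile links from `profile` down to static keys."""
    creds = _parse(credentials_text)
    conf = _parse(config_text)
    region = _config_section(conf, profile).get("region")
    hops: List[str] = []
    seen = set()
    current = profile
    while True:
        if current in seen:
            raise ValueError(f"source_profile cycle through {current!r}")
        seen.add(current)
        section = _config_section(conf, current)
        if "role_arn" in section:
            arn = section["role_arn"]
            if not _is_role_arn(arn):
                raise ValueError(f"{current!r}: malformed role_arn {arn!r}")
            if "source_profile" not in section:
                raise ValueError(f"{current!r}: role_arn without source_profile")
            hops.append(arn)
            current = section["source_profile"]
            continue
        # Leaf profile: static keys live in the credentials file (or in config).
        keys = creds[current] if creds.has_section(current) else section
        try:
            access_key = keys["aws_access_key_id"]
            secret_key = keys["aws_secret_access_key"]
        except KeyError as exc:
            raise ValueError(f"{current!r} has no static credentials: {exc}") from None
        # Hops were collected outermost first; STS assumes them innermost first.
        return ResolvedProfile(profile, access_key, secret_key,
                               tuple(reversed(hops)), region)


if __name__ == "__main__":
    for name in ("crossaccount", "two-hop", "development"):
        print(name, "->", resolve_profile(name).roles)
```

Only the resolution is done here; the actual AssumeRole calls and the SSM GetParameter request stay inside boto3 when the lookup runs with `aws_profile`, and the temporary credentials never appear in playbook variables or output, which is the practical advantage over the `sts_assume_role` task in the diff.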