Lookup with STS #56551

wants to merge 2 commits into
base: devel


Just for now

@@ -100,6 +100,24 @@
debug: msg='key contains {{item.Name}} with value {{item.Value}} '
loop: '{{ query("aws_ssm", "/TEST/test-list", region="ap-southeast-2", bypath=true) }}'
# Example using STS temporary credentials
- name: STS AssumeRole
role_arn: 'arn:aws:iam::<acc_id>:role/<role_name>'
role_session_name: "{{ aws_sts_session_name | default('ansible-session') }}"
region: '<region_name>'

s-hertel May 29, 2019


In case people copy and paste this, either make '<region_name>' a variable or replace the string with a valid one. Below too. But I think creating temporary credentials for plugins/modules should be documented somewhere more central since this isn't specific to this plugin.

Also, since this plugin uses boto3, a nicer way to do this is to use a profile in your config file (usually found at ~/.aws/config) that has a source profile and the role to assume. For example:

# In ~/.aws/credentials:

# In ~/.aws/config
[profile crossaccount]

and then use "{{ lookup('aws_ssm', 'my-parameter', aws_profile='crossaccount') }}" to assume the role instead of needing this first setup task.

changed_when: false
register: assumed_role
- name: Lookup using STS credentials
debug: msg=" {{ lookup('aws_ssm', 'my-parameter', region='<region_name>', aws_access_key=access_key,
aws_secret_key=secret_key, aws_security_token=session_token )}} "
access_key: "{{ assumed_role.sts_creds.access_key }}"
secret_key: "{{ assumed_role.sts_creds.secret_key }}"
session_token: "{{ assumed_role.sts_creds.session_token }}"
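Review bot: the placeholders in this example (`role_arn: 'arn:aws:iam::<acc_id>:role/<role_name>'`, `region: '<region_name>'` in the assume-role task and `region='<region_name>'` again in the lookup) will fail as written if a reader pastes them; make them variables with defaults, the way `role_session_name: "{{ aws_sts_session_name | default('ansible-session') }}"` already does. Separately, `register: assumed_role` captures a temporary access key, secret key and session token that are then handed to the lookup via `access_key`, `secret_key` and `session_token`; add `no_log: true` to the assume-role task so the registered credentials are not printed in verbose task output, and mention in the example that they expire with the STS session.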

from ansible.module_utils._text import to_native