Question regarding aws_sts_assumerole


Des Sindatry

Jul 15, 2020, 10:44:45 PM
to Ansible Development
Hello,

I am using ansible to launch ec2 instances. As part of that, I am using ADFS SAML integration.

#### Playbook 

---
- name: Ansible test
  hosts: localhost

  tasks:
  - name:
    sts_assume_role:
      role_arn: "arn:aws:sts::925052198153:assumed-role/DBAAdmin"
      role_session_name: "default"
    register: assumed_role

  - ec2_instance:
      instance_type: t2.large
      key_name: comdpl_test
      image: ami-07527564b23c84506
      region: us-east-1
      group: ci360-stage-us-east-1-cloudera-main-sg
      count: 1
      vpc_subnet_id: vpc-cf5347b7
      wait: yes
      assign_public_ip: yes
      aws_access_key: "{{ assumed_role.sts_creds.access_key }}"
      aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}"
      security_token: "{{ assumed_role.sts_creds.session_token }}"
      volumes:
        - device_name: /dev/sdb
          volume_type: gp2
          volume_size: 10
          delete_on_termination: true


#####
I get this error. Can someone please guide me?

ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::925052198153:assumed-role/DBAAdmin/Desmond....@sas.com is not authorized to perform: sts:AssumeRole on resource: arn:aws:sts::925052198153:assumed-role/DBAAdmin

[desind@adffddfd~]$ aws sts get-caller-identity
{
    "Account": "925052198153",
    "Arn": "arn:aws:sts::925052198153:assumed-role/DBAAdmin/Desmond....@sas.com"
}
[desind@comdpmactl01 ~]$
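An added check, written by the editor and not taken from the thread or from Ansible, that classifies the ARNs involved in the error above. sts:AssumeRole accepts only an IAM role ARN of the form arn:aws:iam::<account>:role/<name>; the role_arn in the playbook is an STS assumed-role ARN (arn:aws:sts::<account>:assumed-role/<name>), which is exactly the resource named in the AccessDenied message. The helper also derives the underlying IAM role ARN from a get-caller-identity ARN. All sample ARNs are constructed (account 123456789012, session name user@example.com), and the derivation assumes the role has no IAM path, since the assumed-role ARN does not carry one.

```python
"""Classify AWS ARNs before calling sts:AssumeRole (editor's example, stdlib only)."""
import re
from dataclasses import dataclass
from typing import Optional

# arn:partition:service:region:account-id:resource
ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>[^:]+):(?P<region>[^:]*):"
    r"(?P<account>\d{12}):(?P<resource>.+)$"
)


@dataclass(frozen=True)
class ArnInfo:
    service: str            # "iam" or "sts" for the cases handled here
    account: str
    resource_type: str      # e.g. "role", "assumed-role", "user"
    name: str               # role or user name with any IAM path stripped
    session: Optional[str]  # session name, only for sts assumed-role ARNs


def parse_arn(arn: str) -> ArnInfo:
    """Split an ARN into its components; raise ValueError if it is malformed."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn!r}")
    resource = m.group("resource")
    if "/" not in resource:
        raise ValueError(f"resource has no type/name: {resource!r}")
    rtype, rest = resource.split("/", 1)
    session = None
    if m.group("service") == "sts" and rtype == "assumed-role":
        # assumed-role/<RoleName>/<SessionName>; the session part may be absent
        parts = rest.split("/", 1)
        name = parts[0]
        session = parts[1] if len(parts) > 1 else None
    else:
        # IAM roles and users may carry a path: role/path/to/Name -> Name
        name = rest.rsplit("/", 1)[-1]
    return ArnInfo(m.group("service"), m.group("account"), rtype, name, session)


def is_assumable_role_arn(arn: str) -> bool:
    """True only for an IAM role ARN, the one resource type AssumeRole accepts."""
    try:
        info = parse_arn(arn)
    except ValueError:
        return False
    return info.service == "iam" and info.resource_type == "role"


def role_arn_from_caller_identity(caller_arn: str) -> Optional[str]:
    """Derive the IAM role behind an STS assumed-role ARN (assumes the role has no path)."""
    info = parse_arn(caller_arn)
    if info.service != "sts" or info.resource_type != "assumed-role":
        return None
    return f"arn:aws:iam::{info.account}:role/{info.name}"


def diagnose(role_arn: str, caller_arn: str) -> str:
    """One-line finding for a playbook role_arn paired with the caller's identity."""
    if not is_assumable_role_arn(role_arn):
        return ("role_arn is not an IAM role ARN; AssumeRole expects "
                "arn:aws:iam::<account>:role/<name>")
    caller = parse_arn(caller_arn)
    target = parse_arn(role_arn)
    if (caller.resource_type == "assumed-role"
            and caller.account == target.account
            and caller.name == target.name):
        return "caller already runs as a session of this role"
    return ("role_arn is well-formed; check the role's trust policy and the "
            "caller's sts:AssumeRole permission")


# Constructed sample values mirroring the shape of the thread's error message.
SAMPLE_BAD_ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/DBAAdmin"
SAMPLE_GOOD_ROLE_ARN = "arn:aws:iam::123456789012:role/DBAAdmin"
SAMPLE_CALLER_ARN = "arn:aws:sts::123456789012:assumed-role/DBAAdmin/user@example.com"

if __name__ == "__main__":
    print(diagnose(SAMPLE_BAD_ROLE_ARN, SAMPLE_CALLER_ARN))
    print(diagnose(SAMPLE_GOOD_ROLE_ARN, SAMPLE_CALLER_ARN))
    print(role_arn_from_caller_identity(SAMPLE_CALLER_ARN))
```

Running the script with the thread's ARN shape reports the malformed role_arn first; once the playbook points at arn:aws:iam::<account>:role/<name>, the remaining conditions to verify are the role's trust policy and whether the caller's current session is permitted to call sts:AssumeRole on it.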


Des Sindatry

Jul 16, 2020, 9:11:01 AM
to Ansible Development
Can anyone throw some light on this?

How is ansible going to know my temporary credentials?

ameya agashe

Jul 19, 2020, 10:07:39 PM
to Des Sindatry, Ansible Development
The fundamental issue is about permissions, not an Ansible issue. The assumed role does not have the appropriate permissions.

Thanks and Regards,
Ameya Agashe


On Thu, Jul 16, 2020 at 11:11 PM Des Sindatry <dsin...@gmail.com> wrote:
Can anyone throw some light on this?

How is ansible going to know my temporary credentials?
