How to manage AWS resources by Ansible Without Access Keys and Secret Access Keys


S Saravanan

Jan 2, 2019, 6:13:08 AM
to Ansible Project
Hi All,

How can we manage AWS resources with Ansible without Access Keys and Secret Access Keys?
There is a requirement to use an Ansible server to manage AWS, but we should not use access and secret keys, per the project's security policy.
We have to use only IAM role based access for this.
Which IAM role can be used? What policies need to be attached to the role?

Please give some suggestions.

Thank you in advance.

Regards,
Saravanan S

Karl Auer

Jan 2, 2019, 6:40:21 AM
to ansible-project
It sounds as if you need to run ansible on an AWS instance, and create an instance policy for the instance. Read up on instance policies in the AWS doco.

The simplest instance policy is just a role that gives the instance AdministratorAccess, but depending on what you are planning to use Ansible to do, that may be overkill. You should avoid giving an instance too much power, just as you should avoid giving a user too much power.

The big advantage of using an instance policy is that software on the instance - like Ansible - can do anything the instance is allowed to do, without having to worry about IAM users, access keys or secrets of any kind (although you will need to be able to log into the instance to do stuff).

The other thing you can do is attach a limited instance policy first, and change it later - any change to the role will be effective almost immediately.

Regards, K.



--
Karl Auer

Email  : ka...@2pisoftware.com
Website: http://2pisoftware.com


GPG/PGP : 958A 2647 6C44 D376 3D63 86A5 FFB2 20BC 0257 5816
Previous: F0AB 6C70 A49D 1927 6E05 81E7 AD95 268F 2AB6 40EA
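As an added example (not code from either poster), a playbook in the spirit of Karl's advice: it creates a least-privilege role and instance profile for the Ansible build host instead of handing it AdministratorAccess. The role name, policy name, region condition and the action list are assumptions for this example; adjust the actions to what your playbooks actually call.

```yaml
# Added example: a least-privilege instance role for the Ansible build host,
# instead of AdministratorAccess. Run once from somewhere allowed to manage IAM.
# Role and policy names, and the action list, are assumptions for this example.
- name: Create an instance profile for the Ansible build host
  hosts: localhost
  connection: local
  gather_facts: no
  vars:
    role_name: ansible-build-host
    # Trust policy: only the EC2 service may assume the role (via the profile).
    trust_policy:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal: { Service: ec2.amazonaws.com }
          Action: sts:AssumeRole
    # Permissions limited to what the poster's ec2 task needs, in one region.
    # No iam:* actions, so the build host cannot widen its own access.
    ec2_policy:
      Version: "2012-10-17"
      Statement:
        - Sid: ManageWebserverInstances
          Effect: Allow
          Action:
            - ec2:DescribeInstances
            - ec2:DescribeImages
            - ec2:DescribeSecurityGroups
            - ec2:RunInstances
            - ec2:TerminateInstances
            - ec2:CreateTags
          Resource: "*"
          Condition:
            StringEquals: { "aws:RequestedRegion": us-east-2 }
  tasks:
    - name: Create the role and its instance profile
      iam_role:
        name: "{{ role_name }}"
        assume_role_policy_document: "{{ trust_policy | to_json }}"
        create_instance_profile: yes
        state: present

    - name: Attach the inline EC2 policy to the role
      iam_policy:
        iam_type: role
        iam_name: "{{ role_name }}"
        policy_name: AnsibleEc2Manage
        policy_json: "{{ ec2_policy | to_json }}"
        state: present
    # Finally attach the ansible-build-host profile to the Ansible host itself,
    # at launch or via the console; later policy changes apply almost at once.
```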

S Saravanan

Jan 2, 2019, 11:55:53 AM
to Ansible Project
Thanks for your reply.

I will create a role with a limited policy and check it.

Even if we assign roles, how do we write playbooks without access and secret access keys (keys in a variable file, exporting ACCESS_KEYS, etc.)?

For the example below, without the key variables, how will Ansible communicate with the AWS API?

- name: create ec2 instance
  ec2:
    aws_access_key: "xxxxxxxxxxxx"   # <----- without this line
    aws_secret_key: "xxxxxxxxxxxx"   # <----- without this line
    image: ami-abcdefghi
    wait: yes
    instance_type: t2.micro
    group_id: "{{ security_group.group_id }}"
    region: us-east-2
    count_tag:
      Name: webserver
    exact_count: 1
  register: ec2

Regards,
Saravanan S

Dick Visser

Jan 2, 2019, 11:35:31 PM
to ansible...@googlegroups.com
On Wed, 2 Jan 2019 at 17:56, S Saravanan <sarav82...@gmail.com> wrote:
Those two options are mandatory for the module to work; you cannot just skip them.
AWS provides you with temporary credentials that give access according to the IAM policy the machine is assigned.
You should be able to retrieve those from the instance’s metadata:

When you have set up some (initially restricted, as Karl said) policy, I suggest using the ec2_metadata_facts module to find the temporary credentials:

Then simply refer to the appropriate keys in your ec2 task.

Dick

--
Sent from a mobile device - please excuse the brevity, spelling and punctuation.

Karl Auer

Jan 2, 2019, 11:45:46 PM
to ansible-project
If the tasks are being carried out on the Ansible server, then you just leave out the access keys and so on. If the tasks are being carried out on other hosts, then those hosts are the ones that will need AWS access, either via an instance policy or via access keys etc. And Ansible will need suitable credentials to access the hosts it is running the tasks on.

Regards, K.


Karl Auer

Jan 3, 2019, 7:02:29 AM
to ansible-project
I have used the ec2 module a LOT on a build host with an instance policy and have never had to include those two items. I simply omit them. The module still works fine.

So I think you CAN "just skip them"... as long as you have an appropriate instance policy. And (obviously) as long as Ansible is executing the module on the system with the instance policy!

Regards, K.


On Thu, Jan 3, 2019 at 3:35 PM Dick Visser <dick....@geant.org> wrote:
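Added example (not Karl's or Dick's code) of the poster's task run on a host that has an instance profile: no aws_access_key or aws_secret_key anywhere, because the AWS SDK's credential chain picks the role's temporary credentials up from the instance metadata by itself, so nothing ever needs to copy them into task parameters, vars files or logs. The aws_caller_info guard is an assumption of this example; it stops the play if the credential chain resolved to anything other than an assumed role.

```yaml
# Added example: the poster's ec2 task with the two key lines simply left out,
# plus a guard that checks the play really runs as the instance role rather than
# as some leftover IAM user key in the environment or ~/.aws.
- name: Launch the webserver using the instance profile only
  hosts: localhost      # the Ansible server itself is the instance with the role
  connection: local
  gather_facts: no
  tasks:
    - name: Ask STS which identity the SDK credential chain resolved to
      aws_caller_info:
      register: whoami

    - name: Stop unless we are running as an assumed role (instance profile)
      assert:
        that:
          - "':assumed-role/' in whoami.arn"
        msg: >-
          Running as {{ whoami.arn }}; remove any access keys from the
          environment, ~/.aws and vars files so the instance profile is used.

    # Same task as in the thread, without aws_access_key / aws_secret_key.
    # Assumes an earlier task registered the security group as security_group.
    - name: create ec2 instance
      ec2:
        image: ami-abcdefghi          # placeholder AMI id from the original post
        wait: yes
        instance_type: t2.micro
        group_id: "{{ security_group.group_id }}"
        region: us-east-2
        count_tag:
          Name: webserver
        exact_count: 1
      register: ec2
```

If the assert fails, the arn in its message tells you which IAM user or key the host is actually using, which is usually a stale ~/.aws/credentials file or AWS_ACCESS_KEY_ID in the environment.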

S Saravanan

Jan 3, 2019, 7:39:47 AM
to Ansible Project
Thank you Karl and Dick.