sts_session_token:
duration_seconds: "{{ sts_session_duration | default(3600) }}"
# Support role policy with mandatory MFA
mfa_serial_number: "{{ sts_mfa_serial_number | default(omit) }}"
mfa_token: "{{ sts_mfa_token | default(omit) }}"
register: sts_session_token
when: with_sts
tags:
rxgt-ps-identity-stack-deploy
- name: retrieve sts credentials
set_fact:
sts_access_key: "{{ sts_session_token.sts_creds.access_key }}"
sts_secret_key: "{{ sts_session_token.sts_creds.secret_key }}"
sts_session_token: "{{ sts_session_token.sts_creds.session_token }}"
when: with_sts
tags:
rxgt-ps-identity-stack-deploy
- name: debug role arns
debug:
msg: "Assuming role: {{ account_config.sts_role_arn }}"
verbosity: 1
loop: "{{ rxgt_identity_account['deploy_accounts']|map('extract', rxgt_identity_account['account_config'])|list }}"
loop_control:
loop_var: account_config
label: "{{ account_config.sts_role_arn }}"
tags:
rxgt-ps-identity-stack-deploy
- name: assume cross account roles
sts_assume_role:
role_arn: "{{ account_config.sts_role_arn }}"
role_session_name: "ansibledeploy"
duration_seconds: "{{ sts_session_duration | default(3600) }}"
# Use STS temporary creds or fallback to aws cli/boto creds - see readme.md
aws_access_key: "{{ sts_access_key | default(omit) }}"
aws_secret_key: "{{ sts_secret_key | default(omit) }}"
security_token: "{{ sts_session_token | default(omit) }}"
# Support role policy with mandatory MFA
mfa_serial_number: "{{ sts_mfa_serial_number | default(omit) }}"
mfa_token: "{{ sts_mfa_token | default(omit) }}"
loop: "{{ rxgt_identity_account['deploy_accounts']|map('extract', rxgt_identity_account['account_config'])|list }}"
loop_control:
loop_var: account_config
label: "{{ account_config.sts_role_arn }}"
register: assumed_roles_with_account_config
tags:
rxgt-ps-identity-stack-deploy
- name: create rxgt-ps-cross-account-iam-atlas-developer-roles changeset
cloudformation:
stack_name: "rxgt-ps-cross-account-iam-atlas-developer-roles"