ansible ec2.py discovery with assume_role & MFA


matthie...@gmail.com

Sep 22, 2016, 12:37:37 PM9/22/16
to Ansible Project
Hi

Before using Ansible with some roles I prepared, I wanted to check the ec2.py autodiscovery script. However, all the accounts I have set up on AWS need to log in to a first account which uses MFA & then assume a role before being able to do something.
It appears that I cannot make it work, even if I have created the right ~/.aws/config & ~/.aws/credentials files.
ec2.py just seems to be missing the assume_role step, reading the MFA & asking for the token....
I have found a fork of ec2.py for the assume_role part, but I am still missing the MFA part.
Does someone have the solution?

Thanks in advance.

Arbab Nazar

Sep 23, 2016, 8:41:41 AM9/23/16
to Ansible Project
I think you are looking for this:

#!/bin/bash

# Requirement:
#   - awscli
#   - jq
#
# It assumes that you have exported the "AWS_MFA_ARN" in your environment:
#
#     export AWS_MFA_ARN="arn:aws:iam::XXXXXXXXXXX:mfa/ar...@tendo.org"
#
# Then you can execute it like this:
#
#     . ./assume-role prod 123456
#
# Where "123456" is the current MFA token.
# After that we can perform all the operations in the same way as we are
# currently performing them with IAM user credentials, e.g.:
#
#     ./ec2.py --list
#
# You can list the available roles by running "list_roles". Additionally, the
# available roles can be tab-completed in the "assume_role" command.
#
# You can alter the AWS profile this script uses by setting the
# ASSUME_ROLE_PROFILE environment variable.

AWS_ACCOUNTS=(prod sandbox tools)

assume_role() {
    AWS_ACCOUNT=$1
    MFA_TOKEN=$2

    if [[ -n "${ASSUMED_ROLE}" ]]; then
        echo "You have currently assumed ${ASSUMED_ROLE}, unassuming and proceeding with your assume."
        unassume_role
    fi

    # Validate the arguments before mapping the account name to a role ARN,
    # so an empty account name is not reported as an "unknown" one.
    if [ -z "$AWS_ACCOUNT" ] || [ -z "$MFA_TOKEN" ]; then
        echo "An AWS role name and MFA_TOKEN must be specified" >&2
        echo "example: . ./assume-role.sh account-name mfa-token" >&2
        return 1
    fi

    if [ -z "$AWS_MFA_ARN" ]; then
        echo "An AWS_MFA_ARN must be exported as environment variable" >&2
        echo "example: export AWS_MFA_ARN=\"arn:aws:iam::XXXXXXXXXXX:mfa/arbab@tendo.org\"" >&2
        return 1
    fi

    case "$AWS_ACCOUNT" in
        "prod")    ROLE_ARN="arn:aws:iam::708756755355:role/tendo-$AWS_ACCOUNT-admin" ;;
        "sandbox") ROLE_ARN="arn:aws:iam::372153017832:role/tendo-$AWS_ACCOUNT-admin" ;;
        "tools")   ROLE_ARN="arn:aws:iam::257477529851:role/tendo-$AWS_ACCOUNT-admin" ;;
        *)         echo "Unknown account name, assuming this is a ROLE_ARN" >&2
                   ROLE_ARN=$AWS_ACCOUNT ;;
    esac

    # Drop any stale session token so the AWS CLI authenticates the STS call
    # with the long-lived IAM user credentials (from ~/.aws/credentials or the
    # selected profile), not with leftovers from an earlier session.
    unset AWS_SECURITY_TOKEN AWS_SESSION_TOKEN

    # Session name shows up in CloudTrail as the assumed-role user: epoch_user@host.
    SESSION_NAME="$(date +"%s")_$USER@$(hostname)"

    PROFILE=""
    if [ -n "$ASSUME_ROLE_PROFILE" ]; then
        PROFILE="--profile=$ASSUME_ROLE_PROFILE"
    fi

    if RESULT=$(aws $PROFILE sts assume-role --role-arn "$ROLE_ARN" \
                    --role-session-name "${SESSION_NAME:0:32}" \
                    --token-code "$MFA_TOKEN" --serial-number "$AWS_MFA_ARN"); then
        export ASSUMED_ROLE=$ROLE_ARN
        export AWS_ACCESS_KEY_ID=$(echo "$RESULT" | jq --raw-output .Credentials.AccessKeyId)
        export AWS_SECRET_ACCESS_KEY=$(echo "$RESULT" | jq --raw-output .Credentials.SecretAccessKey)
        # boto 2 (used by ec2.py) reads AWS_SECURITY_TOKEN; the CLI and boto3 read AWS_SESSION_TOKEN.
        export AWS_SECURITY_TOKEN=$(echo "$RESULT" | jq --raw-output .Credentials.SessionToken)
        export AWS_SESSION_TOKEN=${AWS_SECURITY_TOKEN}
        echo "Successfully assumed role $ROLE_ARN" >&2
    else
        echo "Failed to assume role" >&2
        return 1
    fi
}

unassume_role() {
    if [[ -z "${ASSUMED_ROLE}" ]]; then
        echo "Not currently assuming any role."
    else
        echo "Unassuming role: ${ASSUMED_ROLE}"
        unset AWS_ACCESS_KEY_ID
        unset AWS_SECRET_ACCESS_KEY
        unset AWS_SECURITY_TOKEN
        unset AWS_SESSION_TOKEN
        unset ASSUMED_ROLE
    fi
}

list_roles() {
    for a in "${AWS_ACCOUNTS[@]}"; do
        echo "$a"
    done
}

if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
    echo "${BASH_SOURCE[0]} should be sourced, not run. please run:"
    echo ". ${BASH_SOURCE[0]}"
    echo "I'm not going to set any variables"
    exit 1
elif [[ -n "${1}" || -n "${2}" ]]; then
    echo "Sourcing ${BASH_SOURCE[0]} directly."
    unassume_role
    assume_role "${1}" "${2}"
else
    # assume_role function added to the environment
    complete -W "${AWS_ACCOUNTS[*]}" assume_role
fi
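As an added example (my code, not part of the thread and not from ec2.py), the same AssumeRole-with-MFA flow in Python, the language ec2.py itself is written in. It validates the inputs STS is strict about before spending an MFA code, maps the STS response to the environment variables the script above exports (both AWS_SECURITY_TOKEN for the boto 2 that ec2.py used and AWS_SESSION_TOKEN for the CLI/boto3), checks the credential expiry, and runs `ec2.py --list` with those variables in the child environment only, so nothing lands in ~/.aws/credentials. Assumptions: boto3 is installed for the live call, `./ec2.py` is the inventory script path, and SAMPLE_RESPONSE is a constructed stand-in for a real STS response.

```python
"""Added example (not from the thread or from ec2.py): obtain STS temporary
credentials for a role that requires MFA and hand them to ec2.py."""
import os
import re
import subprocess
from datetime import datetime

# STS input constraints: RoleSessionName is 2-64 chars of [\w+=,.@-],
# TokenCode is exactly 6 digits, SerialNumber is the MFA device ARN.
SESSION_NAME_BAD_CHARS = re.compile(r"[^\w+=,.@-]")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
MFA_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:mfa/[\w+=,.@/-]+$")
TOKEN_CODE_RE = re.compile(r"^\d{6}$")

# Constructed sample of what sts.assume_role() / `aws sts assume-role` return.
# Every value is a placeholder, not a real credential.
SAMPLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEY000001",
        "SecretAccessKey": "exampleSecretKeyNotReal000000000000000000",
        "SessionToken": "FwoGZXIvYXdzEXAMPLESESSIONTOKEN==",
        "Expiration": "2016-09-23T09:41:41Z",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:1474540897_arbab@laptop",
        "Arn": "arn:aws:sts::123456789012:assumed-role/example-admin/1474540897_arbab@laptop",
    },
}


def make_session_name(user, host, now):
    """Build '<epoch>_<user>@<host>' (what CloudTrail will show) within STS's charset and length."""
    raw = f"{int(now)}_{user}@{host}"
    return SESSION_NAME_BAD_CHARS.sub("_", raw)[:64]


def validate_inputs(role_arn, mfa_arn, token_code):
    """Reject malformed input locally instead of burning an MFA code on a failed STS call."""
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError("role ARN must look like arn:aws:iam::<account>:role/<name>")
    if not MFA_ARN_RE.match(mfa_arn):
        raise ValueError("MFA serial must look like arn:aws:iam::<account>:mfa/<name>")
    if not TOKEN_CODE_RE.match(token_code):
        raise ValueError("MFA token code must be exactly 6 digits")
    return True


def credentials_to_env(response, role_arn):
    """Map an AssumeRole response to the variables the thread's script exports.
    boto 2 (used by ec2.py) reads AWS_SECURITY_TOKEN; the CLI and boto3 read AWS_SESSION_TOKEN."""
    creds = response["Credentials"]
    return {
        "ASSUMED_ROLE": role_arn,
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
        "AWS_SECURITY_TOKEN": creds["SessionToken"],
    }


def _to_datetime(value):
    """boto3 returns tz-aware datetimes; CLI JSON returns ISO-8601 strings ending in 'Z'."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_expired(response, now):
    """True when the temporary credentials should no longer be handed to ec2.py."""
    return _to_datetime(now) >= _to_datetime(response["Credentials"]["Expiration"])


def assume_role_with_mfa(role_arn, mfa_arn, token_code, session_name, profile=None):
    """Live STS call (network; not exercised offline). Assumes boto3 is installed."""
    import boto3  # assumption: boto3 is available in the Ansible control environment
    validate_inputs(role_arn, mfa_arn, token_code)
    sts = boto3.Session(profile_name=profile).client("sts")
    return sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           SerialNumber=mfa_arn, TokenCode=token_code)


def run_ec2_inventory(env_additions, ec2_py="./ec2.py"):
    """Run the dynamic inventory with the temporary credentials in its environment
    only (nothing written to ~/.aws/credentials). The ec2_py path is an assumption."""
    env = dict(os.environ)
    env.update(env_additions)
    result = subprocess.run([ec2_py, "--list"], env=env, check=True,
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed sample response.
    role = "arn:aws:iam::123456789012:role/example-admin"
    print(make_session_name("arbab", "laptop.local", 1474540897))
    print(sorted(credentials_to_env(SAMPLE_RESPONSE, role)))
    print("expired:", is_expired(SAMPLE_RESPONSE, "2016-09-23T10:00:00Z"))
```

In real use, call `assume_role_with_mfa(...)` once with the six-digit code, pass `credentials_to_env(...)` to `run_ec2_inventory`, and re-check `is_expired` before each later inventory run; the role session lasts only as long as the Expiration STS returned, which is the whole point of going through MFA and AssumeRole rather than long-lived user keys.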
