AWS credentials not working with cross account role


Craig Wilson

Feb 20, 2018, 5:08:27 AM2/20/18
to Ansible Project
Hello

I've been trying to get my team at work to adopt better credential management, but I'm struggling to get Ansible working with the AWS CLI credentials file. My credentials file seems to work just fine with the AWS CLI and directly using boto in a Python script, but not in Ansible. My file is set up as below:

# credentials
[default]
aws_access_key_id=PARENTKEY
aws_secret_access_key=PARENTSECRETKEY

[childprofile]
role_arn=arn:aws:iam::########:role/groupname
source_profile=default


but when I execute the playbook I just get

    "msg": "Profile given for AWS was not found.  Please fix and retry."

I know that the profile name is being passed correctly, as this is shown in the verbose output:

<localhost> EXEC /bin/sh -c 'AWS_PROFILE=childprofile /usr/bin/python /home/user/.ansible/tmp/ansible-tmp-1519121014.43-259509127929346/ec2_vpc_net.py; rm -rf "/home/user/.ansible/tmp/ansible-tmp-1519121014.43-259509127929346/" > /dev/null 2>&1 && sleep 0'

and I know that the credentials file works because if I replace the role_arn and the source_profile with aws_access_key_id and aws_secret_access_key it works.

I've been looking at this for a few days and can't figure it out. 

Craig Wilson

Feb 20, 2018, 6:06:29 AM2/20/18
to Ansible Project
I have managed to get it working by setting the assume-role values for the Ansible modules and then setting the AWS_PROFILE environment variable for the shell commands; at least it seems to work fine.

Credentials file:

# credentials
[default]
region=us-west-2
aws_access_key_id=PARENTACCOUNTKEY
aws_secret_access_key=PARENTSECRETKEY

[childprofile]
role_arn=arn:aws:iam::ACCOUNTNUMBER:role/ROLENAME
source_profile=default




Playbook:

pre_tasks:
  # Assume the cross-account role once, using the static keys of the
  # "default" profile, and keep the temporary credentials it returns.
  - sts_assume_role:
      role_arn: "arn:aws:iam::ACCOUNTNUMBER:role/ROLENAME"
      role_session_name: "someRoleSession"
      region: 'eu-west-1'
      profile: "default"
    register: assumed_role

# The temporary credentials are exported for the AWS modules, while
# AWS_PROFILE lets shell-based AWS CLI commands resolve the role profile
# themselves from the credentials file.
environment:
  AWS_ACCESS_KEY: "{{ assumed_role.sts_creds.access_key }}"
  AWS_SECRET_KEY: "{{ assumed_role.sts_creds.secret_key }}"
  AWS_SECURITY_TOKEN: "{{ assumed_role.sts_creds.session_token }}"
  AWS_PROFILE: 'childprofile'
  AWS_DEFAULT_REGION: '{{ aws_region }}'