Multiple AWS accounts and STS assume_role support


Boris

Dec 22, 2014, 8:03:00 PM
to ansible...@googlegroups.com
Hi,
Not sure if this question belongs here or on the ansible_development list, but let me start here.

Do Ansible AWS modules support STS.assume_role to obtain temporary credentials and use them to sign API requests for multiple accounts?

Use case:
* pre-condition: multiple AWS accounts have a role with trust relationship with instance hosting Ansible
* Invoke ec2, ec2_ami, rds, s3 or any other AWS cloud Ansible module targeting resources in multiple AWS accounts (using temporary credentials obtained from STS assume_role for each account)
For example, snapshot all the volumes for all the instances tagged with 'prod' in all of my AWS accounts (using trust relationships and not using a bunch of AWS credentials laying around file system)

with straight boto this would look something like this:
import boto

# constructed placeholder list of the 12-digit account IDs to iterate over
accounts = ['111111111111', '222222222222']

stsConn = boto.connect_sts()
for account in accounts:
    # temporary credentials for MyRole in this account, via the trust relationship
    role = stsConn.assume_role('arn:aws:iam::%s:role/MyRole' % account, 'mySession')
    creds = role.credentials
    ec2conn = boto.connect_ec2(aws_access_key_id=creds.access_key,
                               aws_secret_access_key=creds.secret_key,
                               security_token=creds.session_token)
    #ec2conn.do_something()
    s3conn = boto.connect_s3(aws_access_key_id=creds.access_key,
                             aws_secret_access_key=creds.secret_key,
                             security_token=creds.session_token)
    #s3conn.do_something()
    ## etc for other AWS resources

Basically, is it possible to insert "assume_role" before a module calls "connect", and do it for multiple accounts?

Thanks in advance,
-Boris


Boris

Dec 23, 2014, 11:19:05 AM
to ansible...@googlegroups.com
Here is my "solution" at the moment. Hoping to find something more elegant...

  tasks:
  - shell: aws sts assume-role --role-arn "arn:aws:iam::XXXXXXXXXXXX:role/myRole" --role-session-name mySession
    register: role

  - set_fact:
      accessKeyId: "{{ (role.stdout | from_json).Credentials.AccessKeyId }}"
      secretAccessKey: "{{ (role.stdout | from_json).Credentials.SecretAccessKey }}"
      sessionToken: "{{ (role.stdout | from_json).Credentials.SessionToken }}"

  - ec2_tag: resource=i-XXXXXXXX region=us-west-1 state=present
    args:
      aws_access_key: "{{ accessKeyId }}"
      aws_secret_key: "{{ secretAccessKey }}"
      security_token: "{{ sessionToken }}"
      tags:
        Name: myInstanceName

Thoughts? Would it make sense to have a module doing this?

-Boris
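As an added example (not Boris's code and not part of Ansible or boto), here is how the per-account assume_role loop from the first post and the three module arguments from the playbook above can be wrapped so that temporary credentials are cached per account and re-requested shortly before they expire, which matters when a playbook runs longer than the credential lifetime. The `RoleCredentials` class, the injectable `assume_role` callable and the `refresh_margin` parameter are my own names; the default backend assumes boto3 and its response shape (Expiration as a tz-aware datetime).

```python
"""Per-account STS assume_role helper with expiry-aware caching (added example)."""
import re
from datetime import datetime, timedelta, timezone

ACCOUNT_RE = re.compile(r"^\d{12}$")  # AWS account IDs are exactly 12 digits


def _default_assume_role(role_arn, session_name):
    # Real backend, imported lazily so the module loads without boto3 installed
    # (assumption: boto3 STS client; a fake can be injected instead).
    import boto3
    return boto3.client("sts").assume_role(RoleArn=role_arn, RoleSessionName=session_name)


class RoleCredentials:
    """Assume the same role name in several accounts and return credentials in the
    shape the Ansible AWS modules take (aws_access_key, aws_secret_key, security_token)."""

    def __init__(self, role_name, session_name, assume_role=_default_assume_role,
                 refresh_margin=timedelta(minutes=5), now=None):
        self.role_name = role_name
        self.session_name = session_name
        self._assume_role = assume_role
        self._margin = refresh_margin          # re-assume this long before expiry
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._cache = {}                       # account_id -> (expiration, creds)

    def role_arn(self, account_id):
        # Reject malformed IDs before they are interpolated into an ARN
        if not ACCOUNT_RE.match(account_id):
            raise ValueError("invalid AWS account id: %r" % (account_id,))
        return "arn:aws:iam::%s:role/%s" % (account_id, self.role_name)

    def for_account(self, account_id):
        """Return cached credentials for account_id, or assume the role again
        when none are cached or they expire within refresh_margin."""
        cached = self._cache.get(account_id)
        if cached and cached[0] - self._now() > self._margin:
            return cached[1]
        resp = self._assume_role(self.role_arn(account_id), self.session_name)
        c = resp["Credentials"]
        creds = {"aws_access_key": c["AccessKeyId"],
                 "aws_secret_key": c["SecretAccessKey"],
                 "security_token": c["SessionToken"]}
        self._cache[account_id] = (c["Expiration"], creds)
        return creds
```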

Darvin Denmian

Jul 2, 2015, 4:54:15 PM
to ansible...@googlegroups.com
Has somebody solved this?
Is the proposed solution given by Boris the only way to do that?

Thanks in advance.


linuxbsdfreak

Jul 3, 2015, 8:21:01 AM
to ansible...@googlegroups.com
Hi,

I have a pull request for ec2.py to support multiple AWS accounts via STS.

I have a readme with the steps to set up with STS.


Regards,
Kevin