This Ansible role allows a user to assume a given role, generating temporary security credentials that can be used to assume the role.
- Python 2.7
- PIP package manager (easy_install pip)
- Ansible 2.4 or greater (pip install ansible)
- AWS CLI (pip install awscli)
The recommended approach to use this role is an Ansible Galaxy requirement to your Ansible playbook project.
To set this role up as an Ansible Galaxy requirement, first create a requirements.yml
file in a subfolder called roles
and add an entry for this role. Check the Ansible Galaxy documentation
Note that you can add custom plugin into 'filter_plugin' dir
# Example requirements.yml file
- src: https://github.com/calshankar/Ansible-aws-sts-role.git
scm: git
name: sts
Once you have created roles/requirements.yml
, you can install the role using the ansible-galaxy
command line tool.
$ ansible-galaxy install --role-file=roles/<rolesfile>.yml --roles-path=<path to roles dir> --force
Ideally this should create a directory 'sts' under roles parent directory, unless you wish to change the --roles-path
The STS role relies on the following inputs:
-
Sts.Role
is Mandatory all other input parameter can be optionally fed from Vars folder -
AWS credentials - you must configure the environment such that your credentials are available to assume the role.
Important
- The vars file must adhere to yml format, else you will get error. Please use the debug option along with pause to check the variable output. Following is my sample vars under group_vars folder. Don't forget the 3 dashes to mark the file as yml
---
# Staging Environment
# Admin Role used for the CF stack. All variable in yml format only
Sts:
Role: arn:aws:iam::1111111112120:role/AdminAccessforDeploy
Sts.Credentials.AWS_DEFAULT_REGION
Sts.Credentials.ACCESS_KEY
Sts.Credentials.ACCESS_KEY_ID
Sts.Credentials.AWS_SECRET_KEY
Sts.Credentials.AWS_SECRET_ACCESS_KEY
Sts.Credentials.AWS_SECURITY_TOKEN
Actual fact output for Sts variable should look like
"ansible_facts": {
"Sts": {
"Credentials": {
"AWS_ACCESS_KEY": "AAAAAAAAAAAAAAAAA",
"AWS_ACCESS_KEY_ID": "XXXXXXXXXXXXXX",
"AWS_DEFAULT_REGION": "us-east-1",
"AWS_SECRET_ACCESS_KEY": "YOUJFGokdsdsdsdsweeeCL2SWb5JtSTDOats",
"AWS_SECRET_KEY": "YOUJFGokdsdsdsdsweeeCL2SWb5JtSTDOats",
"AWS_SECURITY_TOKEN": "FQoDYXdzEBcaDOhIym794RCGWraqLyLwAVbpvRcHaTeL0R5CnlFr6nZu5sfXnHonnfuE4ZM+rtrtjjkjethNuBir7G5z5qot/XNl/QqLUgNfyuPSjHa1OW3wvB+GXC2tWzWc50Uh6//kSRN1SqbbXGgwBhoMGgz6M5Rp7QTtVmgaic9Ka8YvpXunkbqw6vrFeOSHyk/nS+0F5OlVVA18oj0tDp6K8gu7XZNEK+OV1TuwuH9dCKwPab5Avqc/Q9LeGQ69CC3T1xXL/JaH0QLnQFLNIBGu2oiUBZCdDhCyN5uO1kWUxVJlrLn2IB0FgdKmjrdVv95ewU9oyrT+/UsiZ6QjKQiiO393SBQ=="
},
"Region": "us-east-1",
"Role": "arn:aws:iam::1111111112120:role/AdminAccessforDeploy"
}
}