I am unable to make use of IAM roles in my Ansible playbooks. 
 Specifically, I have authorised an EC2 instance to get from an S3 bucket, 
but I cannot work out how to make use of this authorisation from within 
Ansible.


*The question*

How do I write Ansible task(s) that satisfy all of the following:

   1. Runs on an EC2 instance
   2. Uses the IAM role defined on the EC2 instance to obtain authorisation 
   to access an S3 bucket
   3. Gets a file from the S3 bucket


*A work around*

I can get the EC2 instance to download from S3, only by passing in my 
credentials as follows:

- name: Download the part archive from S3
  s3:
   # long-lived keys, read from the environment of the machine running Ansible
   aws_access_key: "{{ lookup('env','aws_key') }}"
   aws_secret_key: "{{ lookup('env','aws_secret') }}"
   region: "{{ aws_packages_region }}"
   bucket: "{{ aws_packages_bucket }}"
   object: "/JI79IML/my_part_X86_64_c7.15.tar.gz"
   dest: "/data/parts/JI79IML/my_part_X86_64_c7.15.tar.gz"
   mode: get        # download the object
   overwrite: no    # keep an existing local copy untouched

However, I would rather not send my AWS credentials to the instance. 
Instead, I have defined a role with the appropriate permissions to get 
files from the S3 bucket.


*What I've tried*

The top answer in the Stack Overflow question linked below suggests that 
it is a simple matter of leaving the secret access key parameters out and 
letting the Boto library take care of assuming the role.

   - http://stackoverflow.com/questions/28997757/ansible-and-s3-module
   
However, when I try this with Ansible 1.8.4 and Boto 2.36.0 I get:

msg: No handler was ready to authenticate. 1 handlers were checked. ['HmacAuthV1Handler'] Check your credentials

and with Ansible 1.9.1 and Boto 2.38.0 I get:

msg: Failed to connect to S3: 'module' object has no attribute 'connect_to_region'


*How I've confirmed the IAM role*

To confirm that the IAM role is *sufficient*, I installed awscli on the EC2 
instance and performed the download directly.  First, I assumed the role:

aws sts assume-role --role-arn "${ROLE_ARN}" --role-session-name "GettingMyPart"

which returns an absolutely baffling error message that the user with the 
assumed role cannot assume the role?!?  But it seems to do the trick, because 
I can then download the part:

aws s3api get-object --bucket "${BUCKET_NAME}" --key JI79IML/my_part_X86_64_c7.15.tar.gz my_part_X86_64_c7.15.tar.gz

To confirm that the IAM role is *required*, I created another instance that 
does not have a role, installed awscli on this second EC2 instance, and 
followed the above steps.  In each case, I got the message "Unable to 
locate credentials", as expected.

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/550cc437-c0b2-4999-8710-cf87e28f45e6%40googlegroups.com.
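The post above hinges on how a Boto 2 style credential chain picks its source: environment variables first, then the boto config file, then the EC2 instance metadata service, which is where an instance profile's temporary keys live. The script below is an added example written for this page, not code from the thread or from Ansible or Boto. It models that lookup order with a constructed, offline metadata fetcher so you can see why leaving aws_access_key/aws_secret_key out of the task is the safe choice on an instance that has a role (the chain falls through to metadata and receives short-lived keys with a session token and an expiry), and what happens on an instance without one (nothing is found, the same situation in which awscli reports "Unable to locate credentials"). It also shows what the JSON from aws sts assume-role contains and how it maps onto the environment variables a later process would read; the role name, key values and timestamps are constructed sample data, and the metadata paths are the documented IMDS paths.

```python
"""Added example (not from the thread): a Boto 2 style credential lookup
chain, exercised against a constructed, offline instance-metadata stub."""
import json
from datetime import datetime, timezone

# Documented EC2 instance-metadata path for instance-profile credentials.
METADATA_ROLE_PATH = "/latest/meta-data/iam/security-credentials/"


class NoCredentialsError(Exception):
    """Every source in the chain came up empty."""


def _parse_expiry(text):
    # STS and the metadata service both emit UTC timestamps like 2015-05-05T18:00:00Z
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def resolve_credentials(env, config=None, fetch_metadata=None):
    """Return (source, creds) following Boto 2's precedence:
    1. AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY in the environment
    2. the [Credentials] section of a boto config file (passed as a dict)
    3. the instance metadata service (fetch_metadata(path) -> body or None)
    Only the metadata source yields a token and an expiry: those are the
    short-lived keys an instance profile hands out."""
    ak, sk = env.get("AWS_ACCESS_KEY_ID"), env.get("AWS_SECRET_ACCESS_KEY")
    if ak and sk:
        token = env.get("AWS_SESSION_TOKEN") or env.get("AWS_SECURITY_TOKEN")
        return "environment", {"access_key": ak, "secret_key": sk,
                               "token": token, "expiration": None}
    if config:
        section = config.get("Credentials", {})
        ak, sk = section.get("aws_access_key_id"), section.get("aws_secret_access_key")
        if ak and sk:
            return "boto-config", {"access_key": ak, "secret_key": sk,
                                   "token": None, "expiration": None}
    if fetch_metadata is not None:
        role_name = fetch_metadata(METADATA_ROLE_PATH)   # None when the instance has no role
        if role_name:
            body = fetch_metadata(METADATA_ROLE_PATH + role_name.strip())
            doc = json.loads(body) if body else {}
            if doc.get("Code") == "Success":
                return "instance-metadata", {
                    "access_key": doc["AccessKeyId"], "secret_key": doc["SecretAccessKey"],
                    "token": doc["Token"], "expiration": _parse_expiry(doc["Expiration"])}
    raise NoCredentialsError("Unable to locate credentials")


def credential_source(env, config=None, fetch_metadata=None):
    """Convenience wrapper: the source name, or None if nothing was found."""
    try:
        return resolve_credentials(env, config, fetch_metadata)[0]
    except NoCredentialsError:
        return None


def env_from_assume_role(sts_output):
    """Map the JSON printed by `aws sts assume-role` onto the environment
    variables a later process would read. AWS_SESSION_TOKEN is the awscli /
    boto3 name, AWS_SECURITY_TOKEN the older Boto 2 name; setting both covers
    either client. Without this export step the assumed role is never used."""
    c = json.loads(sts_output)["Credentials"]
    return {"AWS_ACCESS_KEY_ID": c["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": c["SecretAccessKey"],
            "AWS_SESSION_TOKEN": c["SessionToken"],
            "AWS_SECURITY_TOKEN": c["SessionToken"]}


# --- constructed sample data (stand-ins, not real AWS values) ---------------
FAKE_METADATA = {
    METADATA_ROLE_PATH: "s3-part-reader",
    METADATA_ROLE_PATH + "s3-part-reader": json.dumps({
        "Code": "Success", "Type": "AWS-HMAC",
        "AccessKeyId": "ASIAEXAMPLEROLEKEY", "SecretAccessKey": "example/role/secret",
        "Token": "example-session-token", "Expiration": "2015-05-05T18:00:00Z"}),
}
SAMPLE_STS_OUTPUT = json.dumps({
    "Credentials": {"AccessKeyId": "ASIAEXAMPLESTSKEY", "SecretAccessKey": "example/sts/secret",
                    "SessionToken": "sts-example-session-token",
                    "Expiration": "2015-05-05T13:00:00Z"},
    "AssumedRoleUser": {"AssumedRoleId": "AROAEXAMPLE:GettingMyPart",
                        "Arn": "arn:aws:sts::123456789012:assumed-role/example/GettingMyPart"}})


def fake_metadata_with_role(path):  # instance that has an instance profile
    return FAKE_METADATA.get(path)


def fake_metadata_no_role(path):    # instance without a role: IMDS has nothing
    return None


if __name__ == "__main__":
    print(credential_source({"AWS_ACCESS_KEY_ID": "AKIAEXAMPLE", "AWS_SECRET_ACCESS_KEY": "x"}))
    print(resolve_credentials({}, None, fake_metadata_with_role))
    print(credential_source({}, None, fake_metadata_no_role))
    print(env_from_assume_role(SAMPLE_STS_OUTPUT))
```

Running it prints "environment" for the explicit-key case, the instance-metadata tuple (with a token and a 2015-05-05 expiry) for the instance with a role, None for the instance without one, and the exported variable set for the STS output. The security point the example makes is that the instance-metadata path never puts a long-lived secret on the box: a stolen copy of those keys stops working at the expiry, whereas keys injected through the environment (as in the work-around task) do not.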