Thank you Karl and Dick.


On Thursday, January 3, 2019 at 5:32:29 PM UTC+5:30, Karl Auer wrote:
>
> I have used the ec2 module a LOT on a build host with an instance policy 
> and have never had to include those two items. I simply omit them. The 
> module still works fine.
>
> So I think you CAN "just skip them"... as long as you have an appropriate 
> instance policy. And (obviously) as long as Ansible is executing the module 
> on the system with the instance policy!
>
> Regards, K.
>
>
> On Thu, Jan 3, 2019 at 3:35 PM Dick Visser <dick....@geant.org> wrote:
>
>>
>>
>> On Wed, 2 Jan 2019 at 17:56, S Saravanan <sarav82...@gmail.com> wrote:
>>
>>> Thanks for your reply.
>>>
>>> I will create role with limited policy and check it.
>>>
>>> Even if we assign roles, how do we write playbooks without access and 
>>> secret access keys, keys in a variable file, or exported ACCESS_KEYS, etc.?
>>>
>>> For the example below, without the key variables, how will Ansible 
>>> communicate with the AWS API?
>>>
>>> - name: create ec2 instance
>>>   ec2:
>>>     aws_access_key: "xxxxxxxxxxxx"   # <----- without this line
>>>     aws_secret_key: "xxxxxxxxxxxx"   # <----- without this line
>>>     image: ami-abcdefghi
>>>     wait: yes
>>>     instance_type: t2.micro
>>>     group_id: "{{ security_group.group_id }}"
>>>     region: us-east-2
>>>     count_tag:
>>>       Name: webserver
>>>     exact_count: 1
>>>   register: ec2
>>>
>>
>> Those two options are mandatory for the module to work; you cannot just 
>> skip them.
>> AWS provides you with temporary credentials that give access to the 
>> IAM policy the machine is assigned.
>> You should be able to retrieve those from the instance’s metadata:
>>
>>
>> https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials
>>
>> When you have set up some (initially restricted, as Karl said) policy, I 
>> suggest using the ec2_metadata_facts module to find the temporary 
>> credentials:
>>
>> https://docs.ansible.com/ansible/2.4/ec2_metadata_facts_module.html
>>
>> Then simply refer to the appropriate keys in your ec2 task.
>>
>> Dick
>>
>>
>>
>>> Regards,
>>> Saravanan S
>>>
>>> On Wednesday, January 2, 2019 at 5:10:21 PM UTC+5:30, Karl Auer wrote:
>>>>
>>>> It sounds as if you need to run ansible on an AWS instance, and create 
>>>> an instance policy for the instance. Read up on instance policies in the 
>>>> AWS doco.
>>>>
>>>> The simplest instance policy is just a role that gives the instance 
>>>> AdministratorAccess, but depending on what you are planning to use Ansible 
>>>> to do, that may be overkill. You should avoid giving an instance too much 
>>>> power, just as you should avoid giving a user too much power.
>>>>
>>>> The big advantage of using an instance policy is that software on the 
>>>> instance - like Ansible - can do anything the instance is allowed to do, 
>>>> without having to worry about IAM users, access keys or secrets of any 
>>>> kind (although you will need to be able to log into the instance to do stuff).
>>>>
>>>> The other thing you can do is attach a limited instance policy first, 
>>>> and change it later - any change to the role will be effective almost 
>>>> immediately.
>>>>
>>>> Regards, K.
>>>>
>>>> On Wed, Jan 2, 2019 at 10:13 PM S Saravanan <sarav82...@gmail.com> 
>>>> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> How can we manage AWS resources with Ansible without Access Keys and 
>>>>> Secret Access Keys?
>>>>> There is a requirement to use an Ansible server to manage AWS, but the 
>>>>> project's security policy says we should not use access and secret keys.
>>>>> We have to use only IAM role based access for this.
>>>>> Which IAM role can be used? What policies need to be attached 
>>>>> to the role?
>>>>>
>>>>> Please give some suggestions.
>>>>>
>>>>> Thank you in advance.
>>>>>
>>>>> Regards,
>>>>> Saravanan S
>>>>>
>>>>> -- 
>>>>> You received this message because you are subscribed to the Google 
>>>>> Groups "Ansible Project" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>>> an email to ansible-proje...@googlegroups.com.
>>>>> To post to this group, send email to ansible...@googlegroups.com.
>>>>> To view this discussion on the web visit 
>>>>> https://groups.google.com/d/msgid/ansible-project/0791a097-c8bf-457a-8ab7-ed307df1fc70%40googlegroups.com
>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>
>>>>
>>>>
>>>> -- 
>>>> Karl Auer
>>>>
>>>> Email  : ka...@2pisoftware.com
>>>> Website: http://2pisoftware.com
>>>>
>>>> GPG/PGP : 958A 2647 6C44 D376 3D63 86A5 FFB2 20BC 0257 5816
>>>> Previous: F0AB 6C70 A49D 1927 6E05 81E7 AD95 268F 2AB6 40EA
>>>>
>> -- 
>> Sent from a mobile device - please excuse the brevity, spelling and 
>> punctuation.
>>
>
>
>

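Putting Karl's approach into a play, as an added example that is not from the thread: the ec2 task omits aws_access_key/aws_secret_key so the module's AWS client resolves temporary credentials from the instance profile on its own, and ec2_metadata_facts is used only to fail fast when no profile is attached (so the play never silently falls back to static keys) rather than to copy credentials into variables. Assumed: Ansible 2.4+ with boto installed, run on an EC2 build host that carries a least-privilege instance profile; the AMI and security group ids are placeholders, and the ansible_ec2_iam_info_instanceprofilearn fact name is taken from the module's documented return values.

```yaml
# Added example (not from the thread): manage EC2 from a host with an
# instance profile, with no access/secret keys anywhere in the play.
# Assumption: this runs on the EC2 build host itself, so the instance
# metadata service is reachable and boto picks up the role's credentials.
- name: Manage EC2 using only the instance profile (no static keys)
  hosts: localhost
  connection: local
  gather_facts: no
  vars:
    region: us-east-2
    webserver_ami: ami-PLACEHOLDER   # placeholder, replace with a real AMI id
    webserver_sg: sg-PLACEHOLDER     # placeholder, replace with a real SG id
  tasks:
    - name: Read instance metadata (only to confirm a role is attached)
      ec2_metadata_facts:

    # Guard: refuse to continue without an instance profile instead of
    # letting someone "fix" the failure by pasting keys into the play.
    - name: Refuse to run without an IAM instance profile
      assert:
        that:
          - ansible_ec2_iam_info_instanceprofilearn is defined
          - ansible_ec2_iam_info_instanceprofilearn | length > 0
        msg: >-
          No IAM instance profile on this host; attach a least-privilege
          role to the instance rather than using static access keys.

    - name: Record which role this run is operating as (for audit logs)
      debug:
        msg: "Running as {{ ansible_ec2_iam_info_instanceprofilearn }}"

    # aws_access_key / aws_secret_key are intentionally absent: the module
    # falls through to the instance profile's temporary credentials.
    - name: Create the web server
      ec2:
        region: "{{ region }}"
        image: "{{ webserver_ami }}"
        instance_type: t2.micro
        group_id: "{{ webserver_sg }}"
        wait: yes
        instance_tags:
          Name: webserver
        count_tag:
          Name: webserver
        exact_count: 1
      register: ec2
```

If the assert fails on a host that does have a role, check the instance profile in the EC2 console first; that is the condition Karl describes as the only thing the ec2 module needs.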
