On Friday, July 24, 2020 at 12:42:34 UTC-7, Stefan Hornburg (Racke) wrote:
>
> On 7/24/20 7:44 PM, Nico H wrote: 
> > Not sure if that needs a new topic, but I see that other AWS modules also fail to pick up variables in Environment as they should.
> > 
>
> You are sure these environment variables are lowercase? Usually they are 
> uppercase, like AWS_ACCESS_KEY. 
>
> Ansible just passes them along as you see in your output. 
>
> Regards 
>          Racke 
>
>
Yes, you are right; in uppercase it then works better with the "block / import_role / environment" structure.
Thank you
 

> > Example is rds_instance_facts
> >
> > Again, I set up the STS credentials in the environment block, and then the module doesn't use them. Why is that?
> >
> > # playbook.yml
> >
> >     pre_tasks:
> >     - name: Assume teardown devel stack role 
> >       sts_assume_role: 
> >         role_arn: "arn:aws:iam:::role/role" 
> >         role_session_name: "session" 
> >         region: "{{ region }}" 
> >       register: assumed_role 
> >       # no_log: false 
> > 
> >     - name: import roles  
> >       block: 
> >       - import_role: 
> >           name: test2 
> >         when: cf_region is defined 
> >       environment: 
> >         aws_access_key: "{{ assumed_role.sts_creds.access_key }}" 
> >         aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}" 
> >         security_token: "{{ assumed_role.sts_creds.session_token }}"
> > 
> > # test2.yml
> > - name: Get rds facts
> >   rds_instance_facts:
> >     # command: facts
> >     db_instance_identifier: "{{ cf_stack_name }}"
> >     region: "{{ cf_region }}"
> >   register: rds
> > 
> > in the exec I see the temporary keys:  
> > 
> >  EXEC /bin/sh -c 
> 'aws_secret_key=cHAyHECUKdRXeMNELOADIjPKRwdYfJR/BIY8nVMZ 
> aws_access_key=ASIA3K27TU7xxxxxxxxxxxx 
> > 
> security_token=FwoGZXIvYXdzEOv//////////wEaDBTRsHoNaa4W+L0bkiK+ASTwafNPh9h+q2E6IqgZAR/MjX4eDpo/Vh2zLfFX+D/XHH/B1fCcLUaGp+6AXc0H/wqJG58dt9SQP5Dym1iLq3Xzn3rVwmEc9U+0Q3PcdbczO4qwJS/A2mr1lnZ03HV+PsT0lFbActJJ65VHcNvVCqy4sSvRd+ykeBgkkiM6L35icm8eTr5RJdnTMb2tmcHogNXteaXbaag1AjABC/114coEMspTOCPjexiPtic3io67lQvIJPK9L3gqKsMMn4Ioq7js+AUyLer/WPTStS/PBgsU8WsLrlxd/iuaU4qGgquy4+6vY5H/X7vEaSMyT/8OKo6MVg==
>   
>
> > 
> > 
> > but the module doesn't care and bails with:
> > ClientError: An error occurred (AccessDenied) when calling the DescribeDBInstances operation: User: arn:aws:iam:::user/myuser is not authorized to perform: rds:DescribeDBInstances on resource
> >
> >
> > I am losing hope in Ansible :(
> > What is the point of having a global environment if each and every AWS module requires a set of local credentials?
> > Please help me understand the logic here,
> > cheers
> > 
> > 
> > On Monday, April 10, 2017 at 00:40:30 UTC-7, Rob White wrote:
> > 
> >     Hi all, 
> > 
> >     I'm looking for any suggestions on how to work around the following issue:
> >
> >     I am trying to use a lookup plugin but it is ignoring my environment variables.
> >
> >     The lookup plugin I am trying to use is credstash and the environment variables are being set because I am using AWS
> >     STS to assume a role.
> >
> >     It looks a little like this:
> >
> >     ---
> >     - name: Get STS token
> >       hosts: "{{ hosts }}"
> >       connection: local
> >       tasks:
> >         - name: Assume role for passed account
> >           sts_assume_role:
> >             region: "{{ aws_region }}"
> >             role_arn: "arn:aws:iam::{{ aws_account_id }}:role/ansible-is_assumed"
> >             role_session_name: ansible_assumed_role
> >           register: assumed_role
> >           when: use_sts
> >
> >         - name: Set environment with AWS creds when available
> >           set_fact:
> >             my_environment:
> >               AWS_ACCESS_KEY_ID: "{{ assumed_role.sts_creds.access_key }}"
> >               AWS_SECRET_ACCESS_KEY: "{{ assumed_role.sts_creds.secret_key }}"
> >               AWS_SECURITY_TOKEN: "{{ assumed_role.sts_creds.session_token }}"
> >           when: assumed_role.skipped is not defined
> >
> >         - name: Set environment blank when no AWS creds
> >           set_fact:
> >             my_environment: {}
> >           when: assumed_role.skipped is defined
> >
> >     - name: Deploy infrastructure role
> >       hosts: "{{ hosts }}"
> >       connection: local
> >       roles:
> >         - "{{ role_to_deploy }}"
> >       environment: "{{ my_environment }}"
> >
> > 
> > 
> >     Now in the role_to_deploy I have lots of tasks that work brilliantly calling out to AWS using the STS credentials
> >     supplied as intended.
> >
> >     Unfortunately, any lookup plugins do not work properly because they do not use the environment variables I have set.
> >     They end up calling out to AWS using the default credentials rather than being overridden by the STS creds.
> >
> >     I don't think this is a bug but it is nevertheless annoying.
> >
> >     I'm hoping maybe one of the core team can think of a way I can get the lookup plugin to 'see' my STS environment
> >     variables I have set.
> > 
> > -- 
> > You received this message because you are subscribed to the Google Groups "Ansible Project" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com.
> > To view this discussion on the web visit
> > https://groups.google.com/d/msgid/ansible-project/c38b32ad-0f8a-46c3-aa06-d1e429c0f1cbo%40googlegroups.com
>
>
>
> -- 
> Ecommerce and Linux consulting + Perl and web application programming. 
> Debian and Sympa administration. Provisioning with Ansible. 
>
>
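
Added example, not part of the original thread and not the posters' own code: the `block / import_role / environment` structure from the quoted playbook, rewritten with the uppercase variable names that the 2017 post uses and that the reply above reports as working. The `hosts: localhost` play header, the `role_arn` placeholder, `no_log: true` and the extra `AWS_SESSION_TOKEN` entry are assumptions of this example.

```yaml
# playbook.yml (added example; role_arn is a placeholder, not a value from the thread)
- hosts: localhost          # assumption: the thread does not show the play header
  connection: local
  pre_tasks:
    - name: Assume teardown devel stack role
      sts_assume_role:
        role_arn: "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"   # placeholder
        role_session_name: "session"
        region: "{{ region }}"
      register: assumed_role
      # Keep the temporary credentials out of this task's logged result.
      no_log: true

    - name: import roles
      block:
        - import_role:
            name: test2
          when: cf_region is defined
      environment:
        # Before (from the thread, ignored by the AWS module):
        #   aws_access_key / aws_secret_key / security_token
        # After: uppercase names, as in the 2017 post quoted in the thread.
        AWS_ACCESS_KEY_ID: "{{ assumed_role.sts_creds.access_key }}"
        AWS_SECRET_ACCESS_KEY: "{{ assumed_role.sts_creds.secret_key }}"
        AWS_SECURITY_TOKEN: "{{ assumed_role.sts_creds.session_token }}"
        # Assumption: boto3-based code reads the same token under this name.
        AWS_SESSION_TOKEN: "{{ assumed_role.sts_creds.session_token }}"
```

The EXEC output quoted in the thread shows that values passed through `environment` are printed on the command line of the module invocation, so logs from verbose runs should be handled as containing credentials.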
