mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
[cloud][contrib] IAM role support for EC2 dynamic inventory (#15196)
* EC2 inventory can now connect using an IAM role * Fix comment indentation * Make sure that Ec2Inventory.iam_role is always defined * Add missing import
This commit is contained in:
parent
3585d3d368
commit
6804d69557
2 changed files with 19 additions and 0 deletions
|
@ -179,6 +179,11 @@ stack_filters = False
|
|||
# (ex. webservers15, webservers1a, webservers123 etc)
|
||||
# instance_filters = tag:Name=webservers1*
|
||||
|
||||
# An IAM role can be assumed, so all requests are run as that role.
|
||||
# This can be useful for connecting across different accounts, or to limit user
|
||||
# access
|
||||
# iam_role = role-arn
|
||||
|
||||
# A boto configuration profile may be used to separate out credentials
|
||||
# see http://boto.readthedocs.org/en/latest/boto_config_tut.html
|
||||
# boto_profile = some-boto-profile-name
|
||||
|
|
|
@ -132,6 +132,7 @@ from boto import ec2
|
|||
from boto import rds
|
||||
from boto import elasticache
|
||||
from boto import route53
|
||||
from boto import sts
|
||||
import six
|
||||
|
||||
from ansible.module_utils import ec2 as ec2_utils
|
||||
|
@ -421,6 +422,12 @@ class Ec2Inventory(object):
|
|||
else:
|
||||
self.replace_dash_in_groups = True
|
||||
|
||||
# IAM role to assume for connection
|
||||
if config.has_option('ec2', 'iam_role'):
|
||||
self.iam_role = config.get('ec2', 'iam_role')
|
||||
else:
|
||||
self.iam_role = None
|
||||
|
||||
# Configure which groups should be created.
|
||||
group_by_options = [
|
||||
'group_by_instance_id',
|
||||
|
@ -548,6 +555,13 @@ class Ec2Inventory(object):
|
|||
connect_args['profile_name'] = self.boto_profile
|
||||
self.boto_fix_security_token_in_profile(connect_args)
|
||||
|
||||
if self.iam_role:
|
||||
sts_conn = sts.connect_to_region(region, **connect_args)
|
||||
role = sts_conn.assume_role(self.iam_role, 'ansible_dynamic_inventory')
|
||||
connect_args['aws_access_key_id'] = role.credentials.access_key
|
||||
connect_args['aws_secret_access_key'] = role.credentials.secret_key
|
||||
connect_args['security_token'] = role.credentials.session_token
|
||||
|
||||
conn = module.connect_to_region(region, **connect_args)
|
||||
# connect_to_region will fail "silently" by returning None if the region name is wrong or not supported
|
||||
if conn is None:
|
||||
|
|
Loading…
Reference in a new issue