ansible/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
Code Releases Activity

[cloud][contrib] IAM role support for EC2 dynamic inventory (#15196)

Browse source 
* EC2 inventory can now connect using an IAM role

* Fix comment indentation

* Make sure that Ec2Inventory.iam_role is always defined

* Add missing import
This commit is contained in:
Rune T. Sorensen 2017-03-20 22:19:40 +01:00 committed by Ryan Brown
parent 3585d3d368
commit 6804d69557
2 changed files with 19 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
contrib/inventory/ec2.ini
View file

@ -179,6 +179,11 @@ stack_filters = False
# (ex. webservers15, webservers1a, webservers123 etc) # (ex. webservers15, webservers1a, webservers123 etc)
# instance_filters = tag:Name=webservers1* # instance_filters = tag:Name=webservers1*
# An IAM role can be assumed, so all requests are run as that role.
# This can be useful for connecting across different accounts, or to limit user
# access
# iam_role = role-arn
# A boto configuration profile may be used to separate out credentials # A boto configuration profile may be used to separate out credentials
# see http://boto.readthedocs.org/en/latest/boto_config_tut.html # see http://boto.readthedocs.org/en/latest/boto_config_tut.html
# boto_profile = some-boto-profile-name # boto_profile = some-boto-profile-name

14
contrib/inventory/ec2.py
View file

@ -132,6 +132,7 @@ from boto import ec2
from boto import rds from boto import rds
from boto import elasticache from boto import elasticache
from boto import route53 from boto import route53
from boto import sts
import six import six
from ansible.module_utils import ec2 as ec2_utils from ansible.module_utils import ec2 as ec2_utils
@ -421,6 +422,12 @@ class Ec2Inventory(object):
else: else:
self.replace_dash_in_groups = True self.replace_dash_in_groups = True
# IAM role to assume for connection
if config.has_option('ec2', 'iam_role'):
self.iam_role = config.get('ec2', 'iam_role')
else:
self.iam_role = None
# Configure which groups should be created. # Configure which groups should be created.
group_by_options = [ group_by_options = [
'group_by_instance_id', 'group_by_instance_id',
@ -548,6 +555,13 @@ class Ec2Inventory(object):
connect_args['profile_name'] = self.boto_profile connect_args['profile_name'] = self.boto_profile
self.boto_fix_security_token_in_profile(connect_args) self.boto_fix_security_token_in_profile(connect_args)
if self.iam_role:
sts_conn = sts.connect_to_region(region, **connect_args)
role = sts_conn.assume_role(self.iam_role, 'ansible_dynamic_inventory')
connect_args['aws_access_key_id'] = role.credentials.access_key
connect_args['aws_secret_access_key'] = role.credentials.secret_key
connect_args['security_token'] = role.credentials.session_token
conn = module.connect_to_region(region, **connect_args) conn = module.connect_to_region(region, **connect_args)
# connect_to_region will fail "silently" by returning None if the region name is wrong or not supported # connect_to_region will fail "silently" by returning None if the region name is wrong or not supported
if conn is None: if conn is None: