Can I use IAM Roles for Ansible

Question

Apparently the AWS Access Key and Secret Key are optional parameters for the AWS Cloud Modules, however the places where the ansible would pick up those values are from Environment variables.

Can we completely remove the Access Keys business by using the EC2 instance with IAM Role for Ansible to communicate with AWS.

I think it should work. Ansible uses boto, and boto will work from instances deployed in IAM roles. — Garreth McDaid, May 14 '15 at 15:31

score 2 · Accepted Answer · answered May 14 '15 at 18:15

2

Yes. I've removed my access/secret keys across Ansible and use IAM roles. Note you'll need some role permissions on the "server" and others on the destination boxes.

answered May 14 '15 at 18:15

tedder42

833
1
9
19

1

It's worth clarifying that IAM roles are useful for things like CI servers that will be running ec2 module tasks such as creating machines. You allow the machines launched with that IAM role (e.g. Jenkins) to perform those actions, avoiding the need for having keys locally. If you're away on your laptop and want to run the same commands,you still need the keys in your env variables or boto config. – xddsg May 21 '15 at 14:37
Could you clarify how your solutions works? From what I see, ansible (with boto) does not pick up IAM roles on its own. – M. Glatki Dec 07 '16 at 09:33
ansible uses the IAM role of the machine it is running on. If you are running it locally (eg not on an EC2 box) it respects the `~/.aws/` configuration. I haven't started using the IAM roles that can be attached to a cloudformation stack but I intend to do so. @M.Glatki – tedder42 Dec 07 '16 at 17:01

Can I use IAM Roles for Ansible

1 Answers1

Linked