
Apparently the AWS Access Key and Secret Key are optional parameters for the AWS Cloud Modules; however, the place where Ansible would pick up those values is environment variables.

Can we completely remove the Access Keys business by using the EC2 instance with IAM Role for Ansible to communicate with AWS?

Naveen Vijay

1 Answer


Yes. I've removed my access/secret keys across Ansible and use IAM roles. Note you'll need some role permissions on the "server" and others on the destination boxes.

tedder42
  • It's worth clarifying that IAM roles are useful for things like CI servers that will be running ec2 module tasks such as creating machines. You allow the machines launched with that IAM role (e.g. Jenkins) to perform those actions, avoiding the need for having keys locally. If you're away on your laptop and want to run the same commands, you still need the keys in your env variables or boto config. – xddsg May 21 '15 at 14:37
  • Could you clarify how your solution works? From what I see, ansible (with boto) does not pick up IAM roles on its own. – M. Glatki Dec 07 '16 at 09:33
  • Ansible uses the IAM role of the machine it is running on. If you are running it locally (e.g. not on an EC2 box) it respects the `~/.aws/` configuration. I haven't started using the IAM roles that can be attached to a CloudFormation stack but I intend to do so. @M.Glatki – tedder42 Dec 07 '16 at 17:01
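
An added example, not part of the original thread: before relying on the instance's IAM role, it helps to confirm that no static keys are still configured on the Ansible control host, since keys in environment variables or in the `~/.aws/` and boto config files are found before the role. The function names here (`find_static_keys`, `demo`) are hypothetical, the sample values are constructed placeholders, and keys passed directly as module parameters in playbooks are not covered.

```python
import configparser
import os
import tempfile
from pathlib import Path

# Environment variables the Ansible AWS modules / boto read static keys from.
KEY_ENV_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_ACCESS_KEY",
                "AWS_SECRET_KEY", "EC2_ACCESS_KEY", "EC2_SECRET_KEY")
# Files under the home directory that can hold static keys.
KEY_FILES = (".aws/credentials", ".aws/config", ".boto")
KEY_OPTIONS = ("aws_access_key_id", "aws_secret_access_key")


def find_static_keys(env, home):
    """List where static AWS keys are set (names/locations only, never values)."""
    findings = [f"env:{name}" for name in KEY_ENV_VARS if env.get(name)]
    for rel in KEY_FILES:
        path = Path(home) / rel
        if not path.is_file():
            continue
        parser = configparser.RawConfigParser()
        try:
            parser.read(path)
        except configparser.Error:
            findings.append(f"file:{rel}:unparseable")  # review by hand
            continue
        for section in parser.sections():
            findings += [f"file:{rel}[{section}].{opt}"
                         for opt in KEY_OPTIONS if parser.has_option(section, opt)]
    return findings


def demo():
    """Check a constructed home directory before and after key removal."""
    with tempfile.TemporaryDirectory() as home:
        creds = Path(home) / ".aws" / "credentials"
        creds.parent.mkdir()
        # Constructed placeholder values, not real keys.
        creds.write_text("[default]\naws_access_key_id = EXAMPLEKEYID\n"
                         "aws_secret_access_key = EXAMPLESECRET\n")
        before = find_static_keys({"AWS_ACCESS_KEY_ID": "EXAMPLEKEYID"}, home)
        creds.unlink()
        after = find_static_keys({}, home)
    return before, after


if __name__ == "__main__":
    for finding in find_static_keys(os.environ, Path.home()):
        print("static key present:", finding)
```

Run as a script on the control host, it prints one line per location that still holds a static key; no output means none of the checked locations would override the role.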