
I'm looking at setting up a deploy server within our VPC and am trying to use an IAM role instead of keys for Ansible's dynamic ec2.py inventory script.

An answer at Can I use IAM Roles for Ansible says it is possible, however it does not indicate what permissions are required.

I'm wondering if someone is able to provide some more details on what permissions are needed to be able to generate a dynamic inventory.

Edit: I've reviewed the docs and I think part of the solution is figuring out what permissions boto's get_all_instances() needs.

hafichuk

2 Answers


Assuming the only inventory you want are EC2 based resources, then allowing the "ec2:Describe*" actions should be sufficient:

    {
        "Effect": "Allow",
        "Action": "ec2:Describe*",
        "Resource": "*"
    }

See Allow users to list the Amazon EC2 resources that belong to the AWS account

Rodrigo Murillo
  1. Log in to the AWS management console. Go to Identity & Access Management/Roles/Create New Role.
  2. Give your role a name, for example ansible, because the instance with this role will run Ansible.
  3. Under AWS Service Roles select Amazon EC2.
  4. Select Power User Access; you will have a policy name and a policy document, one JSON string like this:

     {
         "Version": "20XX-XX-XX",
         "Statement": [
             {
                 "Effect": "Allow",
                 "NotAction": "iam:*",
                 "Resource": "*"
             }
         ]
     }

  5. Next Step/Create Role.
  6. You will have an instance profile with the same name that you gave to your role, and the role will be associated with the instance profile. Now, when you create the new instance for the Ansible deploy, you will give this instance profile to the instance, and this instance will have the permissions for the role.
Yonsy Solis
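Added example (not from either answer) contrasting the two policies above: a short Python script that evaluates both policy documents against the read-only action an inventory script issues and against a destructive one, then shapes a constructed DescribeInstances response into the `tag_Key_Value` / `_meta.hostvars` layout an ec2.py-style `--list` produces. The policy evaluator is deliberately simplified (Resource "*", no Conditions), the sample reservations are constructed, and `build_inventory` is an illustration rather than ec2.py's own code.

```python
import fnmatch

# Least-privilege policy from the first answer: ec2.py only reads instance
# metadata (DescribeInstances and friends), so ec2:Describe* is sufficient.
DESCRIBE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}

# PowerUserAccess-style policy from the second answer: everything except IAM.
POWER_USER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}


def _matches(stmt, action):
    # IAM action names are case-insensitive and support '*' wildcards;
    # NotAction means "every action except these".
    pats = stmt.get("Action", stmt.get("NotAction"))
    pats = [pats] if isinstance(pats, str) else pats
    hit = any(fnmatch.fnmatch(action.lower(), p.lower()) for p in pats)
    return hit if "Action" in stmt else not hit


def allows(policy, action):
    """Simplified IAM evaluation for one action (Resource "*", no Condition):
    an explicit Deny wins, otherwise any matching Allow grants access."""
    matched = [s for s in policy["Statement"] if _matches(s, action)]
    if any(s["Effect"] == "Deny" for s in matched):
        return False
    return any(s["Effect"] == "Allow" for s in matched)


# Constructed sample shaped like a DescribeInstances response (not real data).
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0123456789abcdef0", "State": {"Name": "running"},
     "PrivateIpAddress": "10.0.1.10", "Tags": [{"Key": "Role", "Value": "web"}]},
    {"InstanceId": "i-0fedcba9876543210", "State": {"Name": "stopped"},
     "PrivateIpAddress": "10.0.1.11", "Tags": [{"Key": "Role", "Value": "db"}]},
]}]


def build_inventory(reservations):
    """Shape DescribeInstances output like an ec2.py-style `--list` result:
    tag_Key_Value groups plus _meta.hostvars. Nothing here needs write access."""
    inv = {"_meta": {"hostvars": {}}}
    for res in reservations:
        for inst in res["Instances"]:
            if inst["State"]["Name"] != "running":
                continue  # a stopped instance is not a reachable deploy target
            host = inst["PrivateIpAddress"]
            inv["_meta"]["hostvars"][host] = {"ec2_id": inst["InstanceId"]}
            for tag in inst.get("Tags", []):
                group = "tag_%s_%s" % (tag["Key"], tag["Value"])
                inv.setdefault(group, []).append(host)
    return inv
```

With the Describe-only policy the script can still list everything it needs, while `ec2:TerminateInstances` is refused; the PowerUser policy lets the same instance role terminate instances, which a deploy box's inventory script never needs.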