
Normally, when we are using the Ansible ec2 module to do operations, it looks like this:

- name: Creating ELB
  ec2_elb_lb:
    aws_access_key: "{{ AWS_ACCESS_KEY_ID }}"
    aws_secret_key: "{{ AWS_SECRET_ACCESS_KEY }}"
    region: "{{ AWS_REGION }}"
    state: present
    name: "{{ item.name }}"
...

However, this exposes the AWS key pairs directly in the source code. So I tried attaching an IAM role to the AWS EC2 instance.

But I don't know how the Ansible ec2 module uses the IAM role to get permissions to operate on AWS resources (such as creating a new ELB) if
aws_access_key: "{{ AWS_ACCESS_KEY_ID }}" and aws_secret_key: "{{ AWS_SECRET_ACCESS_KEY }}" are not passed to the ec2 module.

Can anyone help me with this? How can I implement this when using an IAM role?

user2896821
    Yes, Ansible's AWS modules will use an IAM role if they can find one **attached to the instance they're executing on**. – ceejayoz Feb 24 '18 at 04:35
  • @ceejayoz Thanks for your reply. I've learned that keys will be retrieved by the following procedure: credentials --> environment variable --> instance metadata. Then, if my existing EC2 instance already has ~/.aws/credentials, should I delete it first in case Ansible reads from it instead of its IAM role? – user2896821 Feb 24 '18 at 06:50
  • Please do not post [the same question](https://stackoverflow.com/q/48959063) on multiple StackExchange sites. – techraf Feb 24 '18 at 07:06
  • @user2896821 Yes, I'd remove the credentials file if you want it to use the role. – ceejayoz Feb 24 '18 at 14:16
  • Yes, it should work, as Ansible uses boto, and boto falls back to the IAM role (of the AWS resource, i.e. your instance from where you are going to execute Ansible) if the AWS access/secret key is not provided explicitly. Give it a try. – Pratap Feb 25 '18 at 17:16
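A playbook that puts the advice in these comments into practice, added here as an example (it is not code from the question or from any of the commenters). It runs on an EC2 instance that has an IAM instance profile attached, first confirms that nothing earlier in boto's credential chain (environment variables, ~/.aws/credentials) would shadow the role, then calls ec2_elb_lb with no aws_access_key/aws_secret_key at all. The ELB name, region, subnet id and the role output are placeholders.

```yaml
# Added example, not from the original post. Run on the EC2 instance that
# carries the IAM instance profile:  ansible-playbook elb_with_role.yml
#
# boto resolves credentials in this order:
#   explicit module args -> environment -> ~/.aws/credentials -> instance metadata
# so the task at the bottom only lands on the instance profile if the earlier
# sources are absent. The pre-flight tasks make that explicit instead of hoping.
- hosts: localhost
  connection: local
  gather_facts: false
  vars:
    elb_name: my-app-elb        # placeholder
    aws_region: us-east-1       # placeholder

  tasks:
    - name: Check whether a static credentials file exists (it would shadow the role)
      stat:
        path: "{{ lookup('env', 'HOME') }}/.aws/credentials"
      register: creds_file

    - name: Refuse to run if static keys are present anywhere in the chain
      assert:
        that:
          - not creds_file.stat.exists
          - lookup('env', 'AWS_ACCESS_KEY_ID') == ''
          - lookup('env', 'AWS_SECRET_ACCESS_KEY') == ''
        fail_msg: "Static AWS credentials found; remove them so the instance profile is used"

    # The instance metadata service lists the role name attached to this
    # instance. On instances that enforce IMDSv2 this plain GET is rejected and
    # a session token header is required; the fail_msg then tells you why.
    - name: Confirm an instance profile is actually attached
      uri:
        url: http://169.254.169.254/latest/meta-data/iam/security-credentials/
        return_content: true
      register: imds_role
      failed_when: imds_role.status != 200 or imds_role.content | trim == ''

    - name: Show which role the AWS modules will run as
      debug:
        msg: "Ansible will use instance role {{ imds_role.content | trim }}"

    # Same task as in the question, minus aws_access_key/aws_secret_key:
    # boto falls through to the instance profile's temporary credentials.
    - name: Creating ELB with role-based credentials
      ec2_elb_lb:
        region: "{{ aws_region }}"
        state: present
        name: "{{ elb_name }}"
        subnets:
          - subnet-0123456789abcdef0   # placeholder
        listeners:
          - protocol: http
            load_balancer_port: 80
            instance_protocol: http
            instance_port: 80
```

Because the task no longer carries keys, the IAM policy attached to the instance profile is what decides whether the ELB call is allowed, so scope that policy to the ELB actions the playbook needs rather than to broad EC2 permissions. The credentials the role hands out are temporary and rotated by AWS, which is the actual security gain over keys stored in the playbook.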
