[cloud][contrib] IAM role support for EC2 dynamic inventory (#15196)

* EC2 inventory can now connect using an IAM role

* Fix comment indentation

* Make sure that Ec2Inventory.iam_role is always defined

* Add missing import
pull/22844/head
Rune T. Sorensen 8 years ago committed by Ryan Brown
parent 3585d3d368
commit 6804d69557

@ -179,6 +179,11 @@ stack_filters = False
# (ex. webservers15, webservers1a, webservers123 etc)
# instance_filters = tag:Name=webservers1*
# An IAM role can be assumed, so all requests are run as that role.
# This can be useful for connecting across different accounts, or to limit user
# access
# iam_role = role-arn
# A boto configuration profile may be used to separate out credentials
# see http://boto.readthedocs.org/en/latest/boto_config_tut.html
# boto_profile = some-boto-profile-name

@ -132,6 +132,7 @@ from boto import ec2
from boto import rds
from boto import elasticache
from boto import route53
from boto import sts
import six
from ansible.module_utils import ec2 as ec2_utils
@ -421,6 +422,12 @@ class Ec2Inventory(object):
else:
self.replace_dash_in_groups = True
# IAM role to assume for connection
if config.has_option('ec2', 'iam_role'):
self.iam_role = config.get('ec2', 'iam_role')
else:
self.iam_role = None
# Configure which groups should be created.
group_by_options = [
'group_by_instance_id',
@ -548,6 +555,13 @@ class Ec2Inventory(object):
connect_args['profile_name'] = self.boto_profile
self.boto_fix_security_token_in_profile(connect_args)
if self.iam_role:
sts_conn = sts.connect_to_region(region, **connect_args)
role = sts_conn.assume_role(self.iam_role, 'ansible_dynamic_inventory')
connect_args['aws_access_key_id'] = role.credentials.access_key
connect_args['aws_secret_access_key'] = role.credentials.secret_key
connect_args['security_token'] = role.credentials.session_token
conn = module.connect_to_region(region, **connect_args)
# connect_to_region will fail "silently" by returning None if the region name is wrong or not supported
if conn is None:

Loading…
Cancel
Save