I know for ec2.py I can either specify environment variables via export before calling ec2.py or use a boto config file with plain-text passwords (or python keyring).

As I have the aws key and secret in ansible vault anyway, is there a way to auto-export this from the vault or any other means to pass the value to ec2.py instead of having to specify it again?

Best Answer
Well, you could write a simple task to dump the keys from vault into the boto3 configuration.

credentials.j2

Where aws_access_key_id and aws_secret_access_key could be stored in a vault.

The task would then need to be run against the Ansible control host (the host that executes ansible-playbook).

The keys would then be unencrypted on the Ansible control host. IMHO (I could be wrong here) you need to supply plain AWS keys to boto either via environment variables (export command) or via boto configuration.

Ansible makes API calls to AWS via boto. Boto is not part of Ansible. So there is no native way to use parameters defined in Ansible in boto. That functionality would have to be part of boto.
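
An added example, not part of the original answer: a wrapper that decrypts the vault file at run time and hands the keys to ec2.py through its environment only, so no plain-text credentials file is left on the control host. It assumes the vault file is flat YAML holding the variables aws_access_key_id and aws_secret_access_key (the names used above) and that a vault password file is available; the function names and the argument order are hypothetical.

```python
#!/usr/bin/env python3
"""Run ec2.py with AWS keys read from an Ansible vault file, via environment only."""
import os
import re
import subprocess
import sys

# Assumed variable names inside the vault, mapped to the variables boto reads.
WANTED = {
    "aws_access_key_id": "AWS_ACCESS_KEY_ID",
    "aws_secret_access_key": "AWS_SECRET_ACCESS_KEY",
}
LINE = re.compile(r"^([A-Za-z_]\w*)\s*:\s*(.*?)\s*$")


def parse_vault_vars(text):
    """Extract the wanted top-level 'name: value' pairs from decrypted YAML text."""
    found = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(1) not in WANTED:
            continue
        value = m.group(2)
        # Strip one pair of matching quotes, if present.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        found[WANTED[m.group(1)]] = value
    missing = sorted(set(WANTED.values()) - set(found))
    if missing:
        raise ValueError("vault is missing: " + ", ".join(missing))
    return found


def child_env(vault_text, base=None):
    """Copy of the environment with the AWS variables added, for the child only."""
    env = dict(os.environ if base is None else base)
    env.update(parse_vault_vars(vault_text))
    return env


def main(vault_file, password_file, inventory_script, args):
    # ansible-vault prints the decrypted file to stdout; nothing is written to disk.
    plain = subprocess.run(
        ["ansible-vault", "view", "--vault-password-file", password_file, vault_file],
        check=True, capture_output=True, text=True,
    ).stdout
    return subprocess.call([inventory_script, *args], env=child_env(plain))


if __name__ == "__main__":
    sys.exit(main(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4:]))
```

The keys exist only in the wrapper's memory and in the environment of the ec2.py child process; the vault password file still has to be protected on the control host.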