Ansible – dynamic aws inventory: read vault variable for ec2.py key and secret

Tags: amazon-ec2, amazon-web-services, ansible, boto

I know for ec2.py I can either specify environment variables via export before calling ec2.py or use a boto config file with plain-text passwords (or python keyring).

As I have the aws key and secret in ansible vault anyway, is there a way to auto-export this from the vault or any other means to pass the value to ec2.py instead of having to specify it again?

Best Answer

Well you could write a simple task to dump the keys from vault into the boto3 configuration.

---
- name: Ensure AWS credentials configuration is present.
  template:
    src: credentials.j2
    dest: "/home/{{ ansible_user }}/.aws/credentials"

credentials.j2

[default]
aws_access_key_id = {{ aws_access_key_id }}
aws_secret_access_key = {{ aws_secret_access_key }}

Where aws_access_key_id and aws_secret_access_key could be stored in a vault.

The task would then need to be run against the Ansible control host (the host that executes ansible-playbook).

The keys would then be unencrypted on the Ansible control host. IMHO (I could be wrong here) you need to supply plain AWS keys to boto either via environment variables (export command) or via boto configuration.

Ansible makes API calls to AWS via boto. Boto is not part of Ansible. So there is no native way to use parameters defined in Ansible in boto. That functionality would have to be part of boto.
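A complete playbook putting the answer's approach together, added here as an example and not taken from the answer or from Ansible's own documentation. It assumes the vault-encrypted file lives at group_vars/all/vault.yml and defines the two variable names used above (aws_access_key_id, aws_secret_access_key), that the play targets the control host itself (hosts: localhost with connection: local), and that ec2.py sits in ./inventory/ec2.py; those paths are assumptions. The credentials file is written with the copy module's inline content rather than a separate credentials.j2 so the example is self-contained, it is restricted to mode 0600 since it holds plaintext secrets, and no_log keeps the key material out of playbook output. The second task shows the other option the question mentions, handing the vault values to ec2.py as environment variables for a single invocation instead of leaving them on disk.

```yaml
---
# Added example: feed AWS credentials from Ansible Vault to boto/ec2.py.
# Run with: ansible-playbook aws-creds.yml --ask-vault-pass
- name: Provide vaulted AWS credentials to boto on the control host
  hosts: localhost          # the machine running ansible-playbook
  connection: local
  gather_facts: false
  vars_files:
    - group_vars/all/vault.yml   # assumed path; holds the two vaulted vars below

  tasks:
    - name: Ensure ~/.aws exists and is private to the current user
      file:
        path: "{{ lookup('env', 'HOME') }}/.aws"
        state: directory
        mode: "0700"

    # Option 1 (the answer's approach): persist the keys in the boto
    # credentials file. Tight permissions and no_log limit exposure of the
    # decrypted values on the control host.
    - name: Write boto credentials file from vault variables
      copy:
        dest: "{{ lookup('env', 'HOME') }}/.aws/credentials"
        mode: "0600"
        content: |
          [default]
          aws_access_key_id = {{ aws_access_key_id }}
          aws_secret_access_key = {{ aws_secret_access_key }}
      no_log: true

    # Option 2: do not write anything to disk; export the vault values only
    # into the environment of one ec2.py run (boto reads these variable names).
    - name: Run the dynamic inventory script with credentials from vault
      command: ./inventory/ec2.py --list   # assumed location of ec2.py
      environment:
        AWS_ACCESS_KEY_ID: "{{ aws_access_key_id }}"
        AWS_SECRET_ACCESS_KEY: "{{ aws_secret_access_key }}"
      register: ec2_inventory
      changed_when: false
      no_log: true

    - name: Show how many top-level inventory groups ec2.py returned
      debug:
        msg: "ec2.py returned {{ (ec2_inventory.stdout | from_json) | length }} groups"
```

Option 1 is what the answer describes and makes every later ansible-playbook call (and ec2.py invoked by it) pick the keys up automatically; Option 2 keeps the secrets in memory for one task only, at the cost of repeating the environment block wherever ec2.py is called. Either way the plaintext exists at some point on the control host, as the answer notes, so the file permissions and no_log are the practical mitigations rather than a way around that.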
