Ansible, AWS and Assumed Roles
Ansible & AWS Assumed Roles: A Short Example
Who am I?
• James Morgan (@bigjimmynz, [email protected])
• DevOps technical consultant for Open Systems Specialists
• Cloud infrastructure, automation, CI/CD processes
• Background as sysadmin/NOC for SaaS infrastructure and platforms
What problem are we solving?
• Increasingly common to have multiple AWS accounts
• User access controlled from a central account
• Roles allow users to assume privileges across roles with temporary credentials
• Ansible, in general, grabs the local default credentials
• Manual setup of assumed credentials is needed to make playbooks work
Set up the AWS CLI
• Add profiles to the ~/.aws/config and ~/.aws/credentials files
• Test account operation with AWS CLI commands and `--profile`
• Useful tool: https://github.com/donnemartin/saws
• MFA is not required, but depends on the IAM role configuration
AWS Security Token Service
• Allows requests for temporary, limited-privilege credentials for AWS Identity and Access Management (IAM)
• Requires:
  • Existing credentials for the primary account
  • The role ARN to become
  • Profile name
  • MFA device ARN if MFA is to be used
The Ansible part
• Variable definitions to hold multiple credentials
• Variables containing the information STS requires
• Playbook imports the vars in standard Ansible syntax
• Use the sts_assume_role module
• It returns the new credentials in the task outputs
• Set these values into facts
• Use the new facts as inputs for further tasks (or you can set environment vars for tasks)
With and without STS
• Example uses a var flag that turns STS functionality on/off
• A `when` conditional can then disable tasks
• Use `| default(omit)` in credential assignments
• This will allow the use of default credentials when STS is off
MFA functionality
• MFA requirements are determined by IAM setup and roles
• Need to acquire the MFA serial ARN, which is located in your IAM account
• In the example it can be turned off like STS:
  • Remove the MFA ARN from ~/.aws/config
  • Remove the MFA ARN from the Ansible STS vars (not just setting it blank)
  • The task will then omit that option from sts_assume_role
• Pass the token value as a playbook argument or prompt for it interactively
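An added example playbook that ties the previous three slides together; it is not the code from the author's repository. It assumes a hypothetical `sts_vars.yml` supplying the on/off flag, role ARN and optional MFA serial, uses placeholder ARNs, region and profile name, and runs `ec2_vpc_net_facts` as a stand-in for whatever AWS module the real playbook needs.

```yaml
---
# Assumed contents of sts_vars.yml (hypothetical file; values are placeholders):
#   sts: true                                                  # false -> local default creds
#   aws_profile: primary                                       # profile from ~/.aws/config
#   sts_role_arn: "arn:aws:iam::123456789012:role/DeployRole"
#   sts_session_name: ansible-deploy
#   sts_mfa_serial: "arn:aws:iam::111122223333:mfa/james"     # delete the key to disable MFA
- hosts: localhost
  connection: local
  gather_facts: false
  vars_files:
    - sts_vars.yml
  vars_prompt:
    - name: mfa_token
      prompt: "MFA token (leave empty if the role does not require MFA)"
      private: true
  tasks:
    - name: Assume the target role with STS (skipped entirely when sts is false)
      sts_assume_role:
        profile: "{{ aws_profile | default(omit) }}"
        role_arn: "{{ sts_role_arn }}"
        role_session_name: "{{ sts_session_name }}"
        # Both keys are omitted when the var is undefined or the prompt was empty,
        # so the STS call is made without MFA instead of failing on a blank value.
        mfa_serial_number: "{{ sts_mfa_serial | default(omit) }}"
        mfa_token: "{{ mfa_token | default(omit, true) }}"
      register: assumed
      when: sts | bool

    - name: Store the temporary credentials as facts for later tasks
      set_fact:
        aws_access_key: "{{ assumed.sts_creds.access_key }}"
        aws_secret_key: "{{ assumed.sts_creds.secret_key }}"
        security_token: "{{ assumed.sts_creds.session_token }}"
      no_log: true          # keep the temporary secret out of the play log
      when: sts | bool

    - name: Run an AWS module with whichever credentials apply
      ec2_vpc_net_facts:
        # With sts off the facts above are never set, default(omit) drops the
        # keys, and the module falls back to the local default credentials.
        aws_access_key: "{{ aws_access_key | default(omit) }}"
        aws_secret_key: "{{ aws_secret_key | default(omit) }}"
        security_token: "{{ security_token | default(omit) }}"
        region: ap-southeast-2        # placeholder region
      register: vpcs
```

Run it as `ansible-playbook assume.yml -e sts=false` to exercise the default-credentials path without touching STS.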
Problems/limitations
• Been using the latest branch of Ansible
• As changes happen in Ansible development, this can cause aberrant effects in your code
• Must use the latest dynamic EC2 inventory script
• The inventory script has issues with MFA requirements
Info and example code
• Blog: http://www.drivenbydevops.io/aws-ansible-and-assumed-roles
• GitHub: https://github.com/darknessnz/ansible_sts_assume_role
• Inventory script: https://raw.githubusercontent.com/ansible/ansible/devel/contrib/inventory/ec2.py
• sts_assume_role: http://docs.ansible.com/ansible/sts_assume_role_module.html