Ansible AWS an Assumed Roles

ANSIBLE&

AWS ASSUMED ROLESA SHORT EXAMPLE

WHO AM I ?

• JAMES MORGAN ( @BIGJIMMYNZ, JIMMY@DRIVENBYDEVOPS.IO )

• DEVOPS TECHNICAL CONSULTANT FOR OPEN SYSTEMS SPECIALISTS

• CLOUD INFRASTRUCTURE, AUTOMATION, CI/CD PROCESSES• BACKGROUND AS SYSADMIN/NOC FOR SAAS

INFRASTRUCTURE AND PLATFORMS

WHAT PROBLEM ARE WE SOLVING?

• INCREASINGLY COMMON TO HAVE MULTIPLE AWS ACCOUNTS• USER ACCESS CONTROLLED FROM CENTRAL ACCOUNT• ROLES ALLOW USERS TO ASSUME PRIVILEGES ACROSS ROLES

WITH TEMP CREDS• ANSIBLE, IN GENERAL, GRABS THE LOCAL DEFAULT CREDS• MANUAL SETUP OF ASSUMED CREDS TO MAKE PLAYBOOKS

SETUP THE AWS CLI

• ADD PROFILES TO THE ~/.AWS/CONFIG AND ~/AWS/CREDENTIALS FILES

• TEST ACCOUNT OPERATION WITH AWS CLI COMMANDS AND ‘—PROFILE’• USEFUL TOOL: HTTPS://GITHUB.COM/DONNEMARTIN/SAWS

• MFA NOT REQUIRED BUT DEPENDENT ON IAM ROLE CONFIGURATION

AWS SECURITY TOKEN SERVICE• ALLOWS REQUESTS FOR TEMPORARY, LIMITED-PRIVILEGE

CREDENTIALS FOR AWS IDENTITY AND ACCESS MANAGEMENT (IAM)

• REQUIRES• EXISTING CREDENTIALS FOR PRIMARY ACCOUNT• THE ROLE ARN TO BECOME• PROFILE NAME• MFA DEVICE ARN IS MFA IS TO BE USED

THE ANSIBLE PART

• VARIABLE DEFINITIONS TO HOLD MULTIPLE CREDENTIALS• VARIABLES CONTAINING STS REQUIRED INFORMATION• PLAYBOOK IMPORTS VARS IN STANDARD ANSIBLE SYNTAX• USE THE STS_ASSUME_ROLE MODULE

• IT RETURNS THE NEW CREDS IN THE TASK OUTPUTS• SET THESE VALUES INTO FACTS• USE THE NEW FACTS AS INPUTS FOR FURTHER TASKS (OR YOU CAN SET

ENVIRONMENT VARS FOR TASKS)

WITH AND WITHOUT STS

• EXAMPLE USES A VAR FLAG THAT TURNS STS FUNCTIONALITY ON/OFF• WHEN CONDITIONAL CAN THEN DISABLE TASKS

• USE “| DEFAULT(OMIT)” IN CREDENTIAL ASSIGNMENTS• THIS WILL ALLOW THE USE OF DEFAULT CREDS WHEN STS=OFF

MFA FUNCTIONALITY

• MFA REQUIREMENTS ARE DETERMINED BY IAM SETUP AND ROLES• NEED TO ACQUIRE THE MFA SERIAL ARN WHICH WILL BE

LOCATED IN YOUR IAM ACCOUNT• IN THE EXAMPLE IT CAN BE TURNED OFF LIKE STS

• REMOVE MFA ARN FROM ~/.AWS/CONFIG• REMOVE MFA ARN FROM ANSIBLE STS VARS (NOT JUST SETTING IT BLANK)• THE TASK WILL THEN OMIT THAT OPTION FROM STS_ASSUME_ROLE

• PLAYBOOK ARGUMENT OR PROMPT FOR TOKEN VALUE INTERACTIVELY

PROBLEMS/LIMITATIONS

• BEEN USING THE LATEST BRANCH OF ANSIBLE• AS CHANGES HAPPEN IN ANSIBLE DEVELOPMENT, THIS CAN CAUSE

ABBERANT EFFECTS IN YOUR CODE• MUST USE LATEST DYNAMIC EC2 INVENTORY SCRIPT

• THE INVENTORY SCRIPT HAS ISSUES WITH MFA REQUIREMENTS

INFO AND EXAMPLE CODE

• BLOG: HTTP://WWW.DRIVENBYDEVOPS.IO/AWS-ANSIBLE-AND-ASSUMED-ROLES

• GITHUB: HTTPS://GITHUB.COM/DARKNESSNZ/ANSIBLE_STS_ASSUME_ROLE

• INVENTORY SCRIPT: HTTPS://RAW.GITHUBUSERCONTENT.COM/ANSIBLE/ANSIBLE/DEVEL/CONTRIB/INVENTORY/EC2.PY

• STS_ASSUME_ROLE: HTTP://DOCS.ANSIBLE.COM/ANSIBLE/STS_ASSUME_ROLE_MODULE.HTML

Ansible AWS an Assumed Roles

Technology

Ansible v2 and Beyond (Ansible NYC Meetup)

Automating AWS with Ansible

ANSIBLE michaellessard Introduction à Ansible - atelier ... · 3 RHUG Ansible Workshop ORDRE DU JOUR Formation Ansible Introduction à Ansible Variables Ansible + LABO Commande Ansible

Bootstrapping Ansible Documents/Ansible_Bootstrap.pdf · Installation vom Satellite + Ansible direkt vom Tower Ansible via Puppet - von Ansible Tower - mit ansible-pull Ansible direkt

Ansible Tower AWS Windows Application Deployment · demo I used ‘ansible-aws-demo’), and the JOB TYPE needs to be ‘Run’. Use the inventory we created in the step prior ‘ansible-aws-demo’,

Ansible 2 and Ansible Galaxy 2

s3.amazonaws.com · AWS Authentication and Region • Ansible Playbooks Ansible Modules Tasks and Modifications Executing a Playbook Frequently Asked Questions Introduction is a tool

Ansible Tower Administration Guide - Ansible Documentation · Ansible Tower Administration Guide, Release Ansible Tower 3.4.1 Ansible Tower counts Managed Nodes by the number of hosts

Ansible Tower Administration Guide...Ansible Tower Administration Guide, Release Ansible Tower 3.1.1 Thank you for your interest in Ansible Tower by Red Hat. Ansible Tower is a commercial

Ansible Tower API Guide - Ansible Documentation · Ansible Tower API Guide, Release Ansible Tower 2.4.5 Thank you for your interest in Ansible Tower by Red Hat. Ansible Tower is a

Introduction to Ansible Collections › 2020 › schedule › event › ansible...Introduction to Ansible Collections Ganesh Nalawade Principal Software Engineer Ansible Engineering

Introduction to Ansible - Tetranoodletetranoodle.com/.../uploads/2017/11/Module-02_Ansible.pdfAnsible Introduction Ansible Playbook YAML Ansible Installation and Configuration Ansible

Ansible-driver Version 1 · 1 Overview of Ansible driver This chapter explains Ansible, AnsibleTower, and Ansible driver. 1.1 About Ansible Ansible is a platform construction automation

Fast, Reliable, Secure, Affordable MongoDB on AWS EC2 · • A configuration management system (AWS OpsWorks, Chef, Ansible, SaltCloud, etc.) configures each new instance upon first

Ansible Tower on the AWS Cloud - Amazon S3 · Amazon Web Services – Ansible Tower on the AWS Cloud May 2017 Page 3 of 35 About This Guide This Quick Start reference deployment guide

AWS and Ansible - Red Hat€¦ · AWS and Ansible Automating Scalable (and Repeatable) Architecture Timothy Appnel, Principal Product Manager, Ansible by Red Hat David Duncan, Partner

Ansible Advanced - FrOSCon · ABOUT INTRODUCTION PLAYBOOKS IN DEEP WHAT’S NEW Amazon AWS Upcoming topics END Ansible Advanced Oleg Fiksel Security Consultant @ …

DevOps · ANSIBLE Introduction to Ansible.Ansible mechanism. Ansible installation in AWS instance.Ansible configuration.Playing with ansible adhoc commands.Creating simple play book.Playbook

Ansible on AWS

Ansible + Hadoop - Fierce Softwarefiercesw.com/wp-content/uploads/2017/02/ansible-nova-hortonworks...Prepare Infrastructure ... ansible-hadoop ... Easily created an AWS environment