Ansible Berlin Presentation

1. Assuming AWS-roles in Playbooks
Doug Bridgens
heyjobs.de
27/Nov/2018
(experimental)

2. AWS Multi-Account Best Practice

3. Ansible + Admin Account = BFG

4. aws_assume_role_wrapper
- pre-checks
- try load from cache
- else call AWS sts-assume-role
- set convenience vars
- save tokens to cache

5. pre-checks
# tasks file for roles/aws_assume_role_wrapper
- name: Get the current caller identity facts
aws_caller_facts:
register: aws_caller_facts
- name: set caller facts
set_fact:
aws_user_name: "{{ aws_caller_facts.arn.split('/')[1] }}"
aws_user_account: "{{ aws_caller_facts.account }}"
- name: ensure we have a username set
fail:
msg: "aws_user_name or aws_user_account not defined..."
when:
- aws_user_name is undefined
- aws_user_account is undefined

6. Try load from cache
# tasks file for roles/aws_assume_role_wrapper
- name: "Check for {{ cache_path }}{{ cache_file_name }}"
find:
path: "{{ cache_path }}"
file_type: file
age: "{{ cache_time }}"
age_stamp: mtime
patterns: "{{ cache_file_name }}"
register: stat_cache_file
- include_vars:
file: "{{ cache_path }}{{ cache_file_name }}"
name: aws_assume_role
when:
- stat_cache_file.matched == 1
- stat_cache_file.files[0].size > 0
# defaults file for roles/aws_assume_role_wrapper
cache_path: ~/.aws/
cache_file_name: “ansible_aws_assume_role.
{{ aws_account_id }}.{{ aws_role_session_name }}.cache"
cache_time: -10m
vars:
tasks:

7. Else, call assume-role
# tasks file for roles/aws_assume_role_wrapper
- name: require user supplied MFA code
pause:
prompt: "Enter mfa to assume role: {{ aws_role_session_name }}"
register: user_supplied_mfa_code
when:
- aws_assume_role is undefined
- name: call aws-assume-role to get temp sts credentials
sts_assume_role:
mfa_serial_number: "arn:aws:iam::{{ aws_user_account }}:mfa/{{ aws_user_name }}"
mfa_token: "{{ user_supplied_mfa_code.user_input }}"
role_arn: "{{ switch_to_aws_role_arn }}"
role_session_name: "{{ aws_role_session_name }}"
register: assumed_role
when:
- aws_assume_role is undefined

8. Set facts (vars)
# tasks file for roles/aws_assume_role_wrapper
- name: convenience vars for AWS assumed-role credentials
set_fact:
sts_aws_access_key: "{{ assumed_role.sts_creds.access_key }}"
sts_aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}"
sts_security_token: "{{ assumed_role.sts_creds.session_token }}"
sts_assumed_role_id: "{{ assumed_role.sts_user.assumed_role_id }}"
when:
- aws_assume_role is undefined

9. Finally Cache Credentials
# tasks file for roles/aws_assume_role_wrapper
- name: "cache aws-assume-role sts credentials to {{ cache_path }}{{ cache_file_name }}"
copy:
content: "{{ assumed_role }}"
dest: "{{ cache_path }}{{ cache_file_name }}"
when:
- aws_assume_role is undefined

10. Using Assume-Role in Playbooks

11. Using Assume-Role in Tasks
---
# tasks file for roles/aws_iam_create_dev_users
- name: "Create users: using {{ sts_assumed_role_id }}"
iam_user:
name: "{{ create_user }}"
state: present
aws_access_key: "{{ sts_aws_access_key }}"
aws_secret_key: "{{ sts_aws_secret_key }}"
security_token: "{{ sts_security_token }}"

12. Demo

13. Summary
Enables easy use of granular AWS-roles
Will be extended to override MFA requirement
Could be improved with cleaner caching mechanism

14. EOF