Posted: 23-Jan-2017 | Category: Technology | Uploaded by: james-morgan
Ansible & AWS Assumed Roles: A Short Example
Who am I?
• James Morgan (@bigjimmynz, [email protected])
• DevOps technical consultant for Open Systems Specialists
• Cloud infrastructure, automation, CI/CD processes
• Background as sysadmin/NOC for SaaS infrastructure and platforms
What problem are we solving?
• Increasingly common to have multiple AWS accounts
• User access controlled from a central account
• Roles allow users to assume privileges across roles with temporary credentials
• Ansible, in general, grabs the local default credentials
• Manual setup of assumed credentials to make playbooks work
Setup the AWS CLI
• Add profiles to the ~/.aws/config and ~/.aws/credentials files
• Test account operation with AWS CLI commands and `--profile`
• Useful tool: https://github.com/donnemartin/saws
• MFA not required, but dependent on IAM role configuration
AWS Security Token Service
• Allows requests for temporary, limited-privilege credentials for AWS Identity and Access Management (IAM)
• Requires:
  • Existing credentials for the primary account
  • The role ARN to become
  • Profile name
  • MFA device ARN, if MFA is to be used
The Ansible part
• Variable definitions to hold multiple credentials
• Variables containing the STS required information
• Playbook imports vars in standard Ansible syntax
• Use the sts_assume_role module
• It returns the new creds in the task outputs
• Set these values into facts
• Use the new facts as inputs for further tasks (or you can set environment vars for tasks)
With and without STS
• Example uses a var flag that turns STS functionality on/off
• `when` conditional can then disable tasks
• Use `| default(omit)` in credential assignments
• This will allow the use of default creds when STS=off
MFA functionality
• MFA requirements are determined by IAM setup and roles
• Need to acquire the MFA serial ARN, which will be located in your IAM account
• In the example it can be turned off like STS:
  • Remove MFA ARN from ~/.aws/config
  • Remove MFA ARN from Ansible STS vars (not just setting it blank)
  • The task will then omit that option from sts_assume_role
• Playbook argument or prompt for token value interactively
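The flow described on the last three slides, as one playbook: the STS inputs held in vars, sts_assume_role registered and copied into facts, a flag that turns the STS tasks off, `default(omit)` so the AWS tasks fall back to the local default creds, and MFA that drops out of the module call when its ARN is left undefined. This is an added example, not code from the deck or from the linked GitHub repo; the profile name, role ARN, account id, region, session length and the VPC module used as the "further task" are all assumptions.

```yaml
---
# Added example playbook; not the author's repo code. All values are constructed.
- name: Assume a role with STS, then run AWS tasks with the temporary creds
  hosts: localhost
  connection: local
  gather_facts: false

  vars:
    # Flag that turns the STS tasks on or off ("With and without STS")
    sts_enabled: true
    # Profile in ~/.aws/config and ~/.aws/credentials holding the primary creds (assumed name)
    sts_profile: central
    # Role in the target account to become (placeholder account id and role name)
    sts_role_arn: "arn:aws:iam::111111111111:role/ExampleDeployRole"
    sts_session_name: ansible-sts-example
    # Define this only when the role's trust policy requires MFA. Leave it
    # undefined (not blank) and the option is omitted from sts_assume_role.
    # sts_mfa_serial: "arn:aws:iam::111111111111:mfa/alice"

  vars_prompt:
    # Interactive prompt for the token; skipped when passed as -e mfa_token=123456
    - name: mfa_token
      prompt: "MFA token code (leave empty when MFA is not required)"
      private: true
      default: ""

  tasks:
    - name: Request temporary credentials from STS
      sts_assume_role:           # community.aws.sts_assume_role in collection-based Ansible
        profile: "{{ sts_profile }}"
        role_arn: "{{ sts_role_arn }}"
        role_session_name: "{{ sts_session_name }}"
        duration_seconds: 3600
        # Both MFA options drop out of the module call when not supplied
        mfa_serial_number: "{{ sts_mfa_serial | default(omit) }}"
        mfa_token: "{{ mfa_token if mfa_token | length > 0 else omit }}"
      register: assumed
      when: sts_enabled | bool

    - name: Copy the returned credentials into facts
      set_fact:
        sts_access_key: "{{ assumed.sts_creds.access_key }}"
        sts_secret_key: "{{ assumed.sts_creds.secret_key }}"
        sts_session_token: "{{ assumed.sts_creds.session_token }}"
      no_log: true               # keep the secret key and session token out of the log
      when: sts_enabled | bool

    - name: Show which identity the later tasks will run as
      debug:
        msg: "Acting as {{ assumed.sts_user.arn }} until {{ assumed.sts_creds.expiration }}"
      when: sts_enabled | bool

    # Every AWS task then takes the facts. default(omit) leaves the parameters
    # out entirely when sts_enabled is false, so the module falls back to the
    # local default credentials exactly as it would without STS.
    - name: List VPCs in the target account
      ec2_vpc_net_facts:         # renamed ec2_vpc_net_info in later releases
        aws_access_key: "{{ sts_access_key | default(omit) }}"
        aws_secret_key: "{{ sts_secret_key | default(omit) }}"
        security_token: "{{ sts_session_token | default(omit) }}"
        region: ap-southeast-2
      register: vpcs

    # Alternative to per-task parameters: export the facts as environment
    # variables for a task (or a block/play). Guarded so that empty values are
    # never exported when STS is switched off.
    - name: Same call through the AWS CLI using environment variables
      command: aws ec2 describe-vpcs --region ap-southeast-2
      environment:
        AWS_ACCESS_KEY_ID: "{{ sts_access_key }}"
        AWS_SECRET_ACCESS_KEY: "{{ sts_secret_key }}"
        AWS_SESSION_TOKEN: "{{ sts_session_token }}"
      changed_when: false
      when: sts_enabled | bool
```

Run it with `ansible-playbook sts_example.yml` and answer the prompt, or pass `-e mfa_token=123456` to skip the prompt; `-e sts_enabled=false` runs the VPC lookup against whatever credentials the AWS SDK finds locally. The trick the deck relies on is that `omit` removes the parameter rather than passing an empty string, which is why the MFA ARN must be deleted from the vars rather than set blank.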
Problems/limitations
• Been using the latest branch of Ansible
• As changes happen in Ansible development, this can cause aberrant effects in your code
• Must use the latest dynamic EC2 inventory script
• The inventory script has issues with MFA requirements
Info and example code
• Blog: http://www.drivenbydevops.io/aws-ansible-and-assumed-roles
• GitHub: https://github.com/darknessnz/ansible_sts_assume_role
• Inventory script: https://raw.githubusercontent.com/ansible/ansible/devel/contrib/inventory/ec2.py
• sts_assume_role: http://docs.ansible.com/ansible/sts_assume_role_module.html