Upload File

ansible aws an assumed roles

10
ANSIBLE & AWS ASSUMED ROLES A SHORT EXAMPLE

Upload: james-morgan

Post on 23-Jan-2017

62 views

Category:

Technology


0 download

Report

TRANSCRIPT

Page 1: Ansible AWS an Assumed Roles

ANSIBLE&

AWS ASSUMED ROLESA SHORT EXAMPLE

Page 2: Ansible AWS an Assumed Roles

WHO AM I ?

• JAMES MORGAN ( @BIGJIMMYNZ, [email protected] )

• DEVOPS TECHNICAL CONSULTANT FOR OPEN SYSTEMS SPECIALISTS

• CLOUD INFRASTRUCTURE, AUTOMATION, CI/CD PROCESSES• BACKGROUND AS SYSADMIN/NOC FOR SAAS

INFRASTRUCTURE AND PLATFORMS

mailto:[email protected]
Page 3: Ansible AWS an Assumed Roles

WHAT PROBLEM ARE WE SOLVING?

• INCREASINGLY COMMON TO HAVE MULTIPLE AWS ACCOUNTS• USER ACCESS CONTROLLED FROM CENTRAL ACCOUNT• ROLES ALLOW USERS TO ASSUME PRIVILEGES ACROSS ROLES

WITH TEMP CREDS• ANSIBLE, IN GENERAL, GRABS THE LOCAL DEFAULT CREDS• MANUAL SETUP OF ASSUMED CREDS TO MAKE PLAYBOOKS

WORK

Page 4: Ansible AWS an Assumed Roles

SETUP THE AWS CLI

• ADD PROFILES TO THE ~/.AWS/CONFIG AND ~/AWS/CREDENTIALS FILES

• TEST ACCOUNT OPERATION WITH AWS CLI COMMANDS AND ‘—PROFILE’• USEFUL TOOL: HTTPS://GITHUB.COM/DONNEMARTIN/SAWS

• MFA NOT REQUIRED BUT DEPENDENT ON IAM ROLE CONFIGURATION

https://github.com/donnemartin/saws
https://github.com/donnemartin/saws
Page 5: Ansible AWS an Assumed Roles

AWS SECURITY TOKEN SERVICE• ALLOWS REQUESTS FOR TEMPORARY, LIMITED-PRIVILEGE

CREDENTIALS FOR AWS IDENTITY AND ACCESS MANAGEMENT (IAM)

• REQUIRES• EXISTING CREDENTIALS FOR PRIMARY ACCOUNT• THE ROLE ARN TO BECOME• PROFILE NAME• MFA DEVICE ARN IS MFA IS TO BE USED

Page 6: Ansible AWS an Assumed Roles

THE ANSIBLE PART

• VARIABLE DEFINITIONS TO HOLD MULTIPLE CREDENTIALS• VARIABLES CONTAINING STS REQUIRED INFORMATION• PLAYBOOK IMPORTS VARS IN STANDARD ANSIBLE SYNTAX• USE THE STS_ASSUME_ROLE MODULE

• IT RETURNS THE NEW CREDS IN THE TASK OUTPUTS• SET THESE VALUES INTO FACTS• USE THE NEW FACTS AS INPUTS FOR FURTHER TASKS (OR YOU CAN SET

ENVIRONMENT VARS FOR TASKS)

Page 7: Ansible AWS an Assumed Roles

WITH AND WITHOUT STS

• EXAMPLE USES A VAR FLAG THAT TURNS STS FUNCTIONALITY ON/OFF• WHEN CONDITIONAL CAN THEN DISABLE TASKS

• USE “| DEFAULT(OMIT)” IN CREDENTIAL ASSIGNMENTS• THIS WILL ALLOW THE USE OF DEFAULT CREDS WHEN STS=OFF

Page 8: Ansible AWS an Assumed Roles

MFA FUNCTIONALITY

• MFA REQUIREMENTS ARE DETERMINED BY IAM SETUP AND ROLES• NEED TO ACQUIRE THE MFA SERIAL ARN WHICH WILL BE

LOCATED IN YOUR IAM ACCOUNT• IN THE EXAMPLE IT CAN BE TURNED OFF LIKE STS

• REMOVE MFA ARN FROM ~/.AWS/CONFIG• REMOVE MFA ARN FROM ANSIBLE STS VARS (NOT JUST SETTING IT BLANK)• THE TASK WILL THEN OMIT THAT OPTION FROM STS_ASSUME_ROLE

• PLAYBOOK ARGUMENT OR PROMPT FOR TOKEN VALUE INTERACTIVELY

Page 9: Ansible AWS an Assumed Roles

PROBLEMS/LIMITATIONS

• BEEN USING THE LATEST BRANCH OF ANSIBLE• AS CHANGES HAPPEN IN ANSIBLE DEVELOPMENT, THIS CAN CAUSE

ABBERANT EFFECTS IN YOUR CODE• MUST USE LATEST DYNAMIC EC2 INVENTORY SCRIPT

• THE INVENTORY SCRIPT HAS ISSUES WITH MFA REQUIREMENTS

Page 10: Ansible AWS an Assumed Roles

INFO AND EXAMPLE CODE

• BLOG: HTTP://WWW.DRIVENBYDEVOPS.IO/AWS-ANSIBLE-AND-ASSUMED-ROLES

• GITHUB: HTTPS://GITHUB.COM/DARKNESSNZ/ANSIBLE_STS_ASSUME_ROLE

• INVENTORY SCRIPT: HTTPS://RAW.GITHUBUSERCONTENT.COM/ANSIBLE/ANSIBLE/DEVEL/CONTRIB/INVENTORY/EC2.PY

• STS_ASSUME_ROLE: HTTP://DOCS.ANSIBLE.COM/ANSIBLE/STS_ASSUME_ROLE_MODULE.HTML

http://www.drivenbydevops.io/aws-ansible-and-assumed-roles
http://www.drivenbydevops.io/aws-ansible-and-assumed-roles
https://github.com/darknessnz/ansible_sts_assume_role
https://raw.githubusercontent.com/ansible/ansible/devel/contrib/inventory/ec2.py
https://raw.githubusercontent.com/ansible/ansible/devel/contrib/inventory/ec2.py
https://raw.githubusercontent.com/ansible/ansible/devel/contrib/inventory/ec2.py
http://docs.ansible.com/ansible/sts_assume_role_module.html
http://docs.ansible.com/ansible/sts_assume_role_module.html

Operators with Kubernetes Ansible - Fierce Software · Ansible NOVA Meetup May 30, 2019 Kubernetes Operators with Ansible Tim Appnel Senior Product Manager, Ansible. The Ansible Operator

Ansible Tower Introduction to Ansible Engine and

Ansible + Hadoop - Fierce Softwarefiercesw.com/wp-content/uploads/2017/02/ansible-nova-hortonworks...Prepare Infrastructure ... ansible-hadoop ... Easily created an AWS environment

Ansible Tower on the AWS Cloud - Amazon S3 · Amazon Web Services – Ansible Tower on the AWS Cloud May 2017 Page 3 of 35 About This Guide This Quick Start reference deployment guide

Ansible from Introduction to Amazon AWS

Ansible Advanced - FrOSCon · ABOUT INTRODUCTION PLAYBOOKS IN DEEP WHAT’S NEW Amazon AWS Upcoming topics END Ansible Advanced Oleg Fiksel Security Consultant @ …

AWS as a code - using ansible

Ansible 101 - Presentation at Ansible STL Meetup

Go Faster with Ansible (AWS meetup)

Ansible Tower on the AWS Cloud - · PDF fileAnsible Tower on the AWS Cloud Quick Start Reference Deployment Tony Vattathil Solutions Architect, AWS Quick Start Reference Team April

AWS - Infoblox · Automated IP and DNS provisioning of apps in AWS for faster time-to-market . Demo. Feature Spotlight: API Proxy AWS API Client (Eg: Ansible, Puppet, Chef scripts

Micro services infrastructure with AWS and Ansible

Ansible and AWS

Introduction to Ansible - Tetranoodletetranoodle.com/.../uploads/2017/11/Module-02_Ansible.pdfAnsible Introduction Ansible Playbook YAML Ansible Installation and Configuration Ansible

Fast, Reliable, Secure, Affordable MongoDB on AWS EC2 · • A configuration management system (AWS OpsWorks, Chef, Ansible, SaltCloud, etc.) configures each new instance upon first

Ansible ハンズオン on AWS - DevelopersIO 2017

Ansible for DevOps - mindg.cn | Python Aws DevOps · AnsibleforDevOps Serverandconfigurationmanagementforhumans JeffGeerling Thisbookisforsaleat

Formations - INEAT academy€¦ · Docker Rancher Ansible Terraform Sécurité AWS Scrum Jira Confluence Design Thinking Business Intelligence Elassandra Cassandra Elasticsearch Qualité

Ansible v2 and Beyond (Ansible NYC Meetup)

Automating AWS with Ansible

Ansible Tower Introduction to Ansible Engine and · application environments in Ansible Playbooks. Ansible Engine is a supported product built from the Ansible community project

Bootstrapping Ansible Documents/Ansible_Bootstrap.pdf · Installation vom Satellite + Ansible direkt vom Tower Ansible via Puppet - von Ansible Tower - mit ansible-pull Ansible direkt

Developing Ansible Playbooks on Windows · Ansible : Copy folder to Remote Host Ansible. Run Ansible Playbook in Cloud Shell Ansible. Run Ansible Playbook in Docker Ansible. Run Ansible

DevOps · ANSIBLE Introduction to Ansible.Ansible mechanism. Ansible installation in AWS instance.Ansible configuration.Playing with ansible adhoc commands.Creating simple play book.Playbook

ANSIBLE michaellessard Introduction à Ansible - atelier ... · 3 RHUG Ansible Workshop ORDRE DU JOUR Formation Ansible Introduction à Ansible Variables Ansible + LABO Commande Ansible

Ansible, MongoDB Ops Manager and AWS v1.1

Introduction to Ansible Collections › 2020 › schedule › event › ansible...Introduction to Ansible Collections Ganesh Nalawade Principal Software Engineer Ansible Engineering

Provisioning using Ansible in AWS

Ansible Tower AWS Windows Application Deployment · demo I used ‘ansible-aws-demo’), and the JOB TYPE needs to be ‘Run’. Use the inventory we created in the step prior ‘ansible-aws-demo’,

IT Automation with Ansible-Tower : Introduction to Ansible & Ansible Tower

Ansible on AWS

AWS and Ansible - Red Hat€¦ · AWS and Ansible Automating Scalable (and Repeatable) Architecture Timothy Appnel, Principal Product Manager, Ansible by Red Hat David Duncan, Partner

AWS での Ansible Tower - クイックスタートリファレ … · AWS での Ansible Tower クイックス タートリファレンスデプロイガイド AWS クラウドでの

Ansible-driver Version 1 · 1 Overview of Ansible driver This chapter explains Ansible, AnsibleTower, and Ansible driver. 1.1 About Ansible Ansible is a platform construction automation

DevOps in a Regulated World - aka 'Ansible, AWS, and Jenkins