From bdae0aab5551cb601bb3a1115ed458c6c8dc376e Mon Sep 17 00:00:00 2001
From: Michael Smith
Date: Tue, 2 Apr 2019 12:18:11 -0700
Subject: [PATCH] Add a hack to make AWS Roles usable

Enable using a manually-generated session token for AWS Roles. A better solution would be to use https://docs.ansible.com/ansible/latest/modules/sts_assume_role_module.html, but I'm not sure how to add the conditional logic required to add that to the Streisand setup workflow.
---
 playbooks/amazon.yml | 10 ++++++++++
 playbooks/roles/ec2-security-group/tasks/main.yml | 8 ++++++++
 playbooks/roles/genesis-amazon/tasks/main.yml | 6 ++++++
 3 files changed, 24 insertions(+)

diff --git a/playbooks/amazon.yml b/playbooks/amazon.yml
index 1a013cef0..f9de2a19b 100644
--- a/playbooks/amazon.yml
+++ b/playbooks/amazon.yml
@@ -91,6 +91,16 @@
 prompt: "\nWhat is your AWS Secret Access Key?\n"
 private: no
+ - name: "aws_session_token"
+ prompt: |
+ If you use AWS Roles, see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html
+ then get a session token by running 'aws sts get-caller-identity --profile ' and finding
+ it in ~/.aws/cli/cache/*.json.
+
+ What is your AWS Session Token? Press enter for default (no token).
+ default: ""
+ private: no
+
 - name: "confirmation"
 prompt: "\nStreisand will now set up your server. This process usually takes around ten minutes. Press Enter to begin setup...\n"
diff --git a/playbooks/roles/ec2-security-group/tasks/main.yml b/playbooks/roles/ec2-security-group/tasks/main.yml
index 849cc83a3..c0b0f0d74 100644
--- a/playbooks/roles/ec2-security-group/tasks/main.yml
+++ b/playbooks/roles/ec2-security-group/tasks/main.yml
@@ -7,6 +7,7 @@
 vpc_id: "{{ aws_vpc_id | default(omit) }}"
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 - name: Pause for fifteen seconds to ensure the EC2 security group has been created
 pause: 
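Review bot: The new `aws_session_token` prompt sets `private: no`, so the session token is echoed to the terminal and ends up in scrollback and any session recording; it is a credential like the secret key and should be entered hidden, `private: yes` (the `default: ""` still works with a hidden prompt). The instruction text also appears incomplete as rendered here: `'aws sts get-caller-identity --profile '` is followed by nothing, so either a placeholder such as `<profile-name>` was lost or it should be added so users know what to fill in. Since the token is read from the CLI's credential cache, the prompt should also state that it is temporary and that a fresh one must be obtained if setup is rerun after it expires, e.g. append `Note: session tokens expire; obtain a fresh one if you rerun setup later.` to the block scalar. The 6-line context here shows the existing secret-key prompt also uses `private: no`; that is pre-existing, but copying it into the new prompt repeats the exposure.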
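Review bot: The added `security_token: "{{ aws_session_token }}"` makes every AWS task hard-fail with an undefined-variable error whenever `aws_session_token` is not set, which happens as soon as the playbook is driven by an inventory or `-e` vars instead of the interactive `vars_prompt` that this commit adds in playbooks/amazon.yml. The file already has an idiom for optional module arguments on the `vpc_id` line two lines above, `"{{ aws_vpc_id | default(omit) }}"`, so the new line should follow it: `security_token: "{{ aws_session_token | default(omit) }}"`. If the empty-string default from the prompt is not treated the same as an absent token by the module (I have not verified how boto handles `''` here), `default(omit, true)` omits the argument on an empty value as well. The same change applies to the other seven hunks in this file (-20, -55, -82, -109, -130, -157, -184) and to all six hunks in playbooks/roles/genesis-amazon/tasks/main.yml.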
@@ -20,6 +21,7 @@
 vpc_id: "{{ aws_vpc_id | default(omit) }}"
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 rules:
 # Nginx
 # ---
@@ -55,6 +57,7 @@
 vpc_id: "{{ aws_vpc_id | default(omit) }}"
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 purge_rules: no
 purge_rules_egress: no
 rules:
@@ -82,6 +85,7 @@
 vpc_id: "{{ aws_vpc_id | default(omit) }}"
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 purge_rules: no
 purge_rules_egress: no
 rules:
@@ -109,6 +113,7 @@
 vpc_id: "{{ aws_vpc_id | default(omit) }}"
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 purge_rules: no
 purge_rules_egress: no
 rules:
@@ -130,6 +135,7 @@
 vpc_id: "{{ aws_vpc_id | default(omit) }}"
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 purge_rules: no
 purge_rules_egress: no
 rules:
@@ -157,6 +163,7 @@
 vpc_id: "{{ aws_vpc_id | default(omit) }}"
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 purge_rules: no
 purge_rules_egress: no
 rules:
@@ -184,6 +191,7 @@
 vpc_id: "{{ aws_vpc_id | default(omit) }}"
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 purge_rules: no
 purge_rules_egress: no
 rules:
diff --git a/playbooks/roles/genesis-amazon/tasks/main.yml b/playbooks/roles/genesis-amazon/tasks/main.yml
index 003be7e5c..89b40ae97 100644
--- a/playbooks/roles/genesis-amazon/tasks/main.yml
+++ b/playbooks/roles/genesis-amazon/tasks/main.yml
@@ -13,6 +13,7 @@
 state: absent
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 region: "{{ aws_region }}"
 wait: yes
@@ -22,6 +23,7 @@
 key_material: "{{ ssh_key.stdout }}"
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 region: "{{ aws_region }}"
 wait: yes
@@ -29,6 +31,7 @@
 ec2_ami_facts:
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 owners: "{{ aws_ami_owner }}"
 region: "{{ aws_region }}"
 filters:
@@ -39,6 +42,7 @@
 ec2:
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 instance_type: "{{ aws_instance_type }}"
 image: "{{ ami.images|sort(reverse=True,attribute='name')|map(attribute='image_id')|first }}"
 region: "{{ aws_region }}"
@@ -58,6 +62,7 @@
 state: present
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 region: "{{ aws_region }}"
 namespace: "AWS/EC2"
 metric: StatusCheckFailed_System
@@ -83,6 +88,7 @@
 ec2_eip:
 aws_access_key: "{{ aws_access_key }}"
 aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 region: "{{ aws_region }}"
 device_id: "{{ streisand_server.instances[0].id }}"
 in_vpc: "{{ aws_vpc_id is defined and aws_vpc_id != '' }}"