2017-02-06 5 views

How to set AWS access keys on a remote EC2 server via Ansible?

I have the following playbook:

    - hosts: localhost
      connection: local
      remote_user: test
      gather_facts: no

      vars_files:
        - files/aws_creds.yml
        - files/info.yml

      tasks:
        - name: Basic provisioning of EC2 instance
          ec2:
            assign_public_ip: no
            aws_access_key: "{{ aws_id }}"
            aws_secret_key: "{{ aws_key }}"
            region: "{{ aws_region }}"
            image: "{{ standard_ami }}"
            instance_type: "{{ free_instance }}"
            key_name: "{{ ssh_keyname }}"
            count: 3
            state: present
            group_id: "{{ secgroup_id }}"
            #vpc_subnet_id: "{{ private_subnet_id }}"
            wait: no
            #delete_on_termination: yes
            instance_tags:
              Name: Dawny33Template
          register: ec2

        - name: Add new instance to host group
          add_host:
            hostname: "{{ item.public_ip }}"
            groupname: launched
          with_items: "{{ ec2.instances }}"

        - name: Wait for SSH to come up
          wait_for:
            host: "{{ item.public_dns_name }}"
            port: 22
            delay: 60
            timeout: 320
            state: started
          with_items: "{{ ec2.instances }}"

        - name: Install dependencies
          yum:
            name: git
            state: present
          sudo: yes

        - name: Install Python libs
          easy_install:
            name: boto3
            state: latest
          sudo: yes

        - name: check out a git repository
          git: repo={{ repo_url }} dest=/home/ec2-user/AnsibleDir/GitRepo accept_hostkey=yes force=yes
          vars:
            repo_url: https://github.com/Dawny33/AnsibleExperiments
          become: yes

        - name: Go to the folder and execute command
          command: chmod 0755 /home/ec2-user/AnsibleDir/GitRepo/processing.py
          become: yes
          become_user: root

        - name: Set credentials
          shell: export AWS_ACCESS_KEY_ID=''
          become: yes
          become_user: root

        - name: Set credentials2
          shell: export AWS_SECRET_ACCESS_KEY=''
          become: yes
          become_user: root

        - name: Run Py script
          command: /home/ec2-user/AnsibleDir/GitRepo/processing.py {{ N }} {{ bucket_name }}
          become: yes
          become_user: root

        - name: Terminate instances that were previously launched
          connection: local
          become: false
          ec2:
            state: 'absent'
            instance_ids: '{{ ec2.instance_ids }}'
            region: '{{ aws_region }}'

In it, I check out a git repository and run a .py file that uses boto.

So how do I set up AWS credentials on the dynamically created EC2 instances? Is there an Ansible module for this?

PS: The shell modules for exporting the keys don't work. They throw the following error:

"stderr": "sh: s3cmd: command not found\nTraceback (most recent call last):\n File \"/home/ec2-user/AnsibleDir/GitRepo/processing.py\", line 48, in <module>\n print get_details(N, str(bucket_name))\n File \"/home/ec2-user/AnsibleDir/GitRepo/processing.py\", line 37, in get_details\n for obj in bucket.objects.all():\n File \"/usr/local/lib/python2.7/site-packages/boto3-1.4.4-py2.7.egg/boto3/resources/collection.py\", line 83, in __iter__\n for page in self.pages():\n File \"/usr/local/lib/python2.7/site-packages/boto3-1.4.4-py2.7.egg/boto3/resources/collection.py\", line 166, in pages\n for page in pages:\n File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/paginate.py\", line 102, in __iter__\n response = self._make_request(current_kwargs)\n File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/paginate.py\", line 174, in _make_request\n return self._method(**current_kwargs)\n File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/client.py\", line 253, in _api_call\n return self._make_api_call(operation_name, kwargs)\n File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/client.py\", line 530, in _make_api_call\n operation_model, request_dict)\n File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/endpoint.py\", line 141, in make_request\n return self._send_request(request_dict, operation_model)\n File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/endpoint.py\", line 166, in _send_request\n request = self.create_request(request_dict, operation_model)\n File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/endpoint.py\", line 150, in create_request\n operation_name=operation_model.name)\n File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/hooks.py\", line 227, in emit\n return self._emit(event_name, kwargs)\n File 
\"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/hooks.py\", line 210, in _emit\n response = handler(**kwargs)\n File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/signers.py\", line 90, in handler\n return self.sign(operation_name, request)\n File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/signers.py\", line 147, in sign\n auth.add_auth(request)\n File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/auth.py\", line 679, in add_auth\n raise NoCredentialsError\nbotocore.exceptions.NoCredentialsError: Unable to locate credentials", 
    "stdout": "", 
    "stdout_lines": [], 
    "warnings": [] 
} 

Script: https://github.com/Dawny33/AnsibleExperiments/blob/master/processing.py

Answer


You can do one of the following:

1) As @konstantin suggested in a comment on your question, you can export the keys as environment variables.

2) For AWS/AWS EC2 deployments that require API keys, you can use IAM instance roles that have the access your application requires.

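Both approaches from the answer in playbook form, as an added example that is not part of the original question or answer. The second play also shows why the question's separate `shell: export ...` tasks cannot work (each task runs in its own process) and sets the keys with the task-level `environment:` keyword instead. It reuses the variables from the question's playbook (aws_id, aws_key, aws_region, standard_ami, free_instance, ssh_keyname, secgroup_id, N, bucket_name) and assumes a hypothetical IAM instance profile named s3-reader-role that grants the S3 access processing.py needs.

```yaml
# Added example; assumes the question's variables and a hypothetical
# IAM instance profile "s3-reader-role" with the S3 access the script needs.
- hosts: localhost
  connection: local
  gather_facts: no
  vars_files:
    - files/aws_creds.yml
    - files/info.yml
  tasks:
    # Option 2: attach an IAM instance profile at launch. boto3 on the
    # instance then fetches temporary credentials from the instance
    # metadata service; no long-lived keys are written to the host.
    - name: Launch instance with an IAM instance profile
      ec2:
        aws_access_key: "{{ aws_id }}"
        aws_secret_key: "{{ aws_key }}"
        region: "{{ aws_region }}"
        image: "{{ standard_ami }}"
        instance_type: "{{ free_instance }}"
        key_name: "{{ ssh_keyname }}"
        group_id: "{{ secgroup_id }}"
        instance_profile_name: s3-reader-role   # hypothetical profile name
        wait: yes   # wait so public_ip is populated for add_host below
        instance_tags:
          Name: Dawny33Template
      register: ec2

    - name: Add new instance to host group
      add_host:
        hostname: "{{ item.public_ip }}"
        groupname: launched
      with_items: "{{ ec2.instances }}"

# Option 1: if static keys must be used, pass them with the task-level
# `environment:` keyword. A separate `shell: export ...` task has no
# effect, because every task runs in its own process.
- hosts: launched
  remote_user: ec2-user
  vars_files:
    - files/aws_creds.yml
    - files/info.yml
  tasks:
    - name: Run Py script with credentials scoped to this one task
      command: /home/ec2-user/AnsibleDir/GitRepo/processing.py {{ N }} {{ bucket_name }}
      environment:
        AWS_ACCESS_KEY_ID: "{{ aws_id }}"
        AWS_SECRET_ACCESS_KEY: "{{ aws_key }}"
        AWS_DEFAULT_REGION: "{{ aws_region }}"
      no_log: true   # keep the key values out of Ansible's task output
```

The wait_for, yum, easy_install and git tasks from the question would go in the second play before the script runs; they are omitted here.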

afaik the ansible ec2 modules don't support iam roles yet ...
