Add a hack to make AWS Roles usable

Enable using a manually-generated session token for AWS Roles. A better solution would be to use https://docs.ansible.com/ansible/latest/modules/sts_assume_role_module.html, but I'm not sure how to add the conditional logic required to add that to the Streisand setup workflow.
StreisandEffect · Apr 2, 2019 · 88769e9 · 88769e9
1 parent 8f06cad
commit 88769e9
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 2 deletions.
diff --git a/playbooks/amazon.yml b/playbooks/amazon.yml
@@ -63,7 +63,6 @@
 
  - name: "aws_vpc_id_var"
  prompt: |
-
  In which VPC would you like to create the server and security group
  (e.g. vpc-89d740ee)?
 
@@ -72,7 +71,6 @@
 
  - name: "aws_vpc_subnet_id_var"
  prompt: |
-
  From which subnet should the server receive an address (e.g. subnet-78d9a232)?
 
  Press enter to use the default subnet.
@@ -91,6 +89,16 @@
  prompt: "\nWhat is your AWS Secret Access Key?\n"
  private: no
 
+ - name: "aws_session_token"
+ prompt: |
+ If you use AWS Roles, see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html
+ then get a session token by running 'aws sts get-caller-identity --profile <profile>' and finding
+ it in ~/.aws/cli/cache/*.json.
+
+ What is your AWS Session Token? Press enter for default (no token).
+ default: ""
+ private: no
+
  - name: "confirmation"
  prompt: "\nStreisand will now set up your server. This process usually takes around ten minutes. Press Enter to begin setup...\n"
 

diff --git a/playbooks/roles/ec2-security-group/tasks/main.yml b/playbooks/roles/ec2-security-group/tasks/main.yml
@@ -7,6 +7,7 @@
  vpc_id: "{{ aws_vpc_id | default(omit) }}"
  aws_access_key: "{{ aws_access_key }}"
  aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
 
 - name: Pause for fifteen seconds to ensure the EC2 security group has been created
  pause:
@@ -20,6 +21,7 @@
  vpc_id: "{{ aws_vpc_id | default(omit) }}"
  aws_access_key: "{{ aws_access_key }}"
  aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
  rules:
  # Nginx
  # ---
@@ -55,6 +57,7 @@
  vpc_id: "{{ aws_vpc_id | default(omit) }}"
  aws_access_key: "{{ aws_access_key }}"
  aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
  purge_rules: no
  purge_rules_egress: no
  rules:
@@ -82,6 +85,7 @@
  vpc_id: "{{ aws_vpc_id | default(omit) }}"
  aws_access_key: "{{ aws_access_key }}"
  aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
  purge_rules: no
  purge_rules_egress: no
  rules:
@@ -109,6 +113,7 @@
  vpc_id: "{{ aws_vpc_id | default(omit) }}"
  aws_access_key: "{{ aws_access_key }}"
  aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
  purge_rules: no
  purge_rules_egress: no
  rules:
@@ -130,6 +135,7 @@
  vpc_id: "{{ aws_vpc_id | default(omit) }}"
  aws_access_key: "{{ aws_access_key }}"
  aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
  purge_rules: no
  purge_rules_egress: no
  rules:
@@ -157,6 +163,7 @@
  vpc_id: "{{ aws_vpc_id | default(omit) }}"
  aws_access_key: "{{ aws_access_key }}"
  aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
  purge_rules: no
  purge_rules_egress: no
  rules:
@@ -184,6 +191,7 @@
  vpc_id: "{{ aws_vpc_id | default(omit) }}"
  aws_access_key: "{{ aws_access_key }}"
  aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
  purge_rules: no
  purge_rules_egress: no
  rules:

diff --git a/playbooks/roles/genesis-amazon/tasks/main.yml b/playbooks/roles/genesis-amazon/tasks/main.yml
@@ -13,6 +13,7 @@
  state: absent
  aws_access_key: "{{ aws_access_key }}"
  aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
  region: "{{ aws_region }}"
  wait: yes
 
@@ -22,13 +23,15 @@
  key_material: "{{ ssh_key.stdout }}"
  aws_access_key: "{{ aws_access_key }}"
  aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
  region: "{{ aws_region }}"
  wait: yes
 
 - name: Determine which AMI to use
  ec2_ami_facts:
  aws_access_key: "{{ aws_access_key }}"
  aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
  owners: "{{ aws_ami_owner }}"
  region: "{{ aws_region }}"
  filters:
@@ -39,6 +42,7 @@
  ec2:
  aws_access_key: "{{ aws_access_key }}"
  aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
  instance_type: "{{ aws_instance_type }}"
  image: "{{ ami.images|sort(reverse=True,attribute='name')|map(attribute='image_id')|first }}"
  region: "{{ aws_region }}"
@@ -58,6 +62,7 @@
  state: present
  aws_access_key: "{{ aws_access_key }}"
  aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
  region: "{{ aws_region }}"
  namespace: "AWS/EC2"
  metric: StatusCheckFailed_System
@@ -83,6 +88,7 @@
  ec2_eip:
  aws_access_key: "{{ aws_access_key }}"
  aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ aws_session_token }}"
  region: "{{ aws_region }}"
  device_id: "{{ streisand_server.instances[0].id }}"
  in_vpc: "{{ aws_vpc_id is defined and aws_vpc_id != '' }}"