Add _get_boto_client and STS token management. #25
Conversation
Pinging the plugin authors: @psharkey @hanumantharaomvl @gau1991 :)
Thanks for taking the time to submit this patch.
I think that we should be able to reuse some of the existing helpers rather than building something custom. Unfortunately I'm not at all familiar with connection plugins. Hopefully @jillr will be able to add their 2 cents.
Is there any update on when we might expect this change to be merged into stable? Thanks for the PR though - saved me some time as I've just come across this issue myself! If you need any assistance verifying please let me know! I have made a copy of this code and have been testing it in AWX - everything works as expected and the session token can be consumed from an external assumerole
Change looks sound, after a little digging my previous comments don't really hold true. @gau1991 (one of the authors) has +1ed so I think we're good to merge this.
Actually, two minor documentation things:
- Please add a changelog fragment https://docs.ansible.com/ansible/latest/community/development_process.html#changelogs-how-to
- We need a version_added entry on the new options.
Sorry things stalled out here for a while
Co-authored-by: Mark Chappell <[email protected]>
Cool, I'll squash the commits, add the changelog fragment and update the PR, thanks.
I made a mess with the pull requests, the correct one is #218 sorry about that.
…le-collections#25)
* Add hostname options concatenation in aws_ec2
* Add changelog fragment
* Add integration tests
* Rename template file
* Apply suggestions from @goneri's code review
* Apply new suggestions from @goneri's code review
* Ignore if prefix is empty
* Remove tag:name error
* Apply @goneri's patch
SUMMARY
Fixes #24
Add the following parameters to aws_ssm.py connection plugin:
ISSUE TYPE
COMPONENT NAME
This implements basic STS token management: the token components can be passed as parameters to the task when the aws_ssm connection plugin is used, and the parameters are scoped to the plugin namespace.
ADDITIONAL INFORMATION
If you have a role that you are allowed to assume in a target account, you need to assume that role in the target account before invoking the task; this example comes from an invocation using the Ansible APIs, where even after assuming the role in the target account, the connection plugin was still executing under the controller-node account session.
By implementing the changes in this PR I am able to pass an STS token as a parameter to the task, letting it execute under the target account context.
This change is also backward compatible: if nothing is specified (no OS environment variables, no parameters), the boto3 client will automatically select the default profile configured on the controller.
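The fallback order the description relies on (explicit plugin parameters, then environment variables, then the controller's default profile) is easy to get subtly wrong if the three credential values are resolved one at a time, because an access key from one source can end up paired with a secret or session token from another. The following is an added example, not code from this PR or from the aws_ssm plugin: the option names (access_key_id, secret_access_key, session_token, region) and the function names build_client_kwargs and get_boto_client are assumptions, since the PR's own parameter list is not reproduced on this page. The resolution logic runs without boto3; only the final helper imports it.

```python
import os

# Assumed plugin option name -> environment variable boto3 itself would read.
OPTION_TO_ENV = {
    "access_key_id": "AWS_ACCESS_KEY_ID",
    "secret_access_key": "AWS_SECRET_ACCESS_KEY",
    "session_token": "AWS_SESSION_TOKEN",
    "region": "AWS_DEFAULT_REGION",
}

# Assumed plugin option name -> keyword argument boto3.client() expects.
OPTION_TO_BOTO_KWARG = {
    "access_key_id": "aws_access_key_id",
    "secret_access_key": "aws_secret_access_key",
    "session_token": "aws_session_token",
    "region": "region_name",
}

CRED_FIELDS = ("access_key_id", "secret_access_key", "session_token")


def _credential_source(options, environ):
    """Pick ONE source for the credential triple.

    If any credential field is set explicitly, the explicit options win as a
    group; otherwise the environment is used as a group. This prevents an
    explicit static key from being paired with a stale AWS_SESSION_TOKEN
    left over in the controller's environment.
    """
    if any(options.get(f) for f in CRED_FIELDS):
        return {f: options.get(f) for f in CRED_FIELDS}
    return {f: environ.get(OPTION_TO_ENV[f]) for f in CRED_FIELDS}


def build_client_kwargs(options, environ=None):
    """Return the keyword arguments to hand to boto3.client().

    `options` is the plugin's option dict (unset values may be None).
    `environ` defaults to os.environ; it is a parameter so the logic can be
    exercised without touching the real process environment.
    An empty dict means "let boto3 use its default chain", which ends at the
    default profile configured on the controller.
    """
    environ = os.environ if environ is None else environ
    creds = _credential_source(options, environ)
    kwargs = {OPTION_TO_BOTO_KWARG[f]: v for f, v in creds.items() if v}

    region = options.get("region") or environ.get(OPTION_TO_ENV["region"])
    if region:
        kwargs["region_name"] = region

    # A half-specified static credential is a configuration error, not
    # something to silently complete from the default chain.
    has_key = "aws_access_key_id" in kwargs
    has_secret = "aws_secret_access_key" in kwargs
    if has_key != has_secret:
        raise ValueError("access key and secret key must be supplied together")
    if "aws_session_token" in kwargs and not has_key:
        raise ValueError("a session token is only meaningful with a temporary key pair")
    return kwargs


def get_boto_client(service, options, environ=None):
    """Build the boto3 client for `service` (e.g. "ssm").

    boto3 is imported lazily so the resolution logic above stays importable
    on hosts without it (assumption: boto3 is installed where the plugin runs).
    """
    import boto3
    return boto3.client(service, **build_client_kwargs(options, environ))


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    print(build_client_kwargs({}, environ={}))
    print(build_client_kwargs(
        {"access_key_id": "ASIAEXAMPLE", "secret_access_key": "secret",
         "session_token": "token", "region": "eu-west-1"}, environ={}))
```

Passing an empty dict through to boto3.client() is what keeps the plugin backward compatible: boto3 then walks its own provider chain and lands on the controller's default profile exactly as it did before the change.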