I have the following playbook:

- hosts: localhost
  connection: local
  remote_user: test
  gather_facts: no

  vars_files:
    - files/aws_creds.yml
    - files/info.yml

  tasks:
    - name: Basic provisioning of EC2 instance
      ec2:
        assign_public_ip: no
        aws_access_key: "{{ aws_id }}"
        aws_secret_key: "{{ aws_key }}"
        region: "{{ aws_region }}"
        image: "{{ standard_ami }}"
        instance_type: "{{ free_instance }}"
        key_name: "{{ ssh_keyname }}"
        count: 3
        state: present
        group_id: "{{ secgroup_id }}"
        #vpc_subnet_id: "{{ private_subnet_id }}"
        wait: no
        #delete_on_termination: yes
        instance_tags:
          Name: Dawny33Template
      register: ec2

    # Adds the new instances to an in-memory inventory group "launched".
    # Note that no play in this file targets that group; every task below
    # still runs against the play's hosts (localhost).
    - name: Add new instance to host group
      add_host:
        hostname: "{{ item.public_ip }}"
        groupname: launched
      with_items: "{{ ec2.instances }}"

    - name: Wait for SSH to come up
      wait_for:
        host: "{{ item.public_dns_name }}"
        port: 22
        delay: 60
        timeout: 320
        state: started
      with_items: "{{ ec2.instances }}"

    # "sudo: yes" is the deprecated spelling of "become: yes"; same effect.
    - name: Install dependencies
      yum:
        name: git
        state: present
      become: yes

    - name: Install Python libs
      easy_install:
        name: boto3
        state: latest
      become: yes

    - name: check out a git repository
      git:
        repo: "{{ repo_url }}"
        dest: /home/ec2-user/AnsibleDir/GitRepo
        accept_hostkey: yes
        force: yes
      vars:
        repo_url: https://github.com/Dawny33/AnsibleExperiments
      become: yes

    - name: Go to the folder and execute command
      command: chmod 0755 /home/ec2-user/AnsibleDir/GitRepo/processing.py
      become: yes
      become_user: root

    # Each shell task runs in its own short-lived /bin/sh; an "export" there
    # is gone as soon as that shell exits and is not seen by later tasks.
    - name: Set credentials
      shell: export AWS_ACCESS_KEY_ID=''
      become: yes
      become_user: root

    - name: Set credentials2
      shell: export AWS_SECRET_ACCESS_KEY=''
      become: yes
      become_user: root

    - name: Run Py script
      command: /home/ec2-user/AnsibleDir/GitRepo/processing.py {{ N }} {{ bucket_name }}
      become: yes
      become_user: root

    - name: Terminate instances that were previously launched
      connection: local
      become: false
      ec2:
        state: 'absent'
        instance_ids: '{{ ec2.instance_ids }}'
        region: '{{ aws_region }}'

In this, I check out a git repo and run a .py file, which uses boto.

So, how do I set up AWS credentials in the dynamically created EC2 instances? Is there an Ansible module for doing so?

PS: The shell modules for exporting the keys are not working. They are throwing the following error:

    "stderr": "sh: s3cmd: command not found\nTraceback (most recent call last):\n  File \"/home/ec2-user/AnsibleDir/GitRepo/processing.py\", line 48, in <module>\n    print get_details(N, str(bucket_name))\n  File \"/home/ec2-user/AnsibleDir/GitRepo/processing.py\", line 37, in get_details\n    for obj in bucket.objects.all():\n  File \"/usr/local/lib/python2.7/site-packages/boto3-1.4.4-py2.7.egg/boto3/resources/collection.py\", line 83, in __iter__\n    for page in self.pages():\n  File \"/usr/local/lib/python2.7/site-packages/boto3-1.4.4-py2.7.egg/boto3/resources/collection.py\", line 166, in pages\n    for page in pages:\n  File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/paginate.py\", line 102, in __iter__\n    response = self._make_request(current_kwargs)\n  File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/paginate.py\", line 174, in _make_request\n    return self._method(**current_kwargs)\n  File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/client.py\", line 253, in _api_call\n    return self._make_api_call(operation_name, kwargs)\n  File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/client.py\", line 530, in _make_api_call\n    operation_model, request_dict)\n  File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/endpoint.py\", line 141, in make_request\n    return self._send_request(request_dict, operation_model)\n  File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/endpoint.py\", line 166, in _send_request\n    request = self.create_request(request_dict, operation_model)\n  File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/endpoint.py\", line 150, in create_request\n    operation_name=operation_model.name)\n  File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/hooks.py\", line 227, in emit\n    return self._emit(event_name, kwargs)\n  File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/hooks.py\", line 210, in _emit\n    response = handler(**kwargs)\n  File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/signers.py\", line 90, in handler\n    return self.sign(operation_name, request)\n  File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/signers.py\", line 147, in sign\n    auth.add_auth(request)\n  File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/auth.py\", line 679, in add_auth\n    raise NoCredentialsError\nbotocore.exceptions.NoCredentialsError: Unable to locate credentials",
    "stdout": "",
    "stdout_lines": [],
    "warnings": []
}

The script is: https://github.com/Dawny33/AnsibleExperiments/blob/master/processing.py

Dawny33

1 Answer

You can do either of the following:

1) As suggested by @konstantin in the comments on your question, you can export the keys as environment variables.

2) For AWS-related deployments on EC2 instances that require API keys, you could use IAM instance roles that have the required access your application needs.

Manish Joshi
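As an added illustration of the two options in the answer (this is example code, not the asker's playbook or the answerer's), the playbook below shows both. The IAM role/instance-profile name `s3-reader`, the `use_instance_role` switch and the `files/*.yml` variable names reused from the question are assumptions. Two points the original playbook misses are built in: the tasks that must run on the new instances live in a second play targeting the `launched` group (the original runs everything on localhost), and credentials are passed with the task-level `environment:` keyword rather than `shell: export`, which only sets them inside a shell that exits as soon as the task ends.

```yaml
# Added example, not from the original question or answer.
# Play 1: launch the instance from the control machine.
- hosts: localhost
  connection: local
  gather_facts: no
  vars_files:
    - files/aws_creds.yml   # keep this file ansible-vault encrypted
    - files/info.yml
  vars:
    use_instance_role: yes  # assumed switch between option 2 and option 1
  tasks:
    - name: Launch EC2 instance with an IAM instance profile (option 2)
      ec2:
        aws_access_key: "{{ aws_id }}"
        aws_secret_key: "{{ aws_key }}"
        region: "{{ aws_region }}"
        image: "{{ standard_ami }}"
        instance_type: "{{ free_instance }}"
        key_name: "{{ ssh_keyname }}"
        group_id: "{{ secgroup_id }}"
        # Assumed IAM role with an instance profile of the same name; it only
        # needs s3:ListBucket/s3:GetObject on the target bucket.
        instance_profile_name: "{{ 's3-reader' if use_instance_role else omit }}"
        count: 1
        wait: yes           # needed so public_ip is populated below
        instance_tags:
          Name: Dawny33Template
      register: ec2

    - name: Add new instance to host group
      add_host:
        hostname: "{{ item.public_ip }}"
        groupname: launched
      with_items: "{{ ec2.instances }}"

    - name: Wait for SSH to come up
      wait_for:
        host: "{{ item.public_ip }}"
        port: 22
        delay: 60
        timeout: 320
      with_items: "{{ ec2.instances }}"

# Play 2: everything here runs on the launched instance, not on localhost.
- hosts: launched
  remote_user: ec2-user
  become: yes
  tasks:
    - name: Install dependencies
      yum:
        name: git
        state: present

    - name: Install boto3
      easy_install:
        name: boto3

    - name: Check out the repository
      git:
        repo: https://github.com/Dawny33/AnsibleExperiments
        dest: /home/ec2-user/AnsibleDir/GitRepo
        accept_hostkey: yes

    # Option 2: no keys on the box at all. boto3 walks its credential chain
    # and ends at the instance metadata service, which serves short-lived
    # credentials for the attached role.
    - name: Run script using the instance role
      command: /home/ec2-user/AnsibleDir/GitRepo/processing.py {{ N }} {{ bucket_name }}
      when: hostvars['localhost'].use_instance_role

    # Option 1: static keys as environment variables. "environment:" applies
    # to this task's process only, which is exactly where the script needs
    # them; no_log keeps the values out of the Ansible output.
    - name: Run script with explicit credentials
      command: /home/ec2-user/AnsibleDir/GitRepo/processing.py {{ N }} {{ bucket_name }}
      environment:
        AWS_ACCESS_KEY_ID: "{{ hostvars['localhost'].aws_id }}"
        AWS_SECRET_ACCESS_KEY: "{{ hostvars['localhost'].aws_key }}"
        AWS_DEFAULT_REGION: "{{ hostvars['localhost'].aws_region }}"
      no_log: yes
      when: not hostvars['localhost'].use_instance_role
```

Prefer the instance-role path: the keys in `files/aws_creds.yml` can then stay on the control machine, and the role's policy can be scoped to the single bucket the script reads instead of whatever the long-lived user key is allowed to do. If you must use option 1, note that `environment:` also accepts `AWS_SESSION_TOKEN`, so temporary STS credentials work the same way.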