Appendix C. Using IAM Roles for EC2 Credentials
If you’re going to run Ansible inside of a VPC, you can take advantage of Amazon’s Identity and Access Management (IAM) roles so that you do not even need to set environment variables to pass your EC2 credentials to the instance.
Amazon’s IAM roles let you define users and groups and control what those users and groups are permitted to do with EC2 (e.g., get information about your running instances, create instances, create images). You can also assign IAM roles to running instances, so you can effectively say: “This instance is allowed to start other instances.”
When you make requests against EC2 using a client program that supports IAM roles, and an instance is granted permissions by an IAM role, the client will fetch the credentials from the EC2 instance metadata service and use those to make requests against the EC2 service end point.
You can create an IAM role through the Amazon Web Services (AWS) management console, or at the command line using the AWS Command Line Interface tool, or AWS CLI.
AWS Management Console
Here’s how you would use the AWS management console to create an IAM role that has “Power User Access,” meaning that it is permitted to do pretty much anything with AWS except to modify IAM users and groups.
-
Log in to the AWS management console.
-
Click on “Identity & Access Management.”
-
Click on “Roles” at the left.
-
Click the “Create New Role” button.
-
Give your role a name. I like to use “ansible” as the ...
Get Ansible: Up and Running now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.