Appendix B. Using IAM Roles for EC2 Credentials

If you’re going to run Ansible inside a VPC, you can take advantage of Amazon’s Identity and Access Management (IAM) roles so that you do not even need to set environment variables to pass your EC2 credentials to the instance. Amazon’s IAM roles let you define users and groups and control what those users and groups are permitted to do with EC2 (e.g., get information about your running instances, create instances, create images). You can also assign IAM roles to running instances, so you can effectively say, “This instance is allowed to start other instances.”

When you make requests against EC2 by using a client program that supports IAM roles, and an instance is granted permissions by an IAM role, the client will fetch the credentials from the EC2 instance metadata service and use those to make requests against the EC2 service end point.

You can create an IAM role through the Amazon Web Services (AWS) Management Console, or at the command line by using the AWS Command-Line Interface tool (AWS CLI).

AWS Management Console

Here’s how to use the AWS Management Console to create an IAM role that has Power User Access, meaning that it is permitted to do pretty much anything with AWS except modify IAM users and groups:

  1. Log in to the AWS Management Console.

  2. Search for and then click IAM.

  3. Click “Roles at the left.

  4. Click the Create New Role button.

  5. Give your role a name and then click Next Step. I like to use ansible as the name ...

Get Ansible: Up and Running, 2nd Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.