10
votes

Has someone figured out the minimum IAM policies required to run the EC2 dynamic inventory script (ec2.py) on ansible via an IAM role?

So far, I haven't seen a concrete reference on this matter other than specifying credentials for the boto library in the official Ansible documentation; however, in production environments I rarely use key pairs for access to AWS services from EC2 instances, and have instead embraced the use of IAM roles for that scenario.

I have tried policies allowing ec2:Describe* actions but it doesn't seem to be enough for the script as it always exits with Unauthorized operation.

Could you help me out?


4 Answers

6
votes

I just created a demo policy, created a new role and used that new policy, and then created a new instance that used that new role.

Demo Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Demo201505282045",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "route53:ListHostedZones",
                "route53:ListResourceRecordSets"
            ],
            "Resource": "*"
        }
    ]
}

I had to add route53 as I use the route53 option (route53 = true in the ec2.ini), but other than that it worked fine.

If you are still having problems, try running ec2.py from the command line (./ec2.py), as that usually gives reasonable error messages when run directly.

9
votes

The script also looks at RDS and elasticache. They can be disabled in ec2.ini, but if you don't, the following policy seems to be enough to run the dynamic inventory.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Demo201505282045",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "route53:ListHostedZones",
                "route53:ListResourceRecordSets",
                "rds:Describe*",
                "elasticache:Describe*"
            ],
            "Resource": "*"
        }
    ]
}

1
votes

The script checks also for Route53, RDS and ElastiCache configurations, so it will require access to ec2:Describe*, route53:ListHostedZones, route53:ListResourceRecordSets, rds:Describe* and elasticache:Describe*.

Still, if you don't use all these services you can selectively disable their checks in the ec2.ini file by setting the associated group_by_* variables to False: this skips fetching those configurations, which both lets you minimize the actions allowed for the role (e.g. ec2:Describe* only) and reduces the overall query time of the script.

0
votes

These are the permissions that I identified as required by ec2.py after checking CloudTrail:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "elasticache:DescribeReplicationGroups",
                "ec2:DescribeInstances",
                "ec2:DescribeTags",
                "rds:DescribeDBInstances",
                "elasticache:DescribeCacheClusters"
            ],
            "Resource": "*"
        }
    ]
}
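The answers above converge on a small set of Describe/List actions whose necessity depends on which lookups are enabled in ec2.ini. The following script is an added example (not part of this thread and not Ansible's own code) that checks a candidate role policy offline against that set before the role is attached: it takes the actions named in the answers, selects the ones a given ec2.ini configuration would trigger, and reports which are not granted, honouring IAM's case-insensitive wildcard matching and explicit Deny. The mapping of features to the ec2.ini keys `rds`, `elasticache` and `route53` is an assumption made for this example, and the policies are constructed sample inputs; the check ignores `NotAction`, `Resource` and conditions, which is adequate here because these Describe/List calls are granted on `"Resource": "*"` in every policy in the thread.

```python
import fnmatch
import json

# Actions ec2.py issues, grouped by the ec2.ini feature that triggers them.
# The action names come from the answers above (ec2, rds, elasticache from the
# CloudTrail-based answer, route53 from the first answer); the grouping by
# ec2.ini key is an assumption made for this example.
REQUIRED_ACTIONS = {
    "ec2": ["ec2:DescribeInstances", "ec2:DescribeTags"],
    "rds": ["rds:DescribeDBInstances"],
    "elasticache": ["elasticache:DescribeCacheClusters",
                    "elasticache:DescribeReplicationGroups"],
    "route53": ["route53:ListHostedZones", "route53:ListResourceRecordSets"],
}


def required_actions(ini_settings):
    """Actions needed for the features enabled in ec2.ini (EC2 itself is always queried)."""
    actions = list(REQUIRED_ACTIONS["ec2"])
    for feature in ("rds", "elasticache", "route53"):
        if ini_settings.get(feature, False):
            actions.extend(REQUIRED_ACTIONS[feature])
    return actions


def _as_list(value):
    # IAM allows "Action"/"Statement" to be a single value or a list.
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy, required):
    """Return the subset of `required` the policy grants; an explicit Deny always wins."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        patterns = _as_list(stmt.get("Action", []))
        for action in required:
            if any(_matches(p, action) for p in patterns):
                (allowed if stmt["Effect"] == "Allow" else denied).add(action)
    return allowed - denied


def missing_actions(policy, ini_settings):
    """Sorted list of actions ec2.py would need under `ini_settings` that `policy` does not grant."""
    required = required_actions(ini_settings)
    granted = allowed_actions(policy, required)
    return sorted(a for a in required if a not in granted)


# Constructed sample policies (same shape as the ones in the thread).
EC2_ONLY_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]
}""")

FULL_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:Describe*", "route53:ListHostedZones", "route53:ListResourceRecordSets",
        "rds:Describe*", "elasticache:Describe*"]}]
}""")

# A policy where a broad Allow is narrowed by an explicit Deny on one action.
DENY_TAGS_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:describetags", "Resource": "*"}
    ]
}""")


if __name__ == "__main__":
    # ec2:Describe* alone is enough only when RDS/ElastiCache/Route53 lookups are off.
    print(missing_actions(EC2_ONLY_POLICY, {}))
    print(missing_actions(EC2_ONLY_POLICY, {"rds": True, "elasticache": True}))
    print(missing_actions(FULL_POLICY, {"rds": True, "elasticache": True, "route53": True}))
    print(missing_actions(DENY_TAGS_POLICY, {}))
```

Run it against the policy you intend to attach to the instance role and the feature flags from your ec2.ini; an empty list means every call the script will make is covered, while a non-empty one names exactly the Describe/List action that would surface as the UnauthorizedOperation error mentioned in the question.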