1
votes

We have five AWS accounts, and an IAM user for programmatic access is created in the organizational account. Each of the child accounts has an IAM role with the same name. A trust relationship is set up between the user and the roles from these accounts. How do I switch between accounts for the ec2 dynamic inventory configuration?

Config File - ec2.ini

iam_role = arn:aws:iam::xxxx-xxxx-xxxx:role/RoleName

I have multiple ec2.ini files in different directories.

../env/
├── account-1
│   ├── ec2.ini
│   └── ec2.py
├── account-2
│   ├── ec2.ini
│   └── ec2.py
├── account-3
│   ├── ec2.ini
│   └── ec2.py
└── account-4
    ├── ec2.ini
    └── ec2.py

Ansible Command

ansible-playbook -i ../env/account-x/ec2.py playbook.yml

Is there a process to switch between accounts? My AWS credentials are stored in the shared credentials file.

1
While I don't directly know the answer to your question, be careful using the syntax iam::xxx-xxxx- because to the best of my knowledge AWS does not allow dashes in the account number section of the ARN. - mdaniel
There are no hyphens in the actual ARN. It's just for understanding. - Anurag

1 Answer

1
votes

You can try passing it the profile name before the command:

AWS_PROFILE=account-a ansible-playbook -i ../env/account-x/ec2.py playbook.yml

If role assumption doesn't work, then you may need to put together a small script that generates temporary credentials and sets the credentials as environment variables before calling ansible.
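As an added example (not code from the original answer or from the Ansible project), here is a POSIX shell wrapper implementing the "small script" the answer describes: it assumes the child account's role with `aws sts assume-role`, exports the temporary credentials, and runs ansible-playbook with that account's ec2.py. It assumes the role is called RoleName as in the question and that the organizational account's user keys are already in the shared credentials file.

```shell
#!/bin/sh
# Added example, not code from the original post: assume the per-account role
# once, export the temporary credentials, then run the playbook with that
# account's ec2.py. Assumes the role is named "RoleName" (from the question) and
# that the org account's IAM user keys are in the shared credentials file.
set -eu

ROLE_NAME="${ROLE_NAME:-RoleName}"   # same role name exists in every child account

# Build the ARN of the role to assume in a given child account.
role_arn() {
    printf 'arn:aws:iam::%s:role/%s' "$1" "$ROLE_NAME"
}

# Take the tab-separated STS output (AccessKeyId SecretAccessKey SessionToken)
# and export it as environment variables. boto 2, which ec2.py uses, reads the
# token from AWS_SECURITY_TOKEN; the AWS CLI and boto3 read AWS_SESSION_TOKEN,
# so both are set.
export_sts_creds() {
    set -f                     # no globbing while the line is word-split
    set -- $1
    set +f
    if [ $# -ne 3 ]; then
        echo "unexpected STS output (expected 3 fields, got $#)" >&2
        return 1
    fi
    export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2"
    export AWS_SESSION_TOKEN="$3" AWS_SECURITY_TOKEN="$3"
}

# Run a playbook against one account. The body is a subshell, so the temporary
# credentials never leak into the caller's environment.
# Usage: run_in_account <account-id> <../env/account-N> <playbook.yml> [ansible args]
run_in_account() (
    account_id="$1"; inventory_dir="$2"; playbook="$3"; shift 3
    creds=$(aws sts assume-role \
        --role-arn "$(role_arn "$account_id")" \
        --role-session-name "ansible-$(date +%s)" \
        --duration-seconds 3600 \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text)
    export_sts_creds "$creds"
    ansible-playbook -i "$inventory_dir/ec2.py" "$playbook" "$@"
)

# Example call (111111111111 is a placeholder account id):
#   ./switch.sh 111111111111 ../env/account-1 playbook.yml --check
if [ $# -ge 3 ]; then
    run_in_account "$@"
fi
```

AWS_PROFILE pointing at a profile with role_arn and source_profile in ~/.aws/config works for the AWS CLI and boto3, but ec2.py is built on boto 2, which reads a profile's keys without performing that role assumption itself, so an explicit assume-role step like this is the dependable route.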