Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Read AWS credentials from disk (#14382) #14460

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Read AWS credentials from disk (#14382) #14460

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
35 changes: 35 additions & 0 deletions roles/cloud-ec2/tasks/discover-credentials.yml
View file
Open in desktop
@@ -0,0 +1,35 @@
---
- name: "Find AWS profile and credentials file"
block:
- set_fact:
aws_credentials_path: "{{ lookup('env', 'HOME') }}/.aws/credentials"

- set_fact:
aws_credentials_path: "{{ lookup('env', 'AWS_SHARED_CREDENTIALS_FILE') }}"
when:
- lookup('env', 'AWS_SHARED_CREDENTIALS_FILE')|length > 0
- debug: var=aws_credentials_path

- set_fact:
aws_profile_id: "default"

- set_fact:
aws_profile_id: "{{ lookup('env', 'AWS_PROFILE') }}"
when:
- lookup('env', 'AWS_PROFILE')|length > 0

- name: "Look up AWS credentials"
block:
- set_fact:
aws_access_key: "{{ lookup('ini', 'aws_access_key_id', section=aws_profile_id, file=aws_credentials_path) }}"
ignore_errors: true
when:
- aws_access_key is undefined
- lookup('env', 'AWS_ACCESS_KEY_ID')|length <= 0

- set_fact:
aws_secret_key: "{{ lookup('ini', 'aws_secret_access_key', section=aws_profile_id, file=aws_credentials_path) }}"
ignore_errors: true
when:
- aws_secret_key is undefined
- lookup('env', 'AWS_SECRET_ACCESS_KEY')|length <= 0
3 changes: 3 additions & 0 deletions roles/cloud-ec2/tasks/main.yml
View file
Open in desktop
Expand Up @@ -2,6 +2,9 @@
- name: Build python virtual environment
import_tasks: venv.yml

- name: Include credential discovery
import_tasks: discover-credentials.yml

- name: Include prompts
import_tasks: prompts.yml

Expand Down
3 changes: 3 additions & 0 deletions tests/.aws/credentials
View file
Open in desktop
@@ -0,0 +1,3 @@
[default]
aws_access_key_id=example_key
aws_secret_access_key=example_secret
7 changes: 7 additions & 0 deletions tests/.aws/credentials2
View file
Open in desktop
@@ -0,0 +1,7 @@
[default]
aws_access_key_id=WRONG
aws_secret_access_key=WRONG

[profile1]
aws_access_key_id=example_key
aws_secret_access_key=example_secret
24 changes: 24 additions & 0 deletions tests/aws-credentials.sh
View file
Open in desktop
@@ -0,0 +1,24 @@
#!/usr/bin/env bash

# command line credentials should still work:
ansible-playbook tests/validate-aws-credentials.yml \
-e aws_access_key=example_key \
-e aws_secret_key=example_secret

# command line credentials should override config files:
ansible-playbook tests/validate-aws-credentials.yml \
-e aws_access_key=example_key \
-e aws_secret_key=example_secret

# In this case the config file is bad but the command line should win:
AWS_SHARED_CREDENTIALS_FILE="$PWD/tests/.aws/credentials2" \
ansible-playbook tests/validate-aws-credentials.yml \
-e aws_access_key=example_key \
-e aws_secret_key=example_secret

# should read from the config file in tests/.aws:
HOME="$PWD/tests" \
ansible-playbook tests/validate-aws-credentials.yml

AWS_SHARED_CREDENTIALS_FILE="$PWD/tests/.aws/credentials2" AWS_PROFILE=profile1 \
ansible-playbook tests/validate-aws-credentials.yml
7 changes: 7 additions & 0 deletions tests/validate-aws-credentials.yml
View file
Open in desktop
@@ -0,0 +1,7 @@
- name: test
hosts: localhost
tasks:
- include_tasks: ../roles/cloud-ec2/tasks/discover-credentials.yml
- assert: { that: "aws_access_key == 'example_key'" }
- assert: { that: "aws_secret_key == 'example_secret'" }