如何通過Ansible在遠程EC2服務器上設置AWS訪問密鑰？

Question

我有以下劇本：

- hosts: localhost 
    connection: local 
    remote_user: test 
    gather_facts: no 

    vars_files: 
    - files/aws_creds.yml 
    - files/info.yml 

    tasks: 
    - name: Basic provisioning of EC2 instance 
     ec2: 
     assign_public_ip: no 
     aws_access_key: "{{ aws_id }}" 
     aws_secret_key: "{{ aws_key }}" 
     region: "{{ aws_region }}" 
     image: "{{ standard_ami }}" 
     instance_type: "{{ free_instance }}" 
     key_name: "{{ ssh_keyname }}" 
     count: 3 
     state: present 
     group_id: "{{ secgroup_id }}" 
     #vpc_subnet_id: "{{ private_subnet_id }}" 
     wait: no 
     #delete_on_termination: yes 
     instance_tags: 
      Name: Dawny33Template 
     register: ec2 



    - name: Add new instance to host group 
     add_host: 
     hostname: "{{ item.public_ip }}" 
     groupname: launched 
     with_items: "{{ ec2.instances }}" 

    - name: Wait for SSH to come up 
     wait_for: 
     host: "{{ item.public_dns_name }}" 
     port: 22 
     delay: 60 
     timeout: 320 
     state: started 
     with_items: "{{ ec2.instances }}" 

    - name: Install dependencies 
     yum: 
     name=git 
     state=present 
     sudo: yes 

    - name: Install Python libs 
     easy_install: 
     name: boto3 
     state: latest 
     sudo: yes 

    - name: check out a git repository 
     git: repo={{ repo_url }} dest=/home/ec2-user/AnsibleDir/GitRepo accept_hostkey=yes force=yes 
     vars: 
     repo_url: https://github.com/Dawny33/AnsibleExperiments 
     become: yes 


    - name: Go to the folder and execute command 
     command: chmod 0755 /home/ec2-user/AnsibleDir/GitRepo/processing.py 
     become: yes 
     become_user: root 

    - name: Set credentials 
     shell: export AWS_ACCESS_KEY_ID='' 
     become: yes 
     become_user: root 

    - name: Set credentials2 
     shell: export AWS_SECRET_ACCESS_KEY='' 
     become: yes 
     become_user: root 

    - name: Run Py script 
     command: /home/ec2-user/AnsibleDir/GitRepo/processing.py {{ N }} {{ bucket_name }} 
     become: yes 
     become_user: root 

    - name: Terminate instances that were previously launched 
     connection: local 
     become: false 
     ec2: 
     state: 'absent' 
     instance_ids: '{{ ec2.instance_ids }}' 
     region: '{{ aws_region }}' 

在此，我籤一個git回購和運行PY文件，它使用博託。

那麼，如何在動態創建的EC2實例中設置AWS憑證呢？有這樣的Ansible模塊嗎？

PS：用於導出密鑰的shell模塊不起作用。他們拋出了以下錯誤：

"stderr": "sh: s3cmd: command not found\nTraceback (most recent call last):\n File \"/home/ec2-user/AnsibleDir/GitRepo/processing.py\", line 48, in <module>\n print get_details(N, str(bucket_name))\n File \"/home/ec2-user/AnsibleDir/GitRepo/processing.py\", line 37, in get_details\n for obj in bucket.objects.all():\n File \"/usr/local/lib/python2.7/site-packages/boto3-1.4.4-py2.7.egg/boto3/resources/collection.py\", line 83, in __iter__\n for page in self.pages():\n File \"/usr/local/lib/python2.7/site-packages/boto3-1.4.4-py2.7.egg/boto3/resources/collection.py\", line 166, in pages\n for page in pages:\n File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/paginate.py\", line 102, in __iter__\n response = self._make_request(current_kwargs)\n File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/paginate.py\", line 174, in _make_request\n return self._method(**current_kwargs)\n File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/client.py\", line 253, in _api_call\n return self._make_api_call(operation_name, kwargs)\n File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/client.py\", line 530, in _make_api_call\n operation_model, request_dict)\n File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/endpoint.py\", line 141, in make_request\n return self._send_request(request_dict, operation_model)\n File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/endpoint.py\", line 166, in _send_request\n request = self.create_request(request_dict, operation_model)\n File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/endpoint.py\", line 150, in create_request\n operation_name=operation_model.name)\n File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/hooks.py\", line 227, in emit\n return self._emit(event_name, kwargs)\n File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/hooks.py\", line 210, in _emit\n response = handler(**kwargs)\n File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/signers.py\", line 90, in handler\n return self.sign(operation_name, request)\n File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/signers.py\", line 147, in sign\n auth.add_auth(request)\n File \"/usr/local/lib/python2.7/site-packages/botocore-1.5.7-py2.7.egg/botocore/auth.py\", line 679, in add_auth\n raise NoCredentialsError\nbotocore.exceptions.NoCredentialsError: Unable to locate credentials", 
    "stdout": "", 
    "stdout_lines": [], 
    "warnings": [] 
} 

的腳本是：https://github.com/Dawny33/AnsibleExperiments/blob/master/processing.py

Answer 1

你可以做以下任一操作：

1）如你的問題，你可以的意見建議由@konstantin將密鑰導出爲環境變量。

2）對於需要API密鑰的AWS相關部署/ AWS EC2實例，可以使用IAM instance roles，它們具有您的應用程序所需的訪問權限。