
I am writing an ansible playbook to rotate IAM access keys. It runs on my localhost to create a new IAM Access Key on AWS. I want to push that key to multiple other hosts' ~/.aws/credentials files.

---
- name: Roll IAM access keys
  hosts: localhost
  connection: local
  gather_facts: false
  strategy: free
  roles:
    - iam-rotation

In the iam-rotation role, I have something like this:

- name: Create new Access Key
  iam:
    iam_type: user
    name: "{{ item }}"
    state: present
    access_key_state: create
    key_count: 2
  with_items:
    - ansible-test-user
  register: aws_user

- set_fact:
    aws_user_name: "{{ aws_user.results.0.user_name }}"
    created_keys_count: "{{ aws_user.results.0.created_keys | length }}"
    aws_user_keys: "{{ aws_user.results[0]['keys'] }}"

I want to use push the newly created access keys out to jenkins builders. How would I use the list of hosts from with_items in the task? The debug task is just a placeholder.

# Deploy to all Jenkins builders
- name: Deploy new keys to jenkins builders
  debug:
    msg: "Deploying key to host {{ item }}"
  with_items: "{{ groups.jenkins_builders }}"

Hosts file that includes the list of hosts I want to apply to

[jenkins_builders]
builder1.example.org
builder2.example.org
builder3.example.org

I am executing the playbook on localhost. But within the playbook I want one task to execute on remote hosts which I'm getting from the hosts file. The question was...

How would I use the list of hosts from with_items in the task?

TreverW
  • What is the question? ・ What does it mean: "*the list of hosts from `with_items`*"? `with_items` gives you a list of hosts? ・ Why did you post the playbook and the role tasks if you were interested in something "from" `with_items`? ・ Why `jenkins_slaves` appears only once in the post, if this is what you ask about? – techraf Feb 23 '18 at 20:50
  • I am sufficiently humiliated and berated. I had forgotten to add the host file. Thanks for the gentle reminder. – TreverW Feb 23 '18 at 22:28
  • I think I asked a few more questions... Regarding how you execute a play on `jenkins_builders` host group, you do it with `hosts: jenkins_builders` declaration at the top of the play. It should be the first thing to know about Ansible, because that's the most basic requirement (for a play to have `hosts` declaration). -> What is the question here? – techraf Feb 23 '18 at 22:38

2 Answers

Separate the tasks into two roles. Then execute the first role against localhost and the second one against jenkins_builders:

---
- name: Rotate IAM access keys
  hosts: localhost
  connection: local
  gather_facts: false
  strategy: free
  roles:
    - iam-rotation

- name: Push out IAM access keys
  hosts: jenkins_builders
  roles:
    - iam-propagation

Per AWS best practices recommendations, if you are running an application on an Amazon EC2 instance and the application needs access to AWS resources, you should use IAM roles for EC2 instead of keys: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html

Christina A
  • Thank you Christina. While the answer given by Deepu Kumar was what I was looking for, I think we should refactor our solution to use your recommendation. – TreverW Feb 27 '18 at 20:01
  • I am glad it was helpful. There is also a 3rd option to consider: use 1 role, execute the playbook against jenkins_builders and in the role, do local_action: on the tasks you want to execute against localhost. The reverse of what Deepu is suggesting, or the equivalent of delegate_to: localhost – Christina A Feb 27 '18 at 22:58
  • As I look more into using IAM roles and instance profiles, I realized that some Jenkins plugins explicitly require Access Key and Secret Key in their configurations (S3 publish plugin, Amazon SNS Notification plugin) and some of the pipeline steps we use take AWS Credentials. I'm able to update jenkins credentials through the Jenkins REST API. I'm trying to figure out how to update global plugin configurations such as the S3 plugin Access Key and Secret Key. – TreverW Feb 28 '18 at 22:46
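As an added example of what the iam-propagation role from the answer above could contain (this is not the original answer's code): it assumes the localhost play saved the new key in a fact named new_access_key taken from the iam module's created_keys result, that Jenkins runs as user jenkins with a home of /var/lib/jenkins unless jenkins_home is set, and it reads the fact through hostvars['localhost'] because facts set in one play stay available to later plays in the same run.

```yaml
# roles/iam-propagation/tasks/main.yml (added example, not from the original post)
# Assumed to have been set in the localhost play by the iam-rotation role:
#   - set_fact:
#       new_access_key: "{{ aws_user.results[0].created_keys[0] }}"
# where created_keys entries carry access_key_id and secret_access_key.

- name: Make sure the Jenkins user's ~/.aws directory exists
  file:
    path: "{{ jenkins_home | default('/var/lib/jenkins') }}/.aws"
    state: directory
    owner: jenkins
    group: jenkins
    mode: "0700"

- name: Write the rotated key into the default profile of ~/.aws/credentials
  ini_file:
    path: "{{ jenkins_home | default('/var/lib/jenkins') }}/.aws/credentials"
    section: default
    option: "{{ item.option }}"
    value: "{{ item.value }}"
    owner: jenkins
    group: jenkins
    mode: "0600"
  with_items:
    - option: aws_access_key_id
      value: "{{ hostvars['localhost'].new_access_key.access_key_id }}"
    - option: aws_secret_access_key
      value: "{{ hostvars['localhost'].new_access_key.secret_access_key }}"
  # Keep the secret out of the play output and any Ansible log files.
  no_log: true
```

The mode 0600 and no_log matter here: without them the secret key ends up world-readable on each builder or printed in the controller's log with every run.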

You can use

delegate_to: servername

in the task module, it will run only on the particular