Retrieves temporary AWS session token based on id_token exchange via OIDC IDP for use with ansible.
tumbl3w33d/ansible-oidc-aws-token-plugin
ansible-oidc-aws-token-plugin

This is an ansible callback plugin which enriches the environment of a playbook run with the variables ansible's AWS modules read, so you do not have to set them in any other way.

The AWS credentials used are temporary session tokens retrieved from an AWS IAM identity provider which is connected to an (AWS-)external OIDC identity provider. This has only been tested with the one and only IDP – kanidm. 🦀

It can probably be modified to work with others.

⚠️ Disclaimer

It is important to highlight that this plugin is provided on an 'as-is' basis, without any form of express or implied warranty. Under no circumstances shall the authors be held accountable for any damages or liabilities arising from the utilization of this plugin. Users are advised to proceed at their own risk.

How to

  • create a public client OAuth2 configuration in your IDP (i.e., no client_secret involved)
  • create an IAM identity provider which is linked to your IDP
    • you will be asked to assign a role to the IAM identity provider
    • this role is the one that will be assumed by this authentication process
      • it has "web identity" configured as trusted entity
      • during creation, you point it to the IAM identity provider you just created
  • drop the plugin file into a path where ansible looks for plugins (by default that is callback_plugins in the project root, but you can configure others)
  • enable the plugin in your ansible.cfg (callbacks_enabled)
  • configure the plugin using environment variables
    • look for os.environ.get in the plugin code to know what you can configure

What can I expect to happen?

You start the playbook and a browser window/tab appears with the configured URL of your IDP. Once you have authenticated, you are immediately redirected to a local port that has been opened on localhost. This is the receiver of the id_token.

The plugin then takes this id_token to the AWS API, which validates it with your IDP and, if successful, returns temporary AWS credentials which are then set as environment variables in your playbook run.
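The receiving side of the flow described in "How to" and above, as an added example that is not the plugin's own code: build the public-client authorization request, accept the id_token only when state, nonce, audience and expiry match this run, and map an STS AssumeRoleWithWebIdentity response to the environment variables ansible's AWS modules read. It assumes the IDP hands the id_token to the local receiver as URL-encoded parameters and that the STS call itself is made elsewhere (e.g. with boto3); the sample token is constructed and unsigned.

```python
import base64, json, secrets, time
from urllib.parse import parse_qs, urlencode

ENV_KEYS = {"AccessKeyId": "AWS_ACCESS_KEY_ID",
            "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
            "SessionToken": "AWS_SESSION_TOKEN"}

def new_request(authorize_endpoint, client_id, redirect_uri):
    """Authorization URL for a public client: no client_secret, fresh state/nonce
    that the local receiver must see echoed back before it trusts the id_token."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    q = urlencode({"response_type": "id_token", "client_id": client_id,
                   "redirect_uri": redirect_uri, "scope": "openid",
                   "state": state, "nonce": nonce})
    return f"{authorize_endpoint}?{q}", state, nonce

def _claims(id_token):
    """Decode the JWT payload only; the signature is verified by AWS against the
    IDP, so these local checks just reject misrouted or replayed tokens early."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def accept_callback(body, expected_state, expected_nonce, client_id, now=None):
    """Parse what the local receiver got (query string or form body) and return
    the id_token, or raise ValueError if it does not belong to this run."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    if "error" in params:
        raise ValueError(f"IDP returned error: {params['error']}")
    if not secrets.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state mismatch: response is not for this request")
    claims = _claims(params["id_token"])
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("aud does not include this client_id")
    if not secrets.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch: possible replayed id_token")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("id_token expired")
    return params["id_token"]

def credentials_to_env(sts_response):
    """Map the STS AssumeRoleWithWebIdentity response to the env vars for the run."""
    creds = sts_response["Credentials"]
    return {env: creds[field] for field, env in ENV_KEYS.items()}

def constructed_id_token(claims):
    """Unsigned, constructed sample token (alg none) for offline demonstration only."""
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return "eyJhbGciOiJub25lIn0." + payload.rstrip("=") + ".sig"
```

In the plugin the dict returned by `credentials_to_env` is what gets merged into `os.environ` before the play starts.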

State of development

Probably has some rough edges but does the trick.
