- boto3 initializes a session using the specified profile, and assumes the role configured for that profile in your `~/.aws/config`
- A Python script using that session prints the temporary credentials as shell-compatible environment variable assignments
- A wrapper script sets these via `eval`
- By the time Ansible runs, `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SECURITY_TOKEN` (for boto2) / `AWS_SESSION_TOKEN` (for boto3) are all set, and are consumed by boto2 in the inventory script and other boto2-based modules
- This uses a custom variable `AWS_STS_PROFILE`, because setting plain ol' `AWS_PROFILE` makes boto2 barf when said profile is configured with a `role_arn`
- See ansible/ansible#25718 for background
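As an added worked example (my own code, not the gist's script), here is a Python 3 version of the boto3 helper the list above describes: it resolves `AWS_STS_PROFILE` through botocore's normal profile chain (which performs the `AssumeRole` for a profile with `role_arn`/`source_profile`) and prints `export` lines for both the boto2 and boto3 token variable names. The file name `sts_env.py` and the function names are my own; the `unset AWS_PROFILE` line and the refusal to export long-lived keys are additions beyond what the gist states, included so the wrapper cannot accidentally hand boto2 a `role_arn` profile or a non-temporary key pair.

```python
#!/usr/bin/env python3
"""sts_env.py (hypothetical name): print temporary STS credentials for the
profile named in AWS_STS_PROFILE as shell-compatible `export` statements.

Intended use from a wrapper script:
    eval "$(AWS_STS_PROFILE=deploy python3 sts_env.py)"
    ansible-playbook -i ec2.py site.yml
"""
import os
import shlex
import sys


def fetch_temporary_credentials(profile):
    """Resolve `profile` with boto3/botocore and return its frozen credentials.

    For a profile configured with role_arn + source_profile in ~/.aws/config,
    botocore's credential chain performs the AssumeRole call itself, so the
    returned keys are short-lived and come with a session token.
    """
    import boto3  # imported here so export_lines() stays usable without boto3 installed

    session = boto3.session.Session(profile_name=profile)
    creds = session.get_credentials()
    if creds is None:
        raise RuntimeError(f"no credentials could be resolved for profile {profile!r}")
    frozen = creds.get_frozen_credentials()
    if not frozen.token:
        # A profile without role_arn yields long-lived keys. Refuse rather than
        # silently export them: the whole point of the wrapper is temporary creds.
        raise RuntimeError(f"profile {profile!r} did not yield temporary credentials")
    return {
        "access_key": frozen.access_key,
        "secret_key": frozen.secret_key,
        "token": frozen.token,
    }


def export_lines(creds):
    """Build the shell statements the wrapper will `eval`.

    Both token variable names are set: boto2 reads AWS_SECURITY_TOKEN, while
    boto3/botocore read AWS_SESSION_TOKEN. AWS_PROFILE is unset (my addition)
    so boto2 never sees the role_arn profile the caller may have exported.
    Values are shell-quoted so an unusual token cannot break the eval.
    """
    env = {
        "AWS_ACCESS_KEY_ID": creds["access_key"],
        "AWS_SECRET_ACCESS_KEY": creds["secret_key"],
        "AWS_SECURITY_TOKEN": creds["token"],
        "AWS_SESSION_TOKEN": creds["token"],
    }
    lines = [f"export {name}={shlex.quote(value)}" for name, value in env.items()]
    lines.append("unset AWS_PROFILE")
    return lines


def main():
    profile = os.environ.get("AWS_STS_PROFILE")
    if not profile:
        sys.exit("AWS_STS_PROFILE is not set; refusing to guess a profile")
    print("\n".join(export_lines(fetch_temporary_credentials(profile))))


if __name__ == "__main__":
    main()
```

Because the script only ever writes to stdout, the wrapper can capture it with `eval "$(...)"`; any error goes to stderr and a non-zero exit, which stops the wrapper before Ansible runs with half-set credentials.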
Just want to leave a comment here that this is awesome! The linked GitHub issue was bugging me for a while, and this workaround is on point!