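---
# Assume an IAM role in one of the configured AWS accounts and store the
# resulting temporary STS credentials in ~/.aws/credentials, in a section
# named after the chosen account alias.
#
# The play runs locally. Long-lived credentials come from the AWS profile
# named in PROFILE; only the short-lived session credentials are written out.
- hosts: localhost
  connection: local
  gather_facts: false
  module_defaults:
    group/aws:
      region: eu-central-1
  vars:
    # Named AWS CLI profile whose credentials are used to call IAM and STS.
    PROFILE: bergholm
    # NOTE(review): not referenced anywhere in this play, and the value is a
    # region name rather than a profile name. Kept for compatibility.
    AWS_PROFILE: eu-central-1
    # Requested session lifetime in seconds (10h). STS rejects values above
    # the maximum session duration configured on the target role.
    DURATION: 36000
    # Account alias -> AWS account id. The ids look like placeholders;
    # replace them with the real 12-digit ids, kept quoted so they stay
    # strings.
    ACCOUNTS:
      test: "123"
      prod: "456"
  vars_prompt:
    - name: ACCOUNT
      prompt: account you want to assume?
      private: false
      default: test
    - name: ROLE
      prompt: which iam role you want to assume
      private: false
      default: some_role
    - name: TOTP
      prompt: TOTP needed only for iam operations
      private: false
      default: ""
  tasks:
    # ACCOUNT is free-form prompt input that ends up in the role ARN and as
    # the section name in the credentials file, so restrict it to the known
    # aliases before it is used anywhere.
    - name: validate prompted account alias
      assert:
        that:
          - ACCOUNT in ACCOUNTS
        fail_msg: "unknown account alias '{{ ACCOUNT }}'"

    # Only needed to learn the MFA serial number; skipped when no 6-digit
    # code was entered at the prompt.
    - name: fetch MFA device info
      iam_mfa_device_info:
        profile: "{{ PROFILE }}"
      register: mfa_devices
      when: TOTP | length == 6

    # When the lookup above is skipped, mfa_devices holds no device list, so
    # both MFA parameters are omitted instead of being templated from it.
    # Without this the task fails on an undefined variable whenever the
    # TOTP prompt is left empty, although the prompt marks it as optional.
    - name: assume role
      sts_assume_role:
        profile: "{{ PROFILE }}"
        role_arn: "arn:aws:iam::{{ ACCOUNTS[ACCOUNT] }}:role/{{ ROLE }}"
        # The session name is hard-coded; presumably it is what shows up in
        # audit logs for this session, so a per-user value may be preferable.
        role_session_name: "mb_test"
        mfa_serial_number: "{{ mfa_devices.mfa_devices[0].serial_number if TOTP | length == 6 else omit }}"
        mfa_token: "{{ TOTP if TOTP | length == 6 else omit }}"
        duration_seconds: "{{ DURATION }}"
      register: assumed_role
      # The result carries the secret key and session token; keep it out of
      # task output and logs. Remove temporarily when debugging a failed
      # call.
      no_log: true
      notify:
        - save access key
        - save secret key
        - save session token
  handlers:
    # Each handler writes one credential field. no_log keeps the values out
    # of verbose output and out of --diff output.
    - name: save access key
      ini_file:
        path: ~/.aws/credentials
        section: "{{ ACCOUNT }}"
        option: aws_access_key_id
        value: "{{ assumed_role.sts_creds.access_key }}"
        mode: '0600'
        # Only this handler takes a backup. The backup file holds the
        # previous credentials and stays on disk until it is removed.
        backup: true
      no_log: true
    - name: save secret key
      ini_file:
        path: ~/.aws/credentials
        section: "{{ ACCOUNT }}"
        option: aws_secret_access_key
        value: "{{ assumed_role.sts_creds.secret_key }}"
        mode: '0600'
      no_log: true
    - name: save session token
      ini_file:
        path: ~/.aws/credentials
        section: "{{ ACCOUNT }}"
        option: aws_session_token
        value: "{{ assumed_role.sts_creds.session_token }}"
        mode: '0600'
      no_log: true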