Retrieves temporary AWS session token based on id_token exchange via OIDC IDP for use with ansible.
MIT License
This is an ansible callback plugin which enriches the environment of a playbook run with variables used with ansible's AWS modules. That means you do not have to set them in any other way.
The AWS credentials used are temporary session tokens which can be retrieved from an AWS IAM identity provider which is connected to an (AWS-)external OIDC identity provider. This has only been tested with the one and only IDP – kanidm. 🦀
It can probably be modified to work with others.
It is important to highlight that this plugin is provided on an 'as-is' basis, without any form of express or implied warranty. Under no circumstances shall the authors be held accountable for any damages or liabilities arising from the utilization of this plugin. Users are advised to proceed at their own risk.
Setup:
- Put the plugin into `callback_plugins` (in the project root, but you can configure other locations in `ansible.cfg`).
- Enable it in `ansible.cfg` (`callbacks_enabled`).
- Look for the `os.environ.get` calls in the plugin code to see what you can configure.

How it works:
You start the playbook and a browser window/tab appears with the configured URL of your IDP. Once you have authenticated, you are immediately redirected to a local port that has been opened on `localhost`. This is the receiver of the `id_token`.
The plugin then takes this `id_token` to the AWS API, which validates it with your IDP and, if successful, returns temporary AWS credentials. These are then set as environment variables in your playbook run.
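As an added illustration of the flow just described (not the plugin's own code): a minimal Python sketch of the two steps, the loopback receiver for the `id_token` and the STS exchange that turns it into the environment variables ansible's AWS modules read. It assumes, as the description above says, that the redirect carries the `id_token` as a query parameter (an authorization-code flow would add a code-for-token exchange in between); `authorize_url`, `role_arn`, the `/callback` path and port 8080 are placeholders that must match what is registered at your IDP, and `sts_client` is a boto3 STS client created by the caller.

```python
import os
import secrets
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

# Environment variables that ansible's AWS modules (via boto3) read for credentials
ENV_KEYS = {"AccessKeyId": "AWS_ACCESS_KEY_ID", "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
            "SessionToken": "AWS_SESSION_TOKEN"}

def parse_callback(path, expected_state):
    """Return the id_token from the redirect, or None unless state matches exactly (CSRF guard)."""
    qs = parse_qs(urlparse(path).query)
    if qs.get("state") != [expected_state]:
        return None
    return qs.get("id_token", [None])[0] or None

def credentials_to_env(sts_response):
    """Map an AssumeRoleWithWebIdentity response to the env vars in ENV_KEYS."""
    creds = sts_response["Credentials"]
    return {env: creds[field] for field, env in ENV_KEYS.items()}

def receive_id_token(authorize_url, host="127.0.0.1", port=8080):
    """Open the IDP login in the browser and wait for one valid redirect on a loopback port."""
    state = secrets.token_urlsafe(16)  # fresh per run, so a stale or forged callback is rejected
    result = {}
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            token = parse_callback(self.path, state)
            self.send_response(200 if token else 400)
            self.end_headers()
            if token:
                result["id_token"] = token
                self.wfile.write(b"Login received, you can close this tab.")
        def log_message(self, *args):
            pass  # keep the token and query string out of the console log
    server = HTTPServer((host, port), Handler)  # loopback only; port must match the redirect URI registered at the IDP
    redirect_uri = f"http://{host}:{port}/callback"  # placeholder path, assumed registered at the IDP
    webbrowser.open(f"{authorize_url}?{urlencode({'redirect_uri': redirect_uri, 'state': state})}")
    while "id_token" not in result:
        server.handle_request()  # serve one request at a time until a valid callback arrives
    server.server_close()
    return result["id_token"]

def export_aws_session(sts_client, role_arn, id_token, session_name="ansible"):
    """Exchange the id_token with STS and export the temporary credentials into os.environ."""
    env = credentials_to_env(sts_client.assume_role_with_web_identity(
        RoleArn=role_arn, RoleSessionName=session_name, WebIdentityToken=id_token))
    os.environ.update(env)
    return env
```

Wired together, a run is `export_aws_session(boto3.client("sts"), role_arn, receive_id_token(authorize_url))`; the returned credentials expire, so a long playbook should be prepared to repeat the exchange.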
Probably has some rough edges but does the trick.