Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/tumbl3w33d/ansible-oidc-aws-token-plugin

Retrieves temporary AWS session token based on id_token exchange via OIDC IDP for use with ansible.
https://github.com/tumbl3w33d/ansible-oidc-aws-token-plugin

ansible ansible-plugin aws idp oidc openid-connect plugin

Last synced: about 1 month ago
JSON representation

Retrieves temporary AWS session token based on id_token exchange via OIDC IDP for use with ansible.

Awesome Lists containing this project

README

        

# ansible-oidc-aws-token-plugin

This is an ansible callback plugin which enriches the environment of a playbook run with variables used with ansible's AWS modules. That means you do not have to set them in any other way.

The AWS credentials used are temporary session tokens which can be retrieved from an AWS IAM identity provider which is connected to an (AWS-)external OIDC identity provider. This has only been tested with the one and only IDP – [kanidm](https://github.com/kanidm/kanidm). 🦀

It can probably be modified to work with others.

## ⚠️ Disclaimer

It is important to highlight that this plugin is provided on an 'as-is' basis, without any form of express or implied warranty. Under no circumstances shall the authors be held accountable for any damages or liabilities arising from the utilization of this plugin. Users are advised to proceed at their own risk.

## How to

* create a public client OAuth2 configuration in your IDP (i.e., no client_secret involved)
* create an **IAM identity provider** which is linked to your IDP
* you will be asked to assign a role to the **IAM identity provider**
* this role is the one that will be assumed by this authentication process
* it has "**web identity**" configured as trusted entity
* during creation, you point it to the **IAM identity provider** you just created
* drop the plugin file into a path where ansible looks for plugins (by default that is `callback_plugins` in the project root, but you can configure others)
* enable the plugin in your `ansible.cfg` (`callbacks_enabled`)
* configure the plugin using environment variables
* look for `os.environ.get` in the plugin code to know what you can configure

## What can I expect to happen?

You start the playbook and a browser window/tab appears with the configured URL of your IDP. Once you authenticated, you immediately get redirected to a local port that has been opened on `localhost`. This is the receiver of the `id_token`.

The plugin will then take this `id_token` to the AWS API which validates it with your IDP and, if succesful, returns temporary AWS credentials which are then set as environment variables in your playbook run.

## State of development

Probably has some rough edges but does the trick.