Packer | Ansible | NoCredentialsError: Unable to locate credentials

Time: 2019-06-12 11:23:37

Tags: amazon-web-services ansible packer efs

I am trying to run an Ansible script through Packer to gather EFS facts. In my packer.json I am passing AWS_ACCESS_KEY_ID / KEY / TOKEN. If I run it separately, passing -sts_assume_role in the code, facts.yml works fine.

As suggested by @error404, I added the sts_assume_role task and got an updated log for the problem.

tasks/facts.yml:

---
# Assume the target role, then query EFS with the temporary credentials it returns
- sts_assume_role:
    region: "eu-central-1"   # must be a real region name; "central" is not one
    role_arn: "arn:aws:iam::12345678919:role/jenkins"
    role_session_name: "ansible-connect"
  register: assumed_role

- name: Obtain all EFS facts
  efs_facts:
    aws_access_key: "{{ assumed_role.sts_creds.access_key }}"
    aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}"
    security_token: "{{ assumed_role.sts_creds.session_token }}"
    region: "eu-central-1"
  register: airflow_efs_facts

- debug:
    var: airflow_efs_facts.ansible_facts.efs[0].filesystem_address

My packer.json:

{
  "variables": {
    "aws_region": "eu-central-1",
    "kms_key_id": "{{env `KEY`}}",
    "aws_access_key": "{{env `AWS_ACCESS_KEY_ID`}}",
    "aws_secret_key": "{{env `AWS_SECRET_ACCESS_KEY`}}",
    "aws_session_token": "{{env `AWS_SESSION_TOKEN`}}",
    "subnet_id": "{{env `SUBNET`}}",
    "vpc_id": "{{env `VPC`}}"
  },
  "builders": [
    {
      "type": "amazon-ebs",
      "access_key": "{{user `aws_access_key`}}",
      "secret_key": "{{user `aws_secret_key`}}",
      "token": "{{user `aws_session_token`}}",
      "region": "{{user `aws_region`}}",
      "vpc_id": "{{user `vpc_id`}}",
      "subnet_id": "{{user `subnet_id`}}",

      "source_ami_filter": {
        "filters": {
            "name": "ec2-*",
            "virtualization-type": "hvm",
            "root-device-type": "ebs"
        },
        "owners": "self",
        "most_recent": true
      },
      "encrypt_boot": "true",
      "kms_key_id": "{{user `kms_key_id`}}",
      "instance_type": "t2.large",
      "ssh_username": "ec2-user",
      "ami_block_device_mappings": [
        {
          "device_name": "/dev/xvda",
          "volume_size": 20,
          "volume_type": "gp2",
          "delete_on_termination": true
        }
      ],
      "launch_block_device_mappings": [
        {
          "device_name": "/dev/xvda",
          "volume_size": 20,
          "volume_type": "gp2",
          "delete_on_termination": true
        }
      ],
      "ami_description": "Master AMI to be used to build Server",
      "ami_name": "master-{{isotime \"2006-01-02\"}}",
      "tags": {
        "Name": "master-baseline",
        "ami_version": "{{isotime \"2006-01-02\"}}",
        "ami_cis_benchmark_version": "1.0.0",
        "ami_os": "amazon"
      }
    }
  ],
  "provisioners": [
    {
      "inline": [
        "sudo yum -y install bzip2 python-pip vim wget curl mlocate unzip git  java-1.8.0-openjdk-devel java-1.8.0-openjdk jq",
        "sudo updatedb",
        "sudo pip install ansible",
        "sudo yum -y install python3 python3-pip python3-devel python3-setuptools",
        "sudo yum -y update"
      ],
      "type": "shell"
    },
    {
      "type": "ansible-local",
      "playbook_file": "ansible/plays/install.yml",
      "role_paths": [
            "ansible/roles/master"
      ]
    }
  ]
}

Here is the error message:

    amazon-ebs: TASK [roles/airflow-master : sts_assume_role] **********************************
    amazon-ebs: An exception occurred during task execution. To see the full traceback, use -vvv. The error was: botocore.exceptions.NoCredentialsError: Unable to locate credentials
    amazon-ebs: fatal: [127.0.0.1]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/home/ec2-user/.ansible/tmp/ansible-tmp-1560349713.84-28986519228608/AnsiballZ_sts_assume_role.py\", line 114, in <module>\n    _ansiballz_main()\n  File \"/home/ec2-user/.ansible/tmp/ansible-tmp-1560349713.84-28986519228608/AnsiballZ_sts_assume_role.py\", line 106, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/home/ec2-user/.ansible/tmp/ansible-tmp-1560349713.84-28986519228608/AnsiballZ_sts_assume_role.py\", line 49, in invoke_module\n   

1 answer:

Answer 0 (score: 0)


"In my packer.json I am passing AWS_ACCESS_KEY_ID / KEY / TOKEN"

You are only setting these as Packer user variables. That only means Packer can access them inside the template via {{user `aws_access_key`}}.

A good way to solve this is to create an iam_instance_profile that grants access to the EFS API and use it via the EC2 Instance Profile.
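One way to apply that answer, as an added example that is not part of the original question or answer: the amazon-ebs builder gets an iam_instance_profile (the profile name packer-efs-facts is an assumption), so that boto3 on the build instance finds credentials through the instance metadata service, and the access_key / secret_key / token entries are dropped from the builder, because Packer itself reads the same AWS_* environment variables through the standard AWS credential chain when those options are absent. Only the builder and the ansible-local provisioner are shown; the shell provisioner and block device mappings from the original template are unchanged.

```json
{
  "variables": {
    "aws_region": "eu-central-1",
    "kms_key_id": "{{env `KEY`}}",
    "subnet_id": "{{env `SUBNET`}}",
    "vpc_id": "{{env `VPC`}}",
    "instance_profile": "packer-efs-facts"
  },
  "builders": [
    {
      "type": "amazon-ebs",
      "region": "{{user `aws_region`}}",
      "vpc_id": "{{user `vpc_id`}}",
      "subnet_id": "{{user `subnet_id`}}",
      "iam_instance_profile": "{{user `instance_profile`}}",
      "source_ami_filter": {
        "filters": {
          "name": "ec2-*",
          "virtualization-type": "hvm",
          "root-device-type": "ebs"
        },
        "owners": "self",
        "most_recent": true
      },
      "encrypt_boot": true,
      "kms_key_id": "{{user `kms_key_id`}}",
      "instance_type": "t2.large",
      "ssh_username": "ec2-user",
      "ami_name": "master-{{isotime \"2006-01-02\"}}"
    }
  ],
  "provisioners": [
    {
      "type": "ansible-local",
      "playbook_file": "ansible/plays/install.yml",
      "role_paths": [
        "ansible/roles/master"
      ]
    }
  ]
}
```

With facts.yml left as posted, the role behind the instance profile only needs sts:AssumeRole on arn:aws:iam::12345678919:role/jenkins, and the jenkins role's trust policy must name that role as a principal; if facts.yml is instead changed to call efs_facts with the instance credentials directly, the profile's role needs the elasticfilesystem:Describe* read actions and nothing else. Either way no long-lived key is copied onto the build instance or into Ansible's logs, which is what pushing the user variables into ansible-local via extra_arguments would have done.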