Allow EC2 inventory sources to omit a credential in order to use IAM roles. Implements https://trello.com/c/aBMF95eF

2026-01-13 11:00:03 -03:30 · 2014-12-17 01:50:25 -05:00 · 2014-12-17 01:50:25 -05:00 · ee97e83b2c
commit ee97e83b2c
parent 4ee092152b
3 changed files with 13 additions and 3 deletions
--- a/awx/main/models/inventory.py
+++ b/awx/main/models/inventory.py
@ -976,7 +976,10 @@ class InventorySourceOptions(BaseModel):
                    'Cloud-based inventory sources (such as %s) require '
                    'credentials for the matching cloud service.' % self.source
                )
-        elif self.source in CLOUD_PROVIDERS:
+        # Allow an EC2 source to omit the credential.  If Tower is running on
+        # an EC2 instance with an IAM Role assigned, boto will use credentials
+        # from the instance metadata instead of those explicitly provided.
+        elif self.source in CLOUD_PROVIDERS and self.source != 'ec2':
            raise ValidationError('Credential is required for a cloud source')
        return cred

--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@ -981,8 +981,9 @@ class RunInventoryUpdate(BaseTask):
        # sync with those in Ansible core at all times.
        passwords = kwargs.get('passwords', {})
        if inventory_update.source == 'ec2':
-            env['AWS_ACCESS_KEY_ID'] = passwords.get('source_username', '')
-            env['AWS_SECRET_ACCESS_KEY'] = passwords.get('source_password', '')
+            if passwords.get('source_username', '') and passwords.get('source_password', ''):
+                env['AWS_ACCESS_KEY_ID'] = passwords['source_username']
+                env['AWS_SECRET_ACCESS_KEY'] = passwords['source_password']
            env['EC2_INI_PATH'] = kwargs.get('private_data_file', '')
        elif inventory_update.source == 'rax':
            env['RAX_CREDS_FILE'] = kwargs.get('private_data_file', '')
--- a/awx/main/tests/inventory.py
+++ b/awx/main/tests/inventory.py
@ -1286,6 +1286,12 @@ class InventoryUpdatesTest(BaseTransactionTest):
        with self.current_user(self.super_django_user):
            response = self.put(inv_src_url1, inv_src_data, expect=200)
            self.assertEqual(response['source_regions'], '')
+        # EC2 sources should allow an empty credential (to support IAM roles).
+        inv_src_data['credential'] = None
+        with self.current_user(self.super_django_user):
+            response = self.put(inv_src_url1, inv_src_data, expect=200)
+            self.assertEqual(response['credential'], None)
+        inv_src_data['credential'] = aws_cred_id
        # Null for instance filters and group_by should be converted to empty
        # string.
        inv_src_data['instance_filters'] = None