External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-06 03:01:06 -03:30
Code Issues Packages Projects Releases Wiki Activity

Allow EC2 inventory sources to omit a credential in order to use IAM roles. Implements https://trello.com/c/aBMF95eF

Browse Source
This commit is contained in:
Chris Church
2014-12-17 01:50:25 -05:00
parent 4ee092152b
commit ee97e83b2c
3 changed files with 13 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
awx/main/models/inventory.py
View File

@@ -976,7 +976,10 @@ class InventorySourceOptions(BaseModel):
'Cloud-based inventory sources (such as %s) require ' 'Cloud-based inventory sources (such as %s) require '
'credentials for the matching cloud service.' % self.source 'credentials for the matching cloud service.' % self.source
) )
elif self.source in CLOUD_PROVIDERS: # Allow an EC2 source to omit the credential. If Tower is running on
# an EC2 instance with an IAM Role assigned, boto will use credentials
# from the instance metadata instead of those explicitly provided.
elif self.source in CLOUD_PROVIDERS and self.source != 'ec2':
raise ValidationError('Credential is required for a cloud source') raise ValidationError('Credential is required for a cloud source')
return cred return cred

5
awx/main/tasks.py
View File

@@ -981,8 +981,9 @@ class RunInventoryUpdate(BaseTask):
# sync with those in Ansible core at all times. # sync with those in Ansible core at all times.
passwords = kwargs.get('passwords', {}) passwords = kwargs.get('passwords', {})
if inventory_update.source == 'ec2': if inventory_update.source == 'ec2':
env['AWS_ACCESS_KEY_ID'] = passwords.get('source_username', '') if passwords.get('source_username', '') and passwords.get('source_password', ''):
env['AWS_SECRET_ACCESS_KEY'] = passwords.get('source_password', '') env['AWS_ACCESS_KEY_ID'] = passwords['source_username']
env['AWS_SECRET_ACCESS_KEY'] = passwords['source_password']
env['EC2_INI_PATH'] = kwargs.get('private_data_file', '') env['EC2_INI_PATH'] = kwargs.get('private_data_file', '')
elif inventory_update.source == 'rax': elif inventory_update.source == 'rax':
env['RAX_CREDS_FILE'] = kwargs.get('private_data_file', '') env['RAX_CREDS_FILE'] = kwargs.get('private_data_file', '')

6
awx/main/tests/inventory.py
View File

@@ -1286,6 +1286,12 @@ class InventoryUpdatesTest(BaseTransactionTest):
with self.current_user(self.super_django_user): with self.current_user(self.super_django_user):
response = self.put(inv_src_url1, inv_src_data, expect=200) response = self.put(inv_src_url1, inv_src_data, expect=200)
self.assertEqual(response['source_regions'], '') self.assertEqual(response['source_regions'], '')
# EC2 sources should allow an empty credential (to support IAM roles).
inv_src_data['credential'] = None
with self.current_user(self.super_django_user):
response = self.put(inv_src_url1, inv_src_data, expect=200)
self.assertEqual(response['credential'], None)
inv_src_data['credential'] = aws_cred_id
# Null for instance filters and group_by should be converted to empty # Null for instance filters and group_by should be converted to empty
# string. # string.
inv_src_data['instance_filters'] = None inv_src_data['instance_filters'] = None