I'm looking at setting up a deploy server within our VPC and am trying to use an IAM role instead of keys for Ansible's dynamic ec2.py inventory script.
An answer at "Can I use IAM Roles for Ansible" says it is possible; however, it does not indicate what permissions are required.
I'm wondering if someone is able to provide some more details on what permissions are needed to be able to generate a dynamic inventory.
Edit: I've reviewed the docs and I think part of the solution is figuring out what permissions boto's get_all_instances() needs.
Assuming the only inventory you want is EC2-based resources, then allowing the "ec2:Describe*" actions should be sufficient:
See Allow users to list the Amazon EC2 resources that belong to the AWS account
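The following is an added example, not code from the question or either answer: it writes out the "ec2:Describe*" permissions policy (and the EC2 trust policy) for the role and checks a policy document for least privilege. The "Power User" policy below is a constructed approximation (everything except IAM), not the AWS managed policy text.

```python
import fnmatch

# Permissions policy: read-only EC2 metadata is all ec2.py (boto get_all_instances) needs.
# Describe* calls do not support resource-level scoping, so Resource must be "*".
ANSIBLE_INVENTORY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}],
}

# Trust policy for the same role: lets EC2 assume it via the deploy instance's instance profile.
EC2_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}

# Constructed approximation of a "Power User Access" style policy: everything except IAM.
POWER_USER_LIKE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}

READ_ONLY_PATTERNS = ["ec2:Describe*"]

def _matches(action, patterns):
    """Case-insensitive wildcard match of one IAM action against a str or list of patterns."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def excess_actions(policy):
    """Allowed actions beyond read-only EC2 Describe calls; a NotAction grant is reported as '*'."""
    excess = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            excess.append("*")
            continue
        actions = stmt.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            if not _matches(action, READ_ONLY_PATTERNS):
                excess.append(action)
    return excess

def allows(policy, needed):
    """True if `policy` permits the API call `needed`, e.g. 'ec2:DescribeInstances'."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            if not _matches(needed, stmt["NotAction"]):
                return True
        elif _matches(needed, stmt.get("Action", [])):
            return True
    return False
```

`excess_actions` on the inventory policy returns an empty list, while the Power User style policy is flagged as a wildcard grant even though both allow `ec2:DescribeInstances`.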
1. Go to Identity & Access Management / Roles / Create New Role.
2. Role name: ansible (because the instance with this role will run Ansible).
3. Under AWS Service Roles, select Amazon EC2.
4. Choose Power User Access.
5. You will have a policy name and a policy document, one JSON string like this:
6. Next Step / Create Role.