Ansible - dynamic aws inventory: read vault variable for ec2.py key and secret

Well you could write a simple task to dump the keys from vault into the boto3 configuration.

---
- name: Ensure AWS credentials configuration is present.
  template:
    src: credentials.j2
    dest: "/home/{{ ansible_user }}/.aws/credentials"

credentials.j2

[default]
aws_access_key_id = {{ aws_access_key_id }}
aws_secret_access_key = {{ aws_secret_access_key }}

Where aws_access_key_id and aws_secret_access_key could be stored in a vault.

The task would than need to be run against the Ansible control host (the host that executes ansible-playbook).

The keys would than be unencrypted on the Ansible control host. IMHO (I could be wrong here) you need to supply plain AWS keys to boto either via environment variables (export command) or via boto configuration.

Ansible makes API calls to AWS via boto. Boto is not part of Ansible. So there is no native way to use parameters defined in Ansible in boto. That functionality would have to be part of boto.

As you mentioned you're running Ansible on a EC2 instance you should actually don't use credentials but roles attached to the EC2 instance: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

The idea is that your instance itself is able to get temporary credentials and can execute the necessary commands which are defined in this role. As you never store any credentials anywhere this is the most secure way to work with the AWS API from an EC2 instance. As Ansible relies on boto this will work out of the box - you just need to create a role which has all the necessary IAM permissions and attach it to your instance you're running Ansible on. After that your dynamic inventory will work without needing any additional credentials.