authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2017-11-14 21:22:19 -0800
committerGitHub <noreply@github.com>2017-11-14 21:22:19 -0800
commitec564267f4a25036c92a71be481cfd9e4c03537a (patch)
tree0e46cd945ae5ddf1c0fe5ef3411fae10da18c314 /roles/openshift_aws/tasks/iam_role.yml
parentc5afbd8a7643f323f02c3bb1c04cf7f40444995c (diff)
parent2a5352ee4fc3962dabd580f7807adb489e8da965 (diff)
Merge pull request #6095 from kwoodson/add_instance_profile_support
Automatic merge from submit-queue. Instance profile support. Purpose of this PR is to remove the AWS cloud-provider credentials from the node and use instance profiles during provisioning time.
Diffstat (limited to 'roles/openshift_aws/tasks/iam_role.yml')
-rw-r--r--roles/openshift_aws/tasks/iam_role.yml36
1 files changed, 36 insertions, 0 deletions
diff --git a/roles/openshift_aws/tasks/iam_role.yml b/roles/openshift_aws/tasks/iam_role.yml
new file mode 100644
index 000000000..d9910d938
--- /dev/null
+++ b/roles/openshift_aws/tasks/iam_role.yml
@@ -0,0 +1,36 @@
+---
+#####
+# Instance profiles consist of two parts. The first part is creating a role
+# in which the instance has access and will use this role's permissions
+# to make API calls on his behalf. This role requires a trust policy
+# which links a service (ec2) to the role. This states that this role
+# has access to make call ec2 API calls.
+# See ../files/trustpolicy.json
+#
+# Currently openshift-node requires
+# access to the AWS API to call describeinstances.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1510519
+#####
+- name: Create an iam role
+ iam_role:
+ name: "{{ item.value.iam_role }}"
+ assume_role_policy_document: "{{ lookup('file','trustpolicy.json') }}"
+ state: "{{ openshift_aws_iam_role_state | default('present') }}"
+ when: item.value.iam_role is defined
+ with_dict: "{{ l_nodes_to_build }}"
+
+#####
+# The second part of this task file is linking the role to a policy
+# that specifies which calls the role can make to the ec2 API.
+# Currently all that is required is DescribeInstances.
+# See ../files/describeinstances.json
+#####
+- name: create an iam policy
+ iam_policy:
+ iam_type: role
+ iam_name: "{{ item.value.iam_role }}"
+ policy_json: "{{ item.value.policy_json }}"
+ policy_name: "{{ item.value.policy_name }}"
+ state: "{{ openshift_aws_iam_role_state | default('present') }}"
+ when: item.value.iam_role is defined
+ with_dict: "{{ l_nodes_to_build }}"
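Review bot: The second task's `when` guard only checks `item.value.iam_role is defined`, yet its body templates `item.value.policy_json` and `item.value.policy_name`, so a node entry that names a role but carries no inline policy makes the loop fail on an undefined variable rather than skipping; tightening it to `when: item.value.iam_role is defined and item.value.policy_json is defined and item.value.policy_name is defined` (or an equivalent `default(omit)`) keeps the role-only case working. The task order also looks wrong for teardown: with `openshift_aws_iam_role_state: absent` the `iam_role` task removes the role before the `iam_policy` task tries to detach its inline policy, which will presumably error against a role that no longer exists, so the two tasks should run in reverse order (or the policy task be skipped) when the state is `absent`. Both the trust policy and the inline policy documents come from files outside this hunk (`trustpolicy.json`, `describeinstances.json`), so the least-privilege claim in the comment block, that only `DescribeInstances` is granted, cannot be verified here and is worth checking in the companion files.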