author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2017-11-14 21:22:19 -0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-11-14 21:22:19 -0800 |
commit | ec564267f4a25036c92a71be481cfd9e4c03537a (patch) | |
tree | 0e46cd945ae5ddf1c0fe5ef3411fae10da18c314 /roles/openshift_aws/tasks/iam_role.yml | |
parent | c5afbd8a7643f323f02c3bb1c04cf7f40444995c (diff) | |
parent | 2a5352ee4fc3962dabd580f7807adb489e8da965 (diff) | |
Merge pull request #6095 from kwoodson/add_instance_profile_support
Automatic merge from submit-queue.
Instance profile support.
Purpose of this PR is to remove the AWS cloud-provider credentials from the node and use instance profiles during provisioning time.
Diffstat (limited to 'roles/openshift_aws/tasks/iam_role.yml')
-rw-r--r-- | roles/openshift_aws/tasks/iam_role.yml | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/roles/openshift_aws/tasks/iam_role.yml b/roles/openshift_aws/tasks/iam_role.yml
new file mode 100644
index 000000000..d9910d938
--- /dev/null
+++ b/roles/openshift_aws/tasks/iam_role.yml
@@ -0,0 +1,36 @@
+---
+#####
+# Instance profiles consist of two parts. The first part is creating a role
+# in which the instance has access and will use this role's permissions
+# to make API calls on his behalf. This role requires a trust policy
+# which links a service (ec2) to the role. This states that this role
+# has access to make call ec2 API calls.
+# See ../files/trustpolicy.json
+#
+# Currently openshift-node requires
+# access to the AWS API to call describeinstances.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1510519
+#####
+- name: Create an iam role
+ iam_role:
+ name: "{{ item.value.iam_role }}"
+ assume_role_policy_document: "{{ lookup('file','trustpolicy.json') }}"
+ state: "{{ openshift_aws_iam_role_state | default('present') }}"
+ when: item.value.iam_role is defined
+ with_dict: "{{ l_nodes_to_build }}"
+
+#####
+# The second part of this task file is linking the role to a policy
+# that specifies which calls the role can make to the ec2 API.
+# Currently all that is required is DescribeInstances.
+# See ../files/describeinstances.json
+#####
+- name: create an iam policy
+ iam_policy:
+ iam_type: role
+ iam_name: "{{ item.value.iam_role }}"
+ policy_json: "{{ item.value.policy_json }}"
+ policy_name: "{{ item.value.policy_name }}"
+ state: "{{ openshift_aws_iam_role_state | default('present') }}"
+ when: item.value.iam_role is defined
+ with_dict: "{{ l_nodes_to_build }}"
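Review bot: The header comment in the new file misstates what `trustpolicy.json` does: an assume-role (trust) policy only says which principal — here the ec2 service — may assume the role, and grants no API permissions itself; those come solely from the inline policy attached by the second task. Suggest replacing `# This states that this role` / `# has access to make call ec2 API calls.` with `# This only lets the ec2 service assume the role; it grants no API permissions.` so a maintainer does not widen the trust policy expecting to gain access. Separately, both tasks read the same `openshift_aws_iam_role_state`, so with `absent` the iam_role task runs before the iam_policy task removes the inline policy, and AWS rejects DeleteRole while inline policies remain — the absent path would likely need the policy task ordered first, unless the iam_role module cleans inline policies itself (not verifiable here). Note also that `policy_json` is taken unconstrained from `l_nodes_to_build`, so the DescribeInstances-only scope claimed in the comment is enforced only by the caller's data, not by this task file.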