Practitioner Level

Renewing IAM Access Keys with Ansible

Pricing
15 minutes
  • 2 Learning Objectives

About this Hands-on Lab

Rotating AWS access keys is an important part of an overall security strategy. Ansible can help us manage this process. In this exercise, we will see how to work with AWS IAM user keys using Ansible.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Create `/home/ansible/keyUpdate.yml` and Add an Ansible Play that Removes the Old Access Keys for the IAM User `testuser` and Creates a New Set, Stored in `/home/ansible/newkey.txt`

After logging into the EC2 instance, run su - ansible to become the ansible user. The password is the same as it is for cloud_user.

  • Create the playbook and edit it such that it resembles the following:

    - hosts: localhost
gather_facts: no
vars_files:
  - keys.yml
tasks:
  - name: Get access key
    iam:
      aws_access_key: "{{ AWS_ACCESS_KEY_ID }}"
      aws_secret_key: "{{ AWS_SECRET_ACCESS_KEY }}"
      region: "{{ AWS_REGION}}"
      iam_type: user
      name: testuser
      state: present
    register: iam_info

  - name: Remove original key
    iam:
      aws_access_key: "{{ AWS_ACCESS_KEY_ID }}"
      aws_secret_key: "{{ AWS_SECRET_ACCESS_KEY }}"
      region: "{{ AWS_REGION}}"
      iam_type: user
      name: testuser
      state: update
      access_key_ids: "{{ iam_info.user_meta.access_keys[0].access_key_id }}"
      access_key_state: remove

  - name: Create new key
    iam:
      aws_access_key: "{{ AWS_ACCESS_KEY_ID }}"
      aws_secret_key: "{{ AWS_SECRET_ACCESS_KEY }}"
      region: "{{ AWS_REGION}}"
      iam_type: user
      name: testuser
      state: update
      access_key_state: create
    register: new_key

  - name: Store new access key information
    lineinfile:
      create: yes
      path: /home/ansible/newkey.txt
      mode: 0600
      line: "{{ new_key.created_keys[0].access_key_id }}"

  - name: Store new secret key information
    lineinfile:
      path: /home/ansible/newkey.txt
      line: "{{ new_key.created_keys[0].secret_access_key }}"
Run the `/home/ansible/keyUpdate.yml` Playbook to Perform the Required Tasks
  • Run the following command:
    • ansible-playbook /home/ansible/keyUpdate.yml
Contact SalesSee Pricing

Additional Resources

Our boss heard about another company's AWS environment being compromised after IAM user credentials were stolen. In order to protect our company's AWS environment, our boss has tasked us with creating automation that updates IAM keys for a provided user. The company is heavily invested in Ansible, so we have been asked to create the automation using Ansible.

We have been provided an Ansible Control node and a sandbox AWS environment.

Start work on the Ansible Control node:

  • Create the playbook /home/ansible/keyUpdate.yml to perform the following tasks:
    • Look up the current IAM access key for the testuser IAM user.
    • Remove the old access id key and secret access key.
    • Create new keys for the testuser IAM user.
    • Write the new keys to /home/ansible/newkey.txt.
  • Run the playbook /home/ansible/keyUpdate.yml.

The Ansible control node has been configured and already has Ansible installed. The control node also has a system user named ansible configured with SSH access keys and necessary system privileges.

An IAM user ansible has been created on the provided AWS sandbox account. The access keys for the ansible IAM user are stored in /home/ansible/keys.sh and /home/ansible/keys.yml for whichever authentication method we prefer. The ansible IAM user has appropriate permissions to perform the required task.

The default Ansible inventory has been configured to include the Ansible control host as localhost.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Don't have an account?

Get Started
Who’s going to be learning?
MyselfMy Organization