Ansible EC2 Dynamic inventory minimum IAM policies

Has someone figured out the minimum IAM policies required to run the EC2 dynamic inventory script (ec2.py) on ansible via an IAM role?

So far, I haven't seen a concrete reference on this matter other than the specification of credentials for the boto library in the official Ansible documentation. However, in production environments I rarely use key pairs for access to AWS services from EC2 instances; instead I have embraced the use of IAM roles for that scenario.

I have tried policies allowing ec2:Describe* actions, but it doesn't seem to be enough for the script, as it always exits with an Unauthorized operation error.

Could you help me out?

Alejandro Ricoveri asked May 29 '15 00:05


1 Answer

I just created a demo policy, created a new role and used that new policy, and then created a new instance that used that new role.

Demo Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Demo201505282045",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "route53:ListHostedZones",
                "route53:ListResourceRecordSets"
            ],
            "Resource": "*"
        }
    ]
}

I had to add route53 as I use the route53 option (route53 = true in the ec2.ini), but other than that it worked fine.

If you are still having problems, try running ec2.py from the command line (./ec2.py), as that usually gives reasonable error messages when run directly.

keba answered Sep 19 '22 19:09
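As an added example (not part of the answer above, nor of Ansible's ec2.py), the following script checks an IAM policy document against the actions the inventory script is assumed to need before the role is attached, so an "Unauthorized operation" exit can be traced to a missing grant rather than discovered at run time. It embeds the demo policy from the answer and a constructed ec2.ini fragment; the base action list (ec2:DescribeInstances) and the route53 actions being required only when route53 = True in ec2.ini are assumptions for this example. The matcher models IAM's Allow/Deny evaluation for Action patterns (case-insensitive, * and ? wildcards) but not NotAction or Condition blocks.

```python
"""Check whether an IAM policy grants the actions ec2.py is assumed to need.

Added example, not code from the original answer or from ansible.
"""
import configparser
import fnmatch
import json

# Assumed minimal action set for the base EC2 inventory (constructed for this example).
BASE_ACTIONS = ["ec2:DescribeInstances"]
# Only needed when ec2.ini sets route53 = True, as the answer notes.
ROUTE53_ACTIONS = ["route53:ListHostedZones", "route53:ListResourceRecordSets"]

# The demo policy from the answer above, embedded verbatim.
DEMO_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Demo201505282045",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "route53:ListHostedZones",
                "route53:ListResourceRecordSets"
            ],
            "Resource": "*"
        }
    ]
}""")

# Constructed: the policy the question describes (ec2:Describe* only).
EC2_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}],
}

# Constructed: an explicit Deny that overrides a broad Allow.
DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["ec2:Describe*"], "Resource": "*"},
    ],
}

# Constructed ec2.ini fragment with the route53 option enabled.
SAMPLE_INI = """[ec2]
regions = all
route53 = True
"""


def _as_list(value):
    """IAM allows a single string or object where a list is expected."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def action_allowed(policy, action):
    """IAM-style evaluation for one action: a matching Deny always wins,
    otherwise at least one matching Allow is required."""
    allowed = False
    wanted = action.lower()
    for stmt in _as_list(policy.get("Statement")):
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        if not any(fnmatch.fnmatchcase(wanted, p) for p in patterns):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def read_ini_flags(ini_text):
    """Extract the ec2.ini options that change the required action set."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return {"route53": cp.getboolean("ec2", "route53", fallback=False)}


def required_actions(ini_flags):
    required = list(BASE_ACTIONS)
    if ini_flags.get("route53"):
        required += ROUTE53_ACTIONS
    return required


def missing_actions(policy, ini_flags):
    """Return the required actions this policy does not grant (empty list = OK)."""
    return [a for a in required_actions(ini_flags) if not action_allowed(policy, a)]


if __name__ == "__main__":
    flags = read_ini_flags(SAMPLE_INI)
    for name, pol in (("demo", DEMO_POLICY), ("ec2-only", EC2_ONLY_POLICY), ("deny", DENY_POLICY)):
        print(f"{name}: missing {missing_actions(pol, flags)}")
```

Run it against the real ec2.ini and the role's policy JSON (for example, as returned by the IAM console or `aws iam get-role-policy`) before launching the instance; an empty list from `missing_actions` means every assumed action is granted, and a non-empty list names exactly what to add. The Deny case shows why a broad `ec2:*` Allow is not proof of access: an explicit Deny elsewhere in the role's policies still removes the Describe calls.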