amazon.aws
Support federated users for aws_ec2 inventory plugin
Summary
The aws_ec2 inventory plugin will not authenticate my federated user account regardless of placing credentials directly in the aws_ec2.yaml file or in ~/.aws/credentials or in environment variables.
Since it is possible to retrieve info about all instances still, I'm forced to go that route and scrape the IP addresses out with another script. It would be nice if the available plugin worked for this situation.
Issue Type
Feature Idea
Component Name
aws_ec2 inventory
Additional Information
Code of Conduct
- [X] I agree to follow the Ansible Code of Conduct
Note: as a federated user in an educational account, I am unable to set up IAM users and keys and depend fully on temporary access credentials.
@srees Our integration tests are actually based upon the same type of temporary credentials as are used for federated access. So this should already be functioning.
The important thing to remember, that I've generally seen go wrong, is the need to add not just the `aws_access_key_id` and `aws_secret_access_key`, but also `aws_security_token`. An example can be seen in https://github.com/ansible-collections/amazon.aws/blob/main/tests/integration/targets/inventory_aws_ec2/templates/inventory.yml.j2
The simplest way to use credentials from ~/.aws/credentials is by setting `boto_profile` (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html).
The third option I sometimes use is Instance profiles attached to the VM used as the controller (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html)
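An `aws_ec2.yaml` that reflects the reply above, written here as an added illustration rather than taken from the collection's own template; all credential values are placeholders and the profile name `federated` is assumed:

```yaml
# aws_ec2.yaml (constructed example, not from the amazon.aws repository)
plugin: amazon.aws.aws_ec2
regions:
  - us-east-1

# Incomplete for federated (STS) credentials: the key id and secret alone
# are rejected, because the temporary credential is only valid together
# with the session token that was issued with it.
# aws_access_key_id: "ASIAXXXXXXXXXXXXXXXX"      # placeholder
# aws_secret_access_key: "<placeholder-secret>"

# Complete: supply all three values issued by the federation/STS flow.
# Temporary access key ids begin with ASIA, long-lived IAM keys with AKIA.
aws_access_key_id: "ASIAXXXXXXXXXXXXXXXX"        # placeholder
aws_secret_access_key: "<placeholder-secret>"    # placeholder
aws_security_token: "<placeholder-session-token>"  # placeholder

# Alternative that keeps secrets out of the inventory file: reference a
# named profile in ~/.aws/credentials and store the same three values there.
# In the credentials file the token key is named aws_session_token:
#
#   [federated]
#   aws_access_key_id = ASIAXXXXXXXXXXXXXXXX
#   aws_secret_access_key = <placeholder-secret>
#   aws_session_token = <placeholder-session-token>
#
# boto_profile: federated
```

Temporary credentials expire, so the inventory run has to happen while the token is still valid; an expired token fails in the same way as a missing one.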