ansible-collections / amazon.aws

Ansible Collection for Amazon AWS
GNU General Public License v3.0

amazon.aws.iam_role: EntityAlreadyExists after 7.3.0 collection #2102

Closed marcelmamula closed 2 months ago

marcelmamula commented 7 months ago

Summary

I have been using the 7.3.0 collection for some time, but it stopped working with the upgrade to 7.5.0. amazon.aws.iam_role is no longer able to ignore already existing entries and it fails with

fatal: [ae1ascs -> localhost]: FAILED! => {
    "boto3_version": "1.34.97",
    "botocore_version": "1.34.97",
    "changed": false,
    "error": {
        "code": "EntityAlreadyExists",
        "message": "Instance Profile HA-Role-Pacemaker already exists.",
        "type": "Sender"
Traceback (most recent call last):
  File "/tmp/ansible_amazon.aws.iam_role_payload_olpq3tet/ansible_amazon.aws.iam_role_payload.zip/ansible_collections/amazon/aws/plugins/modules/iam_role.py", line 685, in main
    create_or_update_role(module, client)
  File "/tmp/ansible_amazon.aws.iam_role_payload_olpq3tet/ansible_amazon.aws.iam_role_payload.zip/ansible_collections/amazon/aws/plugins/modules/iam_role.py", line 496, in create_or_update_role
    changed |= create_instance_profiles(client, check_mode, role_name, path)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/ansible_amazon.aws.iam_role_payload_olpq3tet/ansible_amazon.aws.iam_role_payload.zip/ansible_collections/amazon/aws/plugins/modules/iam_role.py", line 523, in create_instance_profiles
    create_iam_instance_profile(client, role_name, path, {})
  File "/tmp/ansible_amazon.aws.iam_role_payload_olpq3tet/ansible_amazon.aws.iam_role_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/errors.py", line 46, in handler
    raise cls._CUSTOM_EXCEPTION(message=f"Failed to {description}", exception=e) from e
ansible_collections.amazon.aws.plugins.module_utils.iam.AnsibleIAMError: Failed to create instance profile: An error occurred (EntityAlreadyExists) when calling the CreateInstanceProfile operation: Instance Profile HA-Role-Pacemaker already exists.

Issue Type

Bug Report

Component Name

amazon.aws.iam_role

Ansible Version

$ ansible --version
ansible [core 2.16.6]
  config file = None
  configured module search path = ['/home/mmamula/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.11/site-packages/ansible
  ansible collection location = /home/mmamula/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.11.9 (main, Apr 08 2024, 06:18:15) [GCC] (/usr/bin/python3.11)
  jinja version = 3.1.3
  libyaml = True

Collection Versions

$ ansible-galaxy collection list
Collection                               Version
---------------------------------------- -------
amazon.aws                               7.5.0
ansible.netcommon                        5.3.0
ansible.posix                            1.5.4
ansible.utils                            2.12.0
ansible.windows                          2.3.0
arista.eos                               6.2.2
awx.awx                                  23.9.0
azure.azcollection                       1.19.0
check_point.mgmt                         5.2.3
chocolatey.chocolatey                    1.5.1
cisco.aci                                2.9.0
cisco.asa                                4.0.3
cisco.dnac                               6.13.3
cisco.intersight                         2.0.8
cisco.ios                                5.3.0
cisco.iosxr                              6.1.1
cisco.ise                                2.8.1
cisco.meraki                             2.18.0
cisco.mso                                2.6.0
cisco.nxos                               5.3.0
cisco.ucs                                1.10.0
cloud.common                             2.1.4
cloudscale_ch.cloud                      2.3.1
community.aws                            7.2.0
community.azure                          2.0.0
community.ciscosmb                       1.0.7
community.crypto                         2.19.0
community.digitalocean                   1.26.0
community.dns                            2.9.0
community.docker                         3.9.0
community.general                        8.6.0
community.grafana                        1.8.0
community.hashi_vault                    6.2.0
community.hrobot                         1.9.2
community.library_inventory_filtering_v1 1.0.1
community.libvirt                        1.3.0
community.mongodb                        1.7.3
community.mysql                          3.9.0
community.network                        5.0.2
community.okd                            2.3.0
community.postgresql                     3.4.0
community.proxysql                       1.5.1
community.rabbitmq                       1.3.0
community.routeros                       2.15.0
community.sap                            2.0.0
community.sap_libs                       1.4.2
community.sops                           1.6.7
community.vmware                         4.3.0
community.windows                        2.2.0
community.zabbix                         2.3.1
containers.podman                        1.13.0
cyberark.conjur                          1.2.2
cyberark.pas                             1.0.25
dellemc.enterprise_sonic                 2.4.0
dellemc.openmanage                       8.7.0
dellemc.powerflex                        2.3.0
dellemc.unity                            1.7.1
f5networks.f5_modules                    1.28.0
fortinet.fortimanager                    2.4.0
fortinet.fortios                         2.3.6
frr.frr                                  2.0.2
gluster.gluster                          1.0.2
google.cloud                             1.3.0
grafana.grafana                          2.2.5
hetzner.hcloud                           2.5.0
hpe.nimble                               1.1.4
ibm.qradar                               2.1.0
ibm.spectrum_virtualize                  2.0.0
ibm.storage_virtualize                   2.3.1
infinidat.infinibox                      1.4.5
infoblox.nios_modules                    1.6.1
inspur.ispim                             2.2.0
inspur.sm                                2.3.0
junipernetworks.junos                    5.3.1
kubernetes.core                          2.4.2
lowlydba.sqlserver                       2.3.2
microsoft.ad                             1.5.0
netapp.aws                               21.7.1
netapp.azure                             21.10.1
netapp.cloudmanager                      21.22.1
netapp.elementsw                         21.7.0
netapp.ontap                             22.11.0
netapp.storagegrid                       21.12.0
netapp.um_info                           21.8.1
netapp_eseries.santricity                1.4.0
netbox.netbox                            3.17.0
ngine_io.cloudstack                      2.3.0
ngine_io.exoscale                        1.1.0
openstack.cloud                          2.2.0
openvswitch.openvswitch                  2.1.1
ovirt.ovirt                              3.2.0
purestorage.flasharray                   1.27.0
purestorage.flashblade                   1.17.0
purestorage.fusion                       1.6.1
sensu.sensu_go                           1.14.0
splunk.es                                2.1.2
t_systems_mms.icinga_director            2.0.1
telekom_mms.icinga_director              1.35.0
theforeman.foreman                       3.15.0
vmware.vmware_rest                       2.3.1
vultr.cloud                              1.12.1
vyos.vyos                                4.1.0
wti.remote                               1.0.5

AWS SDK versions

$ pip show boto boto3 botocore
Name: boto
Version: 2.49.0
Summary: Amazon Web Services Library
Home-page: https://github.com/boto/boto/
Author: Mitch Garnaat
Author-email: mitch@garnaat.com
License: MIT
Location: /home/mmamula/.local/lib/python3.11/site-packages
Requires:
Required-by:
---
Name: boto3
Version: 1.34.97
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /home/mmamula/.local/lib/python3.11/site-packages
Requires: botocore, jmespath, s3transfer
Required-by:
---
Name: botocore
Version: 1.34.97
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /home/mmamula/.local/lib/python3.11/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: boto3, s3transfer

Configuration

$ ansible-config dump --only-changed
CONFIG_FILE() = None
PAGER(env: PAGER) = less

OS / Environment

SLES for SAP 15 SP3, SLES for SAP 15 SP5, openSUSE Tumbleweed

Steps to Reproduce

- name: AWS IAM Role - HA-Role-Pacemaker
  register: __sap_vm_provision_task_aws_iam_role_ha_pacemaker
  no_log: "{{ __sap_vm_provision_no_log }}"
  amazon.aws.iam_role:
    name: "HA-Role-Pacemaker"
    assume_role_policy_document: |
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "sts:AssumeRole",
                  "Sid": "",
                  "Principal": {
                      "Service": "ec2.amazonaws.com"
                  }
              }
          ]
      }
    access_key: "{{ sap_vm_provision_aws_access_key }}"
    secret_key: "{{ sap_vm_provision_aws_secret_access_key }}"

https://github.com/sap-linuxlab/community.sap_infrastructure/blob/0e67afc14738c8731192ef9f5040496c4a96e9b1/roles/sap_vm_provision/tasks/platform_ansible/aws_ec2_vs/execute_setup_ha.yml#L257

Expected Results

IAM role HA-Role-Pacemaker is created.

Actual Results

fatal: [ae1ascs -> localhost]: FAILED! => {
    "boto3_version": "1.34.97",
    "botocore_version": "1.34.97",
    "changed": false,
    "error": {
        "code": "EntityAlreadyExists",
        "message": "Instance Profile HA-Role-Pacemaker already exists.",
        "type": "Sender"
    },
    "invocation": {
        "module_args": {
            "access_key": "XXX",
            "assume_role_policy_document": "{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Effect\": \"Allow\",\n            \"Action\": \"sts:AssumeRole\",\n            \"Sid\": \"\",\n            \"Principal\": {\n                \"Service\": \"ec2.amazonaws.com\"\n            }\n        }\n    ]\n}",
            "aws_ca_bundle": null,
            "aws_config": null,
            "boundary": null,
            "create_instance_profile": true,
            "debug_botocore_endpoint_logs": false,
            "delete_instance_profile": false,
            "description": null,
            "endpoint_url": null,
            "managed_policies": null,
            "max_session_duration": null,
            "name": "HA-Role-Pacemaker",
            "path": null,
            "profile": null,
            "purge_policies": true,
            "purge_tags": true,
            "region": "eu-central-1",
            "secret_key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "session_token": null,
            "state": "present",
            "tags": null,
            "validate_certs": true,
            "wait": true,
            "wait_timeout": 120
        }
    },
    "msg": "Failed to create instance profile: An error occurred (EntityAlreadyExists) when calling the CreateInstanceProfile operation: Instance Profile HA-Role-Pacemaker already exists.",
    "response_metadata": {
        "http_headers": {
            "content-length": "301",
            "content-type": "text/xml",
            "date": "Fri, 03 May 2024 08:20:06 GMT",
            "x-amzn-requestid": "922e49ae-286c-4c03-b673-ed8a22bb13d1"
        },
        "http_status_code": 409,
        "request_id": "933e49ae-286c-4c03-b673-ed8a66bb13d1",
        "retry_attempts": 0
    }
}


marcelmamula commented 5 months ago

Issue still persists with latest version:

amazon.aws                               8.0.1

Log output

TASK [/mnt/c/scripts/community.sap_infrastructure/roles/sap_vm_provision : AWS IAM Role - HA-Role-Pacemaker] ************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ansible_collections.amazon.aws.plugins.module_utils.iam.AnsibleIAMError: Failed to create instance profile: An error occurred (EntityAlreadyExists) when calling the CreateInstanceProfile operation: Instance Profile HA-Role-Pacemaker already exists.

 in a release after 2026-05-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
fatal: [pr2hana0 -> localhost]: FAILED! => {"boto3_version": "1.34.97", "botocore_version": "1.34.97", "changed": false, "error": {"code": "EntityAlreadyExists", "message": "Instance Profile HA-Role-Pacemaker already exists.", "type": "Sender"}, "msg": "Failed to create instance profile: An error occurred (EntityAlreadyExists) when calling the CreateInstanceProfile operation: Instance Profile HA-Role-Pacemaker already exists.", "response_metadata": {"http_headers": {"content-length": "301", "content-type": "text/xml", "date": "Wed, 26 Jun 2024 10:34:26 GMT", "x-amzn-requestid": "X-5e4f-4438-a912-f39dcfb56774"}, "http_status_code": 409, "request_id": "X-5e4f-4438-a912-f39dcfb56774", "retry_attempts": 0}}

chrisahl commented 3 months ago

What needs to happen to get this issue fixed? It is preventing a lot of us from updating to a newer version.

adpavlov commented 3 months ago

+1

tremble commented 3 months ago

The original author (wimnat) is no longer involved with the AWS modules, and while I've done a fair bit of work with this module, I've not had as much time to work on things recently (while I work for Red Hat, this collection isn't part of my core responsibilities).

amazon.aws being the "supported" set of AWS modules, if you are Red Hat customers paying for support of Ansible, then the fastest way to get support will likely be to open a support case through the support portal: https://access.redhat.com/support/

Taking a quick look at the code, combined with some knowledge of the integration tests, if I had to guess, this issue is triggered when there's a pre-existing instance profile with a different (or no) role attached. Would this fit with your environment?

If so, the simplest workaround would be to set create_instance_profile: false and manage the instance profile using the iam_instance_profile module.

chrisahl commented 3 months ago

The main issue with the newer versions is that iam_role is no longer idempotent. Maybe I can get some time to poke around on this and understand what has changed to cause this.

chrisahl commented 3 months ago

Looks to me like some code was dropped during the refactor that used to handle this case - https://github.com/ansible-collections/amazon.aws/commit/d3edef2333ceb3aaa826c1ef870accce9848d096#diff-894c5f1bc94d55c144c10f65e632bec917bde2a54d6206a17ac5bb65c1621328

tremble commented 3 months ago

If it's a pure idempotence issue, then our integration tests should be catching it:

https://github.com/ansible-collections/amazon.aws/blob/main/tests/integration/targets/iam_role/tasks/creation_deletion.yml#L334

This is why I suspect it's related to pre-existing profiles. Another possibility is that it's getting a permission denied on the ListInstanceProfiles call.

If you're able to create a minimal set of tasks to reproduce the issue (starting from nothing), then your chances of getting a fix are somewhat higher (as the developer doesn't need to figure out where the breakage is first).

As I said though, the workaround is simply to split role creation and instance profile creation into two calls:

- amazon.aws.iam_role:
    name: "HA-Role-Pacemaker"
    create_instance_profile: false
    assume_role_policy_document: "{{ assume_policy }}"

- amazon.aws.iam_instance_profile:
    name: "HA-Role-Pacemaker"
    role: "HA-Role-Pacemaker"

chrisahl commented 3 months ago

So I decided to experiment a little with 8.1.0 and try to split the call as suggested so amazon.aws.iam_role has create_instance_profile: false and then call amazon.aws.iam_instance_profile. What happened is that I got a message because iam:GetInstanceProfile was not granted. Once I added this permission to the role, I was able to use the single original call.
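As an added example (not the collection's code nor any commenter's), this shows how the two cases discussed in this thread, a pre-existing instance profile without the role attached and a missing iam:GetInstanceProfile permission, can be handled idempotently with the three IAM calls involved, run against a constructed in-memory stub. FakeIAM, ClientError and ensure_instance_profile are names I made up; the stub assumes the real boto3 IAM client exposes get_instance_profile, create_instance_profile and add_role_to_instance_profile with these keyword arguments.

```python
# Added example, not the collection's code: an idempotent "ensure instance profile"
# step driven by a constructed in-memory IAM stub. With real boto3, FakeIAM becomes
# boto3.client("iam") and ClientError botocore.exceptions.ClientError (same .response layout).

class ClientError(Exception):
    """Stand-in for botocore.exceptions.ClientError."""
    def __init__(self, code, message, op):
        super().__init__(f"An error occurred ({code}) when calling the {op} operation: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}

class FakeIAM:
    """Constructed stub of the three IAM calls the step needs."""
    def __init__(self, profiles=None, deny_get=False):
        self.profiles = dict(profiles or {})  # profile name -> list of attached role names
        self.deny_get = deny_get

    def get_instance_profile(self, InstanceProfileName):
        if self.deny_get:  # models the missing iam:GetInstanceProfile permission
            raise ClientError("AccessDenied", "not authorized: iam:GetInstanceProfile", "GetInstanceProfile")
        if InstanceProfileName not in self.profiles:
            raise ClientError("NoSuchEntity", f"Instance Profile {InstanceProfileName} cannot be found.", "GetInstanceProfile")
        roles = [{"RoleName": r} for r in self.profiles[InstanceProfileName]]
        return {"InstanceProfile": {"InstanceProfileName": InstanceProfileName, "Roles": roles}}

    def create_instance_profile(self, InstanceProfileName, Path="/"):
        if InstanceProfileName in self.profiles:
            raise ClientError("EntityAlreadyExists", f"Instance Profile {InstanceProfileName} already exists.", "CreateInstanceProfile")
        self.profiles[InstanceProfileName] = []
        return {"InstanceProfile": {"InstanceProfileName": InstanceProfileName, "Roles": []}}

    def add_role_to_instance_profile(self, InstanceProfileName, RoleName):
        self.profiles[InstanceProfileName].append(RoleName)

def ensure_instance_profile(client, role_name, check_mode=False):
    """Ensure a profile named role_name exists and carries the role; True if changed."""
    try:
        profile = client.get_instance_profile(InstanceProfileName=role_name)["InstanceProfile"]
    except ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchEntity":
            raise  # AccessDenied etc.: surface it rather than falling through to Create
        if check_mode:
            return True
        profile = client.create_instance_profile(InstanceProfileName=role_name)["InstanceProfile"]
    if role_name in {r["RoleName"] for r in profile["Roles"]}:
        return False  # pre-existing profile already carrying the role: no-op
    if not check_mode:
        client.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    return True
```

Looking up the profile first means an existing profile is reconciled (role attached if missing) instead of hitting CreateInstanceProfile and its EntityAlreadyExists 409, and a denied lookup is reported as AccessDenied so the real permission gap is visible.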

chrisahl commented 2 months ago

I don't think the change in https://github.com/braydencw1/amazon.aws/commit/750eef7e222e4a72ecdaf69edd27f6f8772b3a63, which was published in 8.2.0 is correct. When using amazon.aws.iam_role, create_instance_profile: false DOES NOT work. It still tries to create the profile. Are you sure the change https://github.com/ansible-collections/amazon.aws/blob/8.2.0/plugins/modules/iam_role.py#L733-L734 is correct?

The call was working in 8.1.0.

I opened https://github.com/ansible-collections/amazon.aws/issues/2281 to address this problem