Actual Results
The full traceback is:
Traceback (most recent call last):
File "/home/dennis.hoppe.ext/.ansible/tmp/ansible-tmp-1716908566.518546-1479237-165880899412666/AnsiballZ_s3_object.py", line 107, in <module>
_ansiballz_main()
File "/home/dennis.hoppe.ext/.ansible/tmp/ansible-tmp-1716908566.518546-1479237-165880899412666/AnsiballZ_s3_object.py", line 99, in _ansiballz_main
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
File "/home/dennis.hoppe.ext/.ansible/tmp/ansible-tmp-1716908566.518546-1479237-165880899412666/AnsiballZ_s3_object.py", line 47, in invoke_module
runpy.run_module(mod_name='ansible_collections.amazon.aws.plugins.modules.s3_object', init_globals=dict(_module_fqn='ansible_collections.amazon.aws.plugins.modules.s3_object', _modlib_path=modlib_path),
File "/usr/lib/python3.10/runpy.py", line 224, in run_module
return _run_module_code(code, init_globals, run_name, mod_spec)
File "/usr/lib/python3.10/runpy.py", line 96, in _run_module_code
_run_code(code, mod_globals, init_globals,
File "/usr/lib/python3.10/runpy.py", line 86, in _run_code
exec(code, run_globals)
File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 1535, in <module>
File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 1522, in main
File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 1262, in s3_object_do_geturl
File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 952, in get_current_object_tags_dict
File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/retries.py", line 105, in deciding_wrapper
File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/cloud.py", line 119, in _retry_wrapper
File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/cloud.py", line 68, in _retry_func
File "/usr/local/lib/python3.10/dist-packages/botocore/client.py", line 565, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/local/lib/python3.10/dist-packages/botocore/client.py", line 1021, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GetObjectTagging operation: Access Denied
fatal: [i-05fbc5cb84deeea26_asg-metadefender-image-ubuntu22-mdtest-202405281455 -> localhost]: FAILED! => changed=false
module_stderr: |-
Traceback (most recent call last):
File "/home/dennis.hoppe.ext/.ansible/tmp/ansible-tmp-1716908566.518546-1479237-165880899412666/AnsiballZ_s3_object.py", line 107, in <module>
_ansiballz_main()
File "/home/dennis.hoppe.ext/.ansible/tmp/ansible-tmp-1716908566.518546-1479237-165880899412666/AnsiballZ_s3_object.py", line 99, in _ansiballz_main
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
File "/home/dennis.hoppe.ext/.ansible/tmp/ansible-tmp-1716908566.518546-1479237-165880899412666/AnsiballZ_s3_object.py", line 47, in invoke_module
runpy.run_module(mod_name='ansible_collections.amazon.aws.plugins.modules.s3_object', init_globals=dict(_module_fqn='ansible_collections.amazon.aws.plugins.modules.s3_object', _modlib_path=modlib_path),
File "/usr/lib/python3.10/runpy.py", line 224, in run_module
return _run_module_code(code, init_globals, run_name, mod_spec)
File "/usr/lib/python3.10/runpy.py", line 96, in _run_module_code
_run_code(code, mod_globals, init_globals,
File "/usr/lib/python3.10/runpy.py", line 86, in _run_code
exec(code, run_globals)
File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 1535, in <module>
File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 1522, in main
File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 1262, in s3_object_do_geturl
File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 952, in get_current_object_tags_dict
File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/retries.py", line 105, in deciding_wrapper
File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/cloud.py", line 119, in _retry_wrapper
File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/cloud.py", line 68, in _retry_func
File "/usr/local/lib/python3.10/dist-packages/botocore/client.py", line 565, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/local/lib/python3.10/dist-packages/botocore/client.py", line 1021, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GetObjectTagging operation: Access Denied
module_stdout: ''
msg: |-
MODULE FAILURE
See stdout/stderr for the exact error
rc: 1
Summary
When I try to get a presigned URL for a specific version of an S3 object, the Ansible playbook fails. If I remove the version everything works fine.
Since the following command works fine, I can rule out missing permissions.
Since this is an S3 bucket including ACL and Access for other AWS accounts, I suspect that the get_object_tagging function is missing the ExpectedBucketOwner parameter. https://botocore.amazonaws.com/v1/documentation/api/latest/reference/services/s3/client/get_object_tagging.html
Issue Type
Bug Report
Component Name
s3_object
Ansible Version
Collection Versions
AWS SDK versions
Configuration
OS / Environment
Ubuntu 22.04
Steps to Reproduce
Expected Results
I expect to receive a presigned URL for a specific version of an S3 object.
Actual Results
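One check worth running against a failure like the one reported above, as an added example that is not part of the issue or of the amazon.aws collection: S3 authorizes version-specific reads under separate IAM actions (`s3:GetObjectVersion`, `s3:GetObjectVersionTagging`), so an identity that can read and tag-query the current version can still get AccessDenied once a version ID is sent. The sketch assumes the module forwards the version ID to both calls; the policy, bucket name and the list of calls are constructed, and the evaluator only looks at `Allow` statements (no `Deny`, `Resource` or `Condition` handling).

```python
from fnmatch import fnmatchcase

# IAM action S3 checks for each operation, keyed by (operation, version ID sent?).
REQUIRED_ACTIONS = {
    ("GetObject", False): "s3:GetObject",
    ("GetObject", True): "s3:GetObjectVersion",
    ("GetObjectTagging", False): "s3:GetObjectTagging",
    ("GetObjectTagging", True): "s3:GetObjectVersionTagging",
}

def allowed_actions(policy):
    """Return lowercased Action patterns from Allow statements only."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    patterns = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return [p.lower() for p in patterns]  # IAM action names are case-insensitive

def missing_actions(policy, operations, versioned):
    """List the IAM actions the operations need that the policy does not allow."""
    patterns = allowed_actions(policy)
    missing = []
    for op in operations:
        action = REQUIRED_ACTIONS[(op, versioned)]
        if not any(fnmatchcase(action.lower(), p) for p in patterns):
            missing.append(action)
    return missing

# Constructed sample: tagging is allowed for the current version only.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectTagging"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

# Assumed set of S3 calls behind a geturl run (tag lookup plus the presigned GET).
GETURL_CALLS = ["GetObject", "GetObjectTagging"]

if __name__ == "__main__":
    for versioned in (False, True):
        print("version ID sent:", versioned,
              "missing:", missing_actions(SAMPLE_POLICY, GETURL_CALLS, versioned))
```
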