ansible-collections / amazon.aws

Ansible Collection for Amazon AWS
GNU General Public License v3.0

[s3_object] An error occurred (AccessDenied) when calling the GetObjectTagging operation: Access Denied #2114

Open dhoppe opened 1 month ago

dhoppe commented 1 month ago

Summary

When I try to get a presigned URL for a specific version of an S3 object, the Ansible playbook fails. If I remove the version everything works fine.

Since the following command works fine, I can rule out missing permissions.

aws s3api get-object-tagging --bucket bt-installer --key public/aws-cli/awscli-exe-linux-x86_64.zip
{
    "VersionId": "zpKl8rWJVw.dFnAm9fWzmpI4rDbfkSno",
    "TagSet": []
}

Since this is an S3 bucket with an ACL and access for other AWS accounts, I suspect that the get_object_tagging function is missing the ExpectedBucketOwner parameter.

https://botocore.amazonaws.com/v1/documentation/api/latest/reference/services/s3/client/get_object_tagging.html

Issue Type

Bug Report

Component Name

s3_object

Ansible Version

$ ansible --version
ansible [core 2.15.6]
  config file = /home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg
  configured module search path = ['/home/dennis.hoppe.ext/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /home/dennis.hoppe.ext/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] (/usr/bin/python3)
  jinja version = 3.0.3
  libyaml = True

Collection Versions

$ ansible-galaxy collection list
# /usr/share/ansible/collections/ansible_collections
Collection                               Version
---------------------------------------- -------
amazon.aws                               6.5.4
ansible.netcommon                        5.3.0
ansible.posix                            1.5.4
ansible.utils                            3.1.0
ansible.windows                          2.3.0
community.aws                            6.4.0
community.crypto                         2.19.1
community.docker                         3.9.0
community.general                        8.6.0
community.library_inventory_filtering_v1 1.0.1
community.windows                        2.2.0
crowdstrike.falcon                       4.4.0

AWS SDK versions

$ pip show boto boto3 botocore
Name: boto
Version: 2.49.0
Summary: Amazon Web Services Library
Home-page: https://github.com/boto/boto/
Author: Mitch Garnaat
Author-email: mitch@garnaat.com
License: MIT
Location: /usr/lib/python3/dist-packages
Requires:
Required-by:
---
Name: boto3
Version: 1.34.113
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /usr/local/lib/python3.10/dist-packages
Requires: botocore, jmespath, s3transfer
Required-by:
---
Name: botocore
Version: 1.34.113
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /usr/local/lib/python3.10/dist-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: boto3, s3transfer

Configuration

$ ansible-config dump --only-changed
ANSIBLE_FORCE_COLOR(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = True
CONFIG_FILE() = /home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg
DEFAULT_CALLBACK_PLUGIN_PATH(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = ['/usr/share/ansible/plugins/callback', '/home/dennis.hoppe.ext/bt-cloudops-ansible/plugins/c>
DEFAULT_FILTER_PLUGIN_PATH(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = ['/usr/share/ansible/plugins/filter', '/home/dennis.hoppe.ext/bt-cloudops-ansible/plugins/filte>
DEFAULT_FORKS(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = 50
DEFAULT_HOST_LIST(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = ['/home/dennis.hoppe.ext/bt-cloudops-ansible/aws_ec2.yml']
DEFAULT_LOAD_CALLBACK_PLUGINS(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = True
DEFAULT_ROLES_PATH(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = ['/home/dennis.hoppe.ext/bt-cloudops-ansible/roles']
DEFAULT_STDOUT_CALLBACK(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = community.general.yaml
DEFAULT_TIMEOUT(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = 30
DEFAULT_VARS_PLUGIN_PATH(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = ['/usr/share/ansible/plugins/vars', '/home/dennis.hoppe.ext/bt-cloudops-ansible/plugins/vars']
DEFAULT_VAULT_PASSWORD_FILE(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = /home/dennis.hoppe.ext/bt-cloudops-ansible/vault_pass.sh
DISPLAY_SKIPPED_HOSTS(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = False
INVENTORY_ENABLED(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = ['amazon.aws.aws_ec2', 'host_list']
WIN_ASYNC_STARTUP_TIMEOUT(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = 10

OS / Environment

Ubuntu 22.04

Steps to Reproduce

- name: Get presigned URL
  amazon.aws.s3_object:
    bucket: "{{ role_bt_common_get_packages_s3_bucket }}"
    object: "{{ role_bt_common_get_packages_s3_dir }}{{ local_bt_common_get_package_config.dir | default('') }}/{{ local_bt_common_get_package_config.file }}"
    version: "{{ local_bt_common_get_package_config.s3_version | default(omit) }}"
    region: "{{ role_bt_common_get_packages_s3_region }}"
    mode: geturl
  delegate_to: localhost
  register: result_s3_object

Expected Results

I expect to receive a presigned URL for a specific version of an S3 object.

Actual Results

The full traceback is:
Traceback (most recent call last):
  File "/home/dennis.hoppe.ext/.ansible/tmp/ansible-tmp-1716908566.518546-1479237-165880899412666/AnsiballZ_s3_object.py", line 107, in <module>
    _ansiballz_main()
  File "/home/dennis.hoppe.ext/.ansible/tmp/ansible-tmp-1716908566.518546-1479237-165880899412666/AnsiballZ_s3_object.py", line 99, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/home/dennis.hoppe.ext/.ansible/tmp/ansible-tmp-1716908566.518546-1479237-165880899412666/AnsiballZ_s3_object.py", line 47, in invoke_module
    runpy.run_module(mod_name='ansible_collections.amazon.aws.plugins.modules.s3_object', init_globals=dict(_module_fqn='ansible_collections.amazon.aws.plugins.modules.s3_object', _modlib_path=modlib_path),
  File "/usr/lib/python3.10/runpy.py", line 224, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib/python3.10/runpy.py", line 96, in _run_module_code
    _run_code(code, mod_globals, init_globals,
  File "/usr/lib/python3.10/runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 1535, in <module>
  File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 1522, in main
  File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 1262, in s3_object_do_geturl
  File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 952, in get_current_object_tags_dict
  File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/retries.py", line 105, in deciding_wrapper
  File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/cloud.py", line 119, in _retry_wrapper
  File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/cloud.py", line 68, in _retry_func
  File "/usr/local/lib/python3.10/dist-packages/botocore/client.py", line 565, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.10/dist-packages/botocore/client.py", line 1021, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GetObjectTagging operation: Access Denied
fatal: [i-05fbc5cb84deeea26_asg-metadefender-image-ubuntu22-mdtest-202405281455 -> localhost]: FAILED! => changed=false
  module_stderr: |-
    Traceback (most recent call last):
      File "/home/dennis.hoppe.ext/.ansible/tmp/ansible-tmp-1716908566.518546-1479237-165880899412666/AnsiballZ_s3_object.py", line 107, in <module>
        _ansiballz_main()
      File "/home/dennis.hoppe.ext/.ansible/tmp/ansible-tmp-1716908566.518546-1479237-165880899412666/AnsiballZ_s3_object.py", line 99, in _ansiballz_main
        invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
      File "/home/dennis.hoppe.ext/.ansible/tmp/ansible-tmp-1716908566.518546-1479237-165880899412666/AnsiballZ_s3_object.py", line 47, in invoke_module
        runpy.run_module(mod_name='ansible_collections.amazon.aws.plugins.modules.s3_object', init_globals=dict(_module_fqn='ansible_collections.amazon.aws.plugins.modules.s3_object', _modlib_path=modlib_path),
      File "/usr/lib/python3.10/runpy.py", line 224, in run_module
        return _run_module_code(code, init_globals, run_name, mod_spec)
      File "/usr/lib/python3.10/runpy.py", line 96, in _run_module_code
        _run_code(code, mod_globals, init_globals,
      File "/usr/lib/python3.10/runpy.py", line 86, in _run_code
        exec(code, run_globals)
      File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 1535, in <module>
      File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 1522, in main
      File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 1262, in s3_object_do_geturl
      File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 952, in get_current_object_tags_dict
      File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/retries.py", line 105, in deciding_wrapper
      File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/cloud.py", line 119, in _retry_wrapper
      File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/cloud.py", line 68, in _retry_func
      File "/usr/local/lib/python3.10/dist-packages/botocore/client.py", line 565, in _api_call
        return self._make_api_call(operation_name, kwargs)
      File "/usr/local/lib/python3.10/dist-packages/botocore/client.py", line 1021, in _make_api_call
        raise error_class(parsed_response, operation_name)
    botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GetObjectTagging operation: Access Denied
  module_stdout: ''
  msg: |-
    MODULE FAILURE
    See stdout/stderr for the exact error
  rc: 1

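The following is an added diagnostic example, not code from the report above or from the amazon.aws collection. It models offline the two things worth checking before attributing this AccessDenied to the module: the exact keyword arguments that end up in boto3's s3.get_object_tagging call (Bucket, Key, optional VersionId, optional ExpectedBucketOwner), and how IAM evaluates that call. Per the S3 API reference, reading the tags of a specific version requires s3:GetObjectVersionTagging in addition to s3:GetObjectTagging, so a CLI check that omits --version-id does not exercise the same permission as the versioned request. The policy document, bucket name and key in the block are constructed for the example; the evaluator deliberately ignores conditions, bucket policies, SCPs and ACLs.

```python
"""Offline check for "AccessDenied on GetObjectTagging with a VersionId".

Added example, not amazon.aws code. Bucket, key and policy are constructed.
"""
from fnmatch import fnmatchcase


def tagging_kwargs(bucket, key, version_id=None, expected_bucket_owner=None):
    """Build the kwargs for boto3's s3.get_object_tagging.

    VersionId selects a non-current version. ExpectedBucketOwner is a
    guardrail only: the request fails with 403 if the bucket is owned by
    another account; it never grants access that IAM would otherwise deny.
    """
    kwargs = {"Bucket": bucket, "Key": key}
    if version_id:
        kwargs["VersionId"] = version_id
    if expected_bucket_owner:
        kwargs["ExpectedBucketOwner"] = expected_bucket_owner
    return kwargs


def required_actions(version_id=None):
    """IAM actions S3 authorizes for GetObjectTagging, with or without versionId."""
    actions = ["s3:GetObjectTagging"]
    if version_id:
        # Tags of a specific version need the *Version* action as well.
        actions.append("s3:GetObjectVersionTagging")
    return actions


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    # IAM action names are case-insensitive; resource ARNs are not.
    for pattern in _as_list(patterns):
        if case_sensitive and fnmatchcase(value, pattern):
            return True
        if not case_sensitive and fnmatchcase(value.lower(), pattern.lower()):
            return True
    return False


def is_allowed(policy, action, resource):
    """Minimal identity-policy evaluation: an explicit Deny wins, else any Allow.

    Conditions, NotAction/NotResource, resource policies and SCPs are ignored.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action, case_sensitive=False):
            continue
        if not _matches(stmt.get("Resource", []), resource, case_sensitive=True):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_actions(policy, bucket, key, version_id=None):
    """Return the actions the caller lacks for this get_object_tagging call."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    return [a for a in required_actions(version_id) if not is_allowed(policy, a, arn)]


# Constructed policy: enough for an unversioned tag read (the CLI check in the
# report) but not for a versioned one.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectTagging"],
            "Resource": "arn:aws:s3:::example-installer/public/*",
        }
    ],
}


if __name__ == "__main__":
    key = "public/aws-cli/awscli-exe-linux-x86_64.zip"
    print("unversioned call:", tagging_kwargs("example-installer", key))
    print("  missing:", missing_actions(EXAMPLE_POLICY, "example-installer", key))
    print("versioned call:", tagging_kwargs("example-installer", key, "v1"))
    print("  missing:", missing_actions(EXAMPLE_POLICY, "example-installer", key, "v1"))
```

With this policy the unversioned call has no missing actions while the versioned one is missing s3:GetObjectVersionTagging, which is exactly the asymmetry between the working CLI command and the failing task. The live equivalent of the versioned check is `aws s3api get-object-tagging --bucket <bucket> --key <key> --version-id <version>`; if that also returns AccessDenied, the fix is a policy grant, not a module change.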

yarons commented 2 weeks ago

I'm also experiencing the same behavior, but even without specifying the version. Is there a way I can contribute to this issue?