No error when missing permission to reboot instance

[rikhul]

Summary

I'm rebooting ec2-instance by amazon.aws.ec2_instance: state: rebooted

and was quite surprised it returned successfully immediately. Turns out role didn't have permissions to StopInstances,StartInstances.

I would've expected task to fail.

Issue Type

Bug Report

Component Name

amazon.aws.ec2_instance

Ansible Version

ansible [core 2.11.8]
  config file = /opt/Ansible/ansible.cfg
  configured module search path = ['/home/ec2-user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ec2-user/.local/lib/python3.7/site-packages/ansible
  ansible collection location = /home/ec2-user/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/ec2-user/.local/bin/ansible
  python version = 3.7.10 (default, Jun  3 2021, 00:02:01) [GCC 7.3.1 20180712 (Red Hat 7.3.1-13)]
  jinja version = 3.0.3
  libyaml = True

Collection Versions

# /home/ec2-user/.ansible/collections/ansible_collections
Collection Version
---------- -------
amazon.aws 3.0.0

# /home/ec2-user/.local/lib/python3.7/site-packages/ansible_collections
Collection                    Version
----------------------------- -------
amazon.aws                    1.5.1
ansible.netcommon             2.5.0
ansible.posix                 1.3.0
ansible.utils                 2.4.3
ansible.windows               1.8.0
arista.eos                    2.2.0
awx.awx                       19.4.0
azure.azcollection            1.10.0
check_point.mgmt              2.2.0
chocolatey.chocolatey         1.1.0
cisco.aci                     2.1.0
cisco.asa                     2.1.0
cisco.intersight              1.0.18
cisco.ios                     2.6.0
cisco.iosxr                   2.6.0
cisco.meraki                  2.5.0
cisco.mso                     1.2.0
cisco.nso                     1.0.3
cisco.nxos                    2.8.2
cisco.ucs                     1.6.0
cloudscale_ch.cloud           2.2.0
community.aws                 1.5.0
community.azure               1.1.0
community.crypto              1.9.8
community.digitalocean        1.13.0
community.docker              1.10.2
community.fortios             1.0.0
community.general             3.8.3
community.google              1.0.0
community.grafana             1.3.0
community.hashi_vault         1.5.0
community.hrobot              1.2.1
community.kubernetes          1.2.1
community.kubevirt            1.0.0
community.libvirt             1.0.2
community.mongodb             1.3.2
community.mysql               2.3.2
community.network             3.0.0
community.okd                 1.1.2
community.postgresql          1.6.0
community.proxysql            1.3.0
community.rabbitmq            1.1.0
community.routeros            1.2.0
community.skydive             1.0.0
community.sops                1.2.0
community.vmware              1.17.0
community.windows             1.8.0
community.zabbix              1.5.1
containers.podman             1.9.0
cyberark.conjur               1.1.0
cyberark.pas                  1.0.13
dellemc.enterprise_sonic      1.1.0
dellemc.openmanage            3.6.0
dellemc.os10                  1.1.1
dellemc.os6                   1.0.7
dellemc.os9                   1.0.4
f5networks.f5_modules         1.13.0
fortinet.fortimanager         2.1.4
fortinet.fortios              2.1.3
frr.frr                       1.0.3
gluster.gluster               1.0.2
google.cloud                  1.0.2
hetzner.hcloud                1.6.0
hpe.nimble                    1.1.4
ibm.qradar                    1.0.3
infinidat.infinibox           1.3.0
inspur.sm                     1.3.0
junipernetworks.junos         2.8.0
kubernetes.core               1.2.1
mellanox.onyx                 1.0.0
netapp.aws                    21.7.0
netapp.azure                  21.10.0
netapp.cloudmanager           21.12.1
netapp.elementsw              21.7.0
netapp.ontap                  21.14.1
netapp.um_info                21.8.0
netapp_eseries.santricity     1.2.13
netbox.netbox                 3.4.0
ngine_io.cloudstack           2.2.2
ngine_io.exoscale             1.0.0
ngine_io.vultr                1.1.0
openstack.cloud               1.5.3
openvswitch.openvswitch       2.1.0
ovirt.ovirt                   1.6.6
purestorage.flasharray        1.11.0
purestorage.flashblade        1.8.1
sensu.sensu_go                1.12.0
servicenow.servicenow         1.0.6
splunk.es                     1.0.2
t_systems_mms.icinga_director 1.26.0
theforeman.foreman            2.2.0
vyos.vyos                     2.6.0
wti.remote                    1.0.3

AWS SDK versions

WARNING: Package(s) not found: boto
Name: boto3
Version: 1.17.5
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email: None
License: Apache License 2.0
Location: /usr/local/lib/python3.7/site-packages
Requires: jmespath, s3transfer, botocore
Required-by:
---
Name: botocore
Version: 1.20.5
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email: None
License: Apache License 2.0
Location: /usr/local/lib/python3.7/site-packages
Requires: urllib3, jmespath, python-dateutil
Required-by: s3transfer, boto3

Configuration

DEFAULT_HOST_LIST(/opt/Ansible/ansible.cfg) = ['/opt/Ansible/hosts']
HOST_KEY_CHECKING(/opt/Ansible/ansible.cfg) = False
INTERPRETER_PYTHON(/opt/Ansible/ansible.cfg) = /usr/bin/python3

OS / Environment

aws linux2

Steps to Reproduce

Role with no IAM permissions to "ec2:StartInstances" nor "ec2:StopInstances"

- name: reboot
  delegate_to: localhost
  become_user: ec2-user
  amazon.aws.ec2_instance:
    state: rebooted
    instance_ids:
      - "{{ ansible_ec2_instance_id }}"

Expected Results

Any error

Actual Results

OK...

Code of Conduct

• [X] I agree to follow the Ansible Code of Conduct

[ansibullbot]

Files identified in the description: None

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

click here for bot help