Closed rikhul closed 2 years ago
Summary

I'm rebooting ec2-instance by

```yaml
amazon.aws.ec2_instance:
  state: rebooted
```

and was quite surprised it returned successfully immediately. Turns out role didn't have permissions to StopInstances, StartInstances.
I would've expected task to fail.

Issue Type

Bug Report

Component Name

amazon.aws.ec2_instance
Ansible Version

```
ansible [core 2.11.8]
  config file = /opt/Ansible/ansible.cfg
  configured module search path = ['/home/ec2-user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ec2-user/.local/lib/python3.7/site-packages/ansible
  ansible collection location = /home/ec2-user/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/ec2-user/.local/bin/ansible
  python version = 3.7.10 (default, Jun 3 2021, 00:02:01) [GCC 7.3.1 20180712 (Red Hat 7.3.1-13)]
  jinja version = 3.0.3
  libyaml = True
```
Collection Versions

```
# /home/ec2-user/.ansible/collections/ansible_collections
Collection Version
---------- -------
amazon.aws 3.0.0

# /home/ec2-user/.local/lib/python3.7/site-packages/ansible_collections
Collection                    Version
----------------------------- -------
amazon.aws                    1.5.1
ansible.netcommon             2.5.0
ansible.posix                 1.3.0
ansible.utils                 2.4.3
ansible.windows               1.8.0
arista.eos                    2.2.0
awx.awx                       19.4.0
azure.azcollection            1.10.0
check_point.mgmt              2.2.0
chocolatey.chocolatey         1.1.0
cisco.aci                     2.1.0
cisco.asa                     2.1.0
cisco.intersight              1.0.18
cisco.ios                     2.6.0
cisco.iosxr                   2.6.0
cisco.meraki                  2.5.0
cisco.mso                     1.2.0
cisco.nso                     1.0.3
cisco.nxos                    2.8.2
cisco.ucs                     1.6.0
cloudscale_ch.cloud           2.2.0
community.aws                 1.5.0
community.azure               1.1.0
community.crypto              1.9.8
community.digitalocean        1.13.0
community.docker              1.10.2
community.fortios             1.0.0
community.general             3.8.3
community.google              1.0.0
community.grafana             1.3.0
community.hashi_vault         1.5.0
community.hrobot              1.2.1
community.kubernetes          1.2.1
community.kubevirt            1.0.0
community.libvirt             1.0.2
community.mongodb             1.3.2
community.mysql               2.3.2
community.network             3.0.0
community.okd                 1.1.2
community.postgresql          1.6.0
community.proxysql            1.3.0
community.rabbitmq            1.1.0
community.routeros            1.2.0
community.skydive             1.0.0
community.sops                1.2.0
community.vmware              1.17.0
community.windows             1.8.0
community.zabbix              1.5.1
containers.podman             1.9.0
cyberark.conjur               1.1.0
cyberark.pas                  1.0.13
dellemc.enterprise_sonic      1.1.0
dellemc.openmanage            3.6.0
dellemc.os10                  1.1.1
dellemc.os6                   1.0.7
dellemc.os9                   1.0.4
f5networks.f5_modules         1.13.0
fortinet.fortimanager         2.1.4
fortinet.fortios              2.1.3
frr.frr                       1.0.3
gluster.gluster               1.0.2
google.cloud                  1.0.2
hetzner.hcloud                1.6.0
hpe.nimble                    1.1.4
ibm.qradar                    1.0.3
infinidat.infinibox           1.3.0
inspur.sm                     1.3.0
junipernetworks.junos         2.8.0
kubernetes.core               1.2.1
mellanox.onyx                 1.0.0
netapp.aws                    21.7.0
netapp.azure                  21.10.0
netapp.cloudmanager           21.12.1
netapp.elementsw              21.7.0
netapp.ontap                  21.14.1
netapp.um_info                21.8.0
netapp_eseries.santricity     1.2.13
netbox.netbox                 3.4.0
ngine_io.cloudstack           2.2.2
ngine_io.exoscale             1.0.0
ngine_io.vultr                1.1.0
openstack.cloud               1.5.3
openvswitch.openvswitch       2.1.0
ovirt.ovirt                   1.6.6
purestorage.flasharray        1.11.0
purestorage.flashblade        1.8.1
sensu.sensu_go                1.12.0
servicenow.servicenow         1.0.6
splunk.es                     1.0.2
t_systems_mms.icinga_director 1.26.0
theforeman.foreman            2.2.0
vyos.vyos                     2.6.0
wti.remote                    1.0.3
```
AWS SDK versions

```
WARNING: Package(s) not found: boto
Name: boto3
Version: 1.17.5
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email: None
License: Apache License 2.0
Location: /usr/local/lib/python3.7/site-packages
Requires: jmespath, s3transfer, botocore
Required-by:
---
Name: botocore
Version: 1.20.5
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email: None
License: Apache License 2.0
Location: /usr/local/lib/python3.7/site-packages
Requires: urllib3, jmespath, python-dateutil
Required-by: s3transfer, boto3
```

Configuration

```
DEFAULT_HOST_LIST(/opt/Ansible/ansible.cfg) = ['/opt/Ansible/hosts']
HOST_KEY_CHECKING(/opt/Ansible/ansible.cfg) = False
INTERPRETER_PYTHON(/opt/Ansible/ansible.cfg) = /usr/bin/python3
```
OS / Environment

aws linux2

Steps to Reproduce

Role with no IAM permissions to "ec2:StartInstances" nor "ec2:StopInstances"

```yaml
- name: reboot
  delegate_to: localhost
  become_user: ec2-user
  amazon.aws.ec2_instance:
    state: rebooted
    instance_ids:
      - "{{ ansible_ec2_instance_id }}"
```

Expected Results

Any error

Actual Results

OK...
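
A preflight check can make the missing permissions described in this report fail loudly before the reboot task runs. The following is an added example, not code from the issue or from the amazon.aws collection: it uses EC2's `DryRun` flag to list which of the two actions named above the caller is denied. `StubEC2`, `missing_reboot_permissions` and the instance id are constructed for illustration so the block runs offline.

```python
# Added example: preflight IAM check using EC2's DryRun flag.
try:
    from botocore.exceptions import ClientError
except ImportError:  # minimal stand-in so the offline demo runs without botocore
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(f"{operation_name}: {error_response['Error']['Code']}")
            self.response = error_response

# IAM action -> boto3 EC2 client method, for the two actions named in the report
REBOOT_ACTIONS = {
    "ec2:StopInstances": "stop_instances",
    "ec2:StartInstances": "start_instances",
}

def missing_reboot_permissions(ec2, instance_id):
    """Return the IAM actions from REBOOT_ACTIONS that the caller is denied."""
    denied = []
    for action, method in REBOOT_ACTIONS.items():
        try:
            # DryRun=True asks EC2 to authorize the call without executing it
            getattr(ec2, method)(InstanceIds=[instance_id], DryRun=True)
        except ClientError as err:
            code = err.response["Error"]["Code"]
            if code == "UnauthorizedOperation":
                denied.append(action)
            elif code != "DryRunOperation":  # DryRunOperation means "allowed"
                raise  # e.g. unknown instance id: surface it, don't guess
    return denied

class StubEC2:
    """Constructed stand-in for boto3.client("ec2"); answers DryRun calls only."""
    def __init__(self, allowed):
        self.allowed = set(allowed)
    def _answer(self, action):
        code = "DryRunOperation" if action in self.allowed else "UnauthorizedOperation"
        raise ClientError({"Error": {"Code": code, "Message": action}}, action)
    def stop_instances(self, InstanceIds, DryRun):
        self._answer("ec2:StopInstances")
    def start_instances(self, InstanceIds, DryRun):
        self._answer("ec2:StartInstances")

if __name__ == "__main__":
    # Constructed case matching the report: a role with neither permission.
    # With real credentials, pass boto3.client("ec2") instead of the stub.
    denied = missing_reboot_permissions(StubEC2(allowed=[]), "i-0123456789abcdef0")
    print("missing permissions:", ", ".join(denied) or "none")
```

Run from a playbook before the reboot task, a non-empty result is the point at which to fail the play.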
Files identified in the description: None
If these files are inaccurate, please update the component name section of the description or use the !component bot command.