ansible-collections / community.aws

Ansible Collection for Community AWS
GNU General Public License v3.0

DeleteObject AccessDenied when Cleaning up Scripts in Config bucket #1540

Closed peraltadavidtrvlx closed 4 days ago

peraltadavidtrvlx commented 2 years ago

Summary

I am trying to run PowerShell scripts on a remote Windows server in a different account and region, but it fails when deleting the object in the SSM config bucket. SSM is able to upload the script to the config bucket but fails on deletion.

File "/home/circleci/.ansible/collections/ansible_collections/community/aws/plugins/connection/aws_ssm.py", line 628, in _file_transport_command client.delete_object(Bucket=self.get_option('bucket_name'), Key=s3_path)

Issue Type

Bug Report

Component Name

File "/home/circleci/.ansible/collections/ansible_collections/community/aws/plugins/connection/aws_ssm.py", line 628, in _file_transport_command

DeleteObject is denied when running commands on a remote instance in a separate account and a different region:

SSM is invoked in eu-west-1 and the target is an instance in a separate account in ap-southeast-2.

Ansible Version

$ ansible --version
ansible [core 2.13.4]
  config file = None
  configured module search path = ['/home/circleci/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/circleci/.local/lib/python3.8/site-packages/ansible
  ansible collection location = /home/circleci/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.8.10 (default, Jun 22 2022, 20:18:18) [GCC 9.4.0]
  jinja version = 3.1.2
  libyaml = True

Collection Versions

$ ansible-galaxy collection list
# /home/circleci/.ansible/collections/ansible_collections
Collection    Version
------------- -------
amazon.aws    4.2.0
community.aws 4.2.0

# /home/circleci/.local/lib/python3.8/site-packages/ansible_collections
Collection                    Version
----------------------------- -------
amazon.aws                    3.4.0
ansible.netcommon             3.1.1
ansible.posix                 1.4.0
ansible.utils                 2.6.1
ansible.windows               1.11.1
arista.eos                    5.0.1
awx.awx                       21.5.0
azure.azcollection            1.13.0
check_point.mgmt              2.3.0
chocolatey.chocolatey         1.3.0
cisco.aci                     2.2.0
cisco.asa                     3.1.0
cisco.dnac                    6.6.0
cisco.intersight              1.0.19
cisco.ios                     3.3.1
cisco.iosxr                   3.3.1
cisco.ise                     2.5.3
cisco.meraki                  2.11.0
cisco.mso                     2.0.0
cisco.nso                     1.0.3
cisco.nxos                    3.1.1
cisco.ucs                     1.8.0
cloud.common                  2.1.2
cloudscale_ch.cloud           2.2.2
community.aws                 3.5.0
community.azure               1.1.0
community.ciscosmb            1.0.5
community.crypto              2.5.0
community.digitalocean        1.21.0
community.dns                 2.3.2
community.docker              2.7.1
community.fortios             1.0.0
community.general             5.6.0
community.google              1.0.0
community.grafana             1.5.2
community.hashi_vault         3.2.0
community.hrobot              1.5.2
community.libvirt             1.2.0
community.mongodb             1.4.2
community.mysql               3.5.1
community.network             4.0.1
community.okd                 2.2.0
community.postgresql          2.2.0
community.proxysql            1.4.0
community.rabbitmq            1.2.2
community.routeros            2.3.0
community.sap                 1.0.0
community.sap_libs            1.3.0
community.skydive             1.0.0
community.sops                1.4.0
community.vmware              2.9.1
community.windows             1.11.0
community.zabbix              1.8.0
containers.podman             1.9.4
cyberark.conjur               1.2.0
cyberark.pas                  1.0.14
dellemc.enterprise_sonic      1.1.2
dellemc.openmanage            5.5.0
dellemc.os10                  1.1.1
dellemc.os6                   1.0.7
dellemc.os9                   1.0.4
f5networks.f5_modules         1.19.0
fortinet.fortimanager         2.1.5
fortinet.fortios              2.1.7
frr.frr                       2.0.0
gluster.gluster               1.0.2
google.cloud                  1.0.2
hetzner.hcloud                1.8.2
hpe.nimble                    1.1.4
ibm.qradar                    2.1.0
ibm.spectrum_virtualize       1.9.0
infinidat.infinibox           1.3.3
infoblox.nios_modules         1.3.0
inspur.ispim                  1.0.1
inspur.sm                     2.0.0
junipernetworks.junos         3.1.0
kubernetes.core               2.3.2
mellanox.onyx                 1.0.0
netapp.aws                    21.7.0
netapp.azure                  21.10.0
netapp.cloudmanager           21.19.0
netapp.elementsw              21.7.0
netapp.ontap                  21.23.0
netapp.storagegrid            21.11.0
netapp.um_info                21.8.0
netapp_eseries.santricity     1.3.1
netbox.netbox                 3.7.1
ngine_io.cloudstack           2.2.4
ngine_io.exoscale             1.0.0
ngine_io.vultr                1.1.2
openstack.cloud               1.9.1
openvswitch.openvswitch       2.1.0
ovirt.ovirt                   2.2.3
purestorage.flasharray        1.13.0
purestorage.flashblade        1.10.0
purestorage.fusion            1.1.0
sensu.sensu_go                1.13.1
servicenow.servicenow         1.0.6
splunk.es                     2.1.0
t_systems_mms.icinga_director 1.31.0
theforeman.foreman            3.6.0
vmware.vmware_rest            2.2.0
vultr.cloud                   1.1.0
vyos.vyos                     3.0.1
wti.remote                    1.0.4

AWS SDK versions

$ pip show boto boto3 botocore
WARNING: Package(s) not found: boto
Name: boto3
Version: 1.24.82
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email: None
License: Apache License 2.0
Location: /home/circleci/.local/lib/python3.8/site-packages
Requires: s3transfer, botocore, jmespath
Required-by:
---
Name: botocore
Version: 1.27.82
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email: None
License: Apache License 2.0
Location: /home/circleci/.local/lib/python3.8/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: s3transfer, boto3

Configuration

$ ansible-config dump --only-changed
bash: ansible-config: command not found

OS / Environment

DISTRIB_ID=Ubuntu DISTRIB_RELEASE=20.04 DISTRIB_CODENAME=focal DISTRIB_DESCRIPTION="Ubuntu 20.04.4 LTS"

Steps to Reproduce

deploy.yml

- name: Assume role
  hosts: localhost
  tasks:
  - sts_assume_role:
      role_arn: "arn:aws:iam::354840654034:role/tvx-test-runner-deploy"
      role_session_name: "sydney_sample"
      region: ap-southeast-2
      duration_seconds: 900
    register: assumed_role
    no_log: false

- name: run command
  hosts: sydney
  gather_facts: false
  vars:
    ansible_aws_ssm_access_key_id: "{{ hostvars['localhost']['assumed_role']['sts_creds']['access_key'] }}"
    ansible_aws_ssm_secret_access_key: "{{ hostvars['localhost']['assumed_role']['sts_creds']['secret_key'] }}"
    ansible_aws_ssm_session_token: "{{ hostvars['localhost']['assumed_role']['sts_creds']['session_token'] }}"
  tasks:
  - name: debug
    debug: var=ansible_aws_ssm_access_key_id
  - name: Shell
    win_command: hostname

inventory.yml

[sydney]
i-00b51caa9f0d972ed

[sydney:vars]
ansible_connection = community.aws.aws_ssm
ansible_aws_ssm_region = ap-southeast-2
ansible_shell_type = powershell
ansible_aws_ssm_bucket_name = ssmsamplebucket-ireland

command:

ansible-playbook -i inventory.ini deploy.yml

Expected Results

TASK [Shell] *****
task path: /home/circleci/playbooks/deploy.yml:22
redirecting (type: modules) ansible.builtin.win_command to ansible.windows.win_command
redirecting (type: modules) ansible.builtin.win_command to ansible.windows.win_command
changed: [i-00b51caa9f0d972ed] => {"changed": true, "cmd": "hostname", "delta": "0:00:00.090585", "end": "2022-09-28 17:53:21.363015", "rc": 0, "start": "2022-09-28 17:53:21.272429", "stderr": "", "stderr_lines": [], "stdout": "EC2AMAZ-12HO4NT\r\n", "stdout_lines": ["EC2AMAZ-12HO4NT"]}

Actual Results

<i-00b51caa9f0d972ed> ssm_retry: attempt: 2, caught exception(An error occurred (AccessDenied) when calling the DeleteObject operation: Access Denied) from cmd (/home/ssm-user/.ansible/tmp/ansible-local-203313twil_u_x/tmppcwuj2fc...), pausing for 3 seconds
<i-00b51caa9f0d972ed> CLOSING SSM CONNECTION TO: i-xxxxxx
<i-00b51caa9f0d972ed> ESTABLISH SSM CONNECTION TO: i-xxxxxxx
<i-00b51caa9f0d972ed> SSM CONNECTION ID: sydney_sample-xxxxxxxx
<i-00b51caa9f0d972ed> EXEC Invoke-WebRequest 'https://tvx-ci-ssm-bucket.s3.amazonaws.com/i-00b51caa9f0d972ed/C%3A/Windows/TEMP/ansible-tmp-1664386390.7079988-203385-78361209385456/AnsiballZ_win_command.ps1?xxxxx' -OutFile 'C:\Windows\TEMP\ansible-tmp-1664386390.7079988-203385-78361209385456\AnsiballZ_win_command.ps1'
<i-00b51caa9f0d972ed> (0, '', '')
<i-00b51caa9f0d972ed> EXEC PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand xxxx
<i-00b51caa9f0d972ed> (0, '', '')
<i-00b51caa9f0d972ed> CLOSING SSM CONNECTION TO: i-xxxxxxx
The full traceback is:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ansible/executor/task_executor.py", line 147, in run
    res = self._execute()
  File "/usr/lib/python3.6/site-packages/ansible/executor/task_executor.py", line 665, in _execute
    result = self._handler.run(task_vars=variables)
  File "/usr/lib/python3.6/site-packages/ansible/plugins/action/normal.py", line 47, in run
    result = merge_hash(result, self._execute_module(task_vars=task_vars, wrap_async=wrap_async))
  File "/usr/lib/python3.6/site-packages/ansible/plugins/action/__init__.py", line 852, in _execute_module
    self._transfer_data(remote_module_path, module_data)
  File "/usr/lib/python3.6/site-packages/ansible/plugins/action/__init__.py", line 463, in _transfer_data
    self._transfer_file(afile, remote_path)
  File "/usr/lib/python3.6/site-packages/ansible/plugins/action/__init__.py", line 440, in _transfer_file
    self._connection.put_file(local_path, remote_path)
  File "/home/ssm-user/.ansible/collections/ansible_collections/community/aws/plugins/connection/aws_ssm.py", line 646, in put_file
    return self._file_transport_command(in_path, out_path, 'put')
  File "/home/ssm-user/.ansible/collections/ansible_collections/community/aws/plugins/connection/aws_ssm.py", line 241, in wrapped
    return_tuple = func(self, *args, **kwargs)
  File "/home/ssm-user/.ansible/collections/ansible_collections/community/aws/plugins/connection/aws_ssm.py", line 628, in _file_transport_command
    client.delete_object(Bucket=self.get_option('bucket_name'), Key=s3_path)
  File "/home/ssm-user/.local/lib/python3.6/site-packages/botocore/client.py", line 508, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/ssm-user/.local/lib/python3.6/site-packages/botocore/client.py", line 911, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the DeleteObject operation: Access Denied
fatal: [i-00b51caa9f0d972ed]: FAILED! => {
    "msg": "Unexpected failure during module execution.",
    "stdout": ""
}


ansibullbot commented 2 years ago

Files identified in the description: None

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


simon97k commented 1 year ago

I had a similar issue, Ansible via SSM using an S3 bucket worked fine but suddenly I had this access denied error. I fixed it by adding s3:DeleteObject to the Bucket Policy I was already using.

alinabuzachis commented 4 days ago

@peraltadavidtrvlx Please ensure that the s3:DeleteObject is added to the bucket policy. However, if you are still facing issues please feel free to open a new issue.
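Added example (not code from the issue, from community.aws or from AWS): a minimal evaluator for S3 bucket-policy statements that walks the three S3 calls the aws_ssm connection plugin makes for a file transfer, in the order the traceback shows them (PutObject for the upload, GetObject behind the presigned Invoke-WebRequest URL, DeleteObject for the cleanup), and reports the first one the bucket policy does not allow. The bucket name, role ARN and object-key layout are taken from the issue; both policy documents are constructed here to reproduce the symptom and the fix the two comments above describe, not copied from the reporter's account. Only Effect/Principal/Action/Resource with IAM-style wildcards are evaluated; NotAction, NotResource and Condition are out of scope.

```python
"""Why the aws_ssm plugin's DeleteObject call is refused, and what fixes it.

Constructed example: the policies below are illustrative, the evaluator is a
simplification of IAM (explicit Deny wins, otherwise any matching Allow wins,
otherwise implicit deny) and does not cover NotAction/NotResource/Condition.
"""
import fnmatch
import json

# Values from the issue (bucket, assumed role, object-key layout "<instance-id>/<path>").
BUCKET = "ssmsamplebucket-ireland"
ROLE_ARN = "arn:aws:iam::354840654034:role/tvx-test-runner-deploy"
OBJECT_KEY = "i-00b51caa9f0d972ed/C:/Windows/TEMP/ansible-tmp/AnsiballZ_win_command.ps1"

# S3 calls _file_transport_command makes for a `put`, in order.
TRANSPORT_ACTIONS = ("s3:PutObject", "s3:GetObject", "s3:DeleteObject")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(patterns, value):
    """IAM-style wildcard match: '*' any run, '?' one char (same as fnmatch)."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return _match(aws, caller_arn)


def evaluate(policy, caller_arn, action, resource_arn):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", {}), caller_arn):
            continue
        if not _match(stmt.get("Action", []), action):
            continue
        if not _match(stmt.get("Resource", []), resource_arn):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides every allow
        decision = "Allow"
    return decision


def check_transport(policy, caller_arn, bucket, key):
    """Evaluate each S3 call the plugin makes for one object; {action: decision}."""
    obj_arn = f"arn:aws:s3:::{bucket}/{key}"
    return {a: evaluate(policy, caller_arn, a, obj_arn) for a in TRANSPORT_ACTIONS}


def first_denied_step(policy, caller_arn, bucket, key):
    """The action the plugin would fail on, or None if the transfer completes."""
    for action, decision in check_transport(policy, caller_arn, bucket, key).items():
        if decision != "Allow":
            return action
    return None


# Constructed "before" policy: upload and presigned download work, delete was never granted.
POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnsibleSsmTransport",
        "Effect": "Allow",
        "Principal": {"AWS": ROLE_ARN},
        "Action": ["s3:PutObject", "s3:GetObject"],
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Fixed policy: the same statement with s3:DeleteObject added, as the comments advise.
POLICY_AFTER = json.loads(json.dumps(POLICY_BEFORE))
POLICY_AFTER["Statement"][0]["Action"].append("s3:DeleteObject")


if __name__ == "__main__":
    for label, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(label, check_transport(policy, ROLE_ARN, BUCKET, OBJECT_KEY),
              "fails at:", first_denied_step(policy, ROLE_ARN, BUCKET, OBJECT_KEY))
    print(json.dumps(POLICY_AFTER, indent=2))
```

The bucket policy is only half of a cross-account grant: the assumed role's own identity policy in account 354840654034 must also allow s3:PutObject, s3:GetObject and s3:DeleteObject on the bucket's objects, and the bucket's region (eu-west-1 here) plays no part in the decision, so the eu-west-1/ap-southeast-2 split in the report is not what produces the AccessDenied. Keeping the Resource scoped to the bucket's objects rather than `*` is the least-privilege form; the plugin never lists or deletes anything outside the keys it wrote.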