ansible-collections / community.aws

Ansible Collection for Community AWS
GNU General Public License v3.0

AWS Secrets Manager Fails on Lookup #1746

Closed genio closed 1 year ago

genio commented 1 year ago

Summary

When I try to gather a secret from AWS in a simple playbook, it fails as seen in the copy/paste below.

I'm on macOS Ventura 13.2.

Any help or insight into what I'm not doing correctly would be appreciated.

Issue Type

Bug Report

Component Name

amazon.aws.aws_secret

Ansible Version

% ansible --version
ansible [core 2.14.3]
  config file = /Users/foo/genio/is-ansible/ansible.cfg
  configured module search path = ['/Users/foo/genio/is-ansible/library']
  ansible python module location = /Users/foo/.pyenv/versions/3.10.2/lib/python3.10/site-packages/ansible
  ansible collection location = /Users/foo/.ansible/collections:/usr/share/ansible/collections
  executable location = /Users/foo/.pyenv/versions/3.10.2/bin/ansible
  python version = 3.10.2 (main, Mar 10 2022, 18:10:55) [Clang 13.0.0 (clang-1300.0.29.30)] (/Users/foo/.pyenv/versions/3.10.2/bin/python)
  jinja version = 3.1.2
  libyaml = True

Collection Versions

% ansible-galaxy collection list

# /Users/foo/.ansible/collections/ansible_collections
Collection         Version
------------------ -------
amazon.aws         5.3.0
ansible.windows    1.13.0
community.general  5.1.1
crowdstrike.falcon 3.2.27

# /Users/foo/.pyenv/versions/3.10.2/lib/python3.10/site-packages/ansible_collections
Collection                    Version
----------------------------- -------
amazon.aws                    5.2.0
ansible.netcommon             4.1.0
ansible.posix                 1.5.1
ansible.utils                 2.9.0
ansible.windows               1.13.0
arista.eos                    6.0.0
awx.awx                       21.12.0
azure.azcollection            1.14.0
check_point.mgmt              4.0.0
chocolatey.chocolatey         1.4.0
cisco.aci                     2.4.0
cisco.asa                     4.0.0
cisco.dnac                    6.6.3
cisco.intersight              1.0.23
cisco.ios                     4.3.1
cisco.iosxr                   4.1.0
cisco.ise                     2.5.12
cisco.meraki                  2.15.1
cisco.mso                     2.2.1
cisco.nso                     1.0.3
cisco.nxos                    4.1.0
cisco.ucs                     1.8.0
cloud.common                  2.1.2
cloudscale_ch.cloud           2.2.4
community.aws                 5.2.0
community.azure               2.0.0
community.ciscosmb            1.0.5
community.crypto              2.11.0
community.digitalocean        1.23.0
community.dns                 2.5.1
community.docker              3.4.2
community.fortios             1.0.0
community.general             6.4.0
community.google              1.0.0
community.grafana             1.5.4
community.hashi_vault         4.1.0
community.hrobot              1.7.0
community.libvirt             1.2.0
community.mongodb             1.5.1
community.mysql               3.6.0
community.network             5.0.0
community.okd                 2.3.0
community.postgresql          2.3.2
community.proxysql            1.5.1
community.rabbitmq            1.2.3
community.routeros            2.7.0
community.sap                 1.0.0
community.sap_libs            1.4.0
community.skydive             1.0.0
community.sops                1.6.1
community.vmware              3.4.0
community.windows             1.12.0
community.zabbix              1.9.2
containers.podman             1.10.1
cyberark.conjur               1.2.0
cyberark.pas                  1.0.17
dellemc.enterprise_sonic      2.0.0
dellemc.openmanage            6.3.0
dellemc.os10                  1.1.1
dellemc.os6                   1.0.7
dellemc.os9                   1.0.4
dellemc.powerflex             1.5.0
dellemc.unity                 1.5.0
f5networks.f5_modules         1.22.1
fortinet.fortimanager         2.1.7
fortinet.fortios              2.2.2
frr.frr                       2.0.0
gluster.gluster               1.0.2
google.cloud                  1.1.2
grafana.grafana               1.1.1
hetzner.hcloud                1.10.0
hpe.nimble                    1.1.4
ibm.qradar                    2.1.0
ibm.spectrum_virtualize       1.11.0
infinidat.infinibox           1.3.12
infoblox.nios_modules         1.4.1
inspur.ispim                  1.3.0
inspur.sm                     2.3.0
junipernetworks.junos         4.1.0
kubernetes.core               2.4.0
lowlydba.sqlserver            1.3.1
mellanox.onyx                 1.0.0
netapp.aws                    21.7.0
netapp.azure                  21.10.0
netapp.cloudmanager           21.22.0
netapp.elementsw              21.7.0
netapp.ontap                  22.3.0
netapp.storagegrid            21.11.1
netapp.um_info                21.8.0
netapp_eseries.santricity     1.4.0
netbox.netbox                 3.11.0
ngine_io.cloudstack           2.3.0
ngine_io.exoscale             1.0.0
ngine_io.vultr                1.1.3
openstack.cloud               1.10.0
openvswitch.openvswitch       2.1.0
ovirt.ovirt                   2.4.1
purestorage.flasharray        1.17.0
purestorage.flashblade        1.10.0
purestorage.fusion            1.3.0
sensu.sensu_go                1.13.2
splunk.es                     2.1.0
t_systems_mms.icinga_director 1.32.0
theforeman.foreman            3.9.0
vmware.vmware_rest            2.2.0
vultr.cloud                   1.7.0
vyos.vyos                     4.0.0
wti.remote                    1.0.4

AWS SDK versions

% pip show boto boto3 botocore
Name: boto
Version: 2.49.0
Summary: Amazon Web Services Library
Home-page: https://github.com/boto/boto/
Author: Mitch Garnaat
Author-email: mitch@garnaat.com
License: MIT
Location: /Users/foo/.pyenv/versions/3.10.2/lib/python3.10/site-packages
Requires:
Required-by:
---
Name: boto3
Version: 1.26.87
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /Users/foo/.pyenv/versions/3.10.2/lib/python3.10/site-packages
Requires: botocore, jmespath, s3transfer
Required-by:
---
Name: botocore
Version: 1.29.87
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /Users/foo/.pyenv/versions/3.10.2/lib/python3.10/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: boto3, s3transfer

Configuration

% ansible-config dump --only-changed 
CONFIG_FILE() = /Users/foo/genio/apo-ansible/ansible.cfg
DEFAULT_HOST_LIST(/Users/foo/genio/apo-ansible/ansible.cfg) = ['/Users/foo/genio/apo-ansible/hosts.yml']
DEFAULT_JINJA2_NATIVE(/Users/foo/genio/apo-ansible/ansible.cfg) = True
DEFAULT_MODULE_PATH(/Users/foo/genio/apo-ansible/ansible.cfg) = ['/Users/foo/genio/apo-ansible/library']
DEFAULT_MODULE_UTILS_PATH(/Users/foo/genio/apo-ansible/ansible.cfg) = ['/Users/foo/genio/apo-ansible/module_utils']
DEFAULT_REMOTE_USER(/Users/foo/genio/apo-ansible/ansible.cfg) = root
DEFAULT_ROLES_PATH(/Users/foo/genio/apo-ansible/ansible.cfg) = ['/Users/foo/genio/apo-ansible/roles']

OS / Environment

Target OS: AlmaLinux 8

Steps to Reproduce

---
- hosts: all
  vars:
    # vars as a mapping rather than a list of single-key dicts
    aws_profile: APO
    # lookups run on the controller, so the AWS credentials/profile must be available there
    jira: "{{ lookup('amazon.aws.aws_secret', 'jira') }}"
  tasks:
    - name: lookup
      # debug takes no free-form argument; the text goes under msg
      debug:
        msg: "Got {{ jira }}"

Expected Results

I expected:

% aws secretsmanager --profile=APO get-secret-value --secret-id=jira                                  
{
    "ARN": "arn:aws:secretsmanager:us-west-2:REDACTED:secret:jira-FOOOOOO",
    "Name": "jira",
    "VersionId": "REDACTED",
    "SecretString": "{    \"some_key\": {  \"foo\": \"bar\"} }",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": "2023-03-09T08:52:33.609000-05:00"
}

Actual Results

% ansible-playbook --limit=some_server.fqdn secrets.yml

PLAY [all] *********************************************************************************************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************************************************************************************
ok: [some_server.fqdn]

TASK [lookup] ******************************************************************************************************************************************************************************
objc[14320]: +[__NSCFConstantString initialize] may have been in progress in another thread when fork() was called.
objc[14320]: +[__NSCFConstantString initialize] may have been in progress in another thread when fork() was called. We cannot safely call it or ignore it in the fork() child process. Crashing instead. Set a breakpoint on objc_initializeAfterForkError to debug.
ERROR! A worker was found in a dead state


genio commented 1 year ago

I think I found the answer here: https://github.com/ansible/ansible/issues/32499#issuecomment-341578864

export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
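The fork-safety variable above only lets the worker survive; what the playbook then receives is the `SecretString` from the `get-secret-value` response shown under Expected Results. The following is an added example, not code from amazon.aws or this issue, that unpacks such a response the way a playbook would consume it (JSON-decoding a string secret, base64-decoding a binary one) and shows a redacted form suitable for a `debug` task so the secret itself never lands in task output. The sample response is constructed from the shape on this page; its ARN account id and VersionId are placeholders, and `secret_value` / `redact_for_log` are names chosen here, not the lookup plugin's API.

```python
"""Added example (not amazon.aws code): read a Secrets Manager
get-secret-value response the way a playbook consumes the lookup result."""
import base64
import json

# Constructed sample mirroring the CLI output in the issue; the account id
# and VersionId are placeholders, not real values.
SAMPLE_RESPONSE = {
    "ARN": "arn:aws:secretsmanager:us-west-2:REDACTED:secret:jira-FOOOOOO",
    "Name": "jira",
    "VersionId": "REDACTED",
    "SecretString": "{    \"some_key\": {  \"foo\": \"bar\"} }",
    "VersionStages": ["AWSCURRENT"],
    "CreatedDate": "2023-03-09T08:52:33.609000-05:00",
}


def secret_value(response, decode_json=True):
    """Return the secret payload from a get-secret-value response.

    A string secret comes back as a dict when it is valid JSON and
    decode_json is set, otherwise as the raw str. A binary secret comes
    back as bytes (the CLI's JSON carries it base64-encoded; boto3 already
    hands over bytes, and both forms are accepted here).
    """
    if "SecretString" in response:
        raw = response["SecretString"]
        if decode_json:
            try:
                return json.loads(raw)
            except json.JSONDecodeError:
                return raw  # plain-text secret, not JSON
        return raw
    if "SecretBinary" in response:
        blob = response["SecretBinary"]
        if isinstance(blob, str):
            return base64.b64decode(blob)
        return blob
    raise KeyError("response carries neither SecretString nor SecretBinary")


def redact_for_log(value):
    """Shape-preserving placeholder: keeps keys/structure so a debug task
    can confirm what was fetched without printing the secret itself."""
    if isinstance(value, dict):
        return {k: redact_for_log(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact_for_log(v) for v in value]
    return "***"


if __name__ == "__main__":
    jira = secret_value(SAMPLE_RESPONSE)
    print("Got", redact_for_log(jira))  # prints Got {'some_key': {'foo': '***'}}
```

With `DEFAULT_JINJA2_NATIVE = True` as in the reporter's config, a JSON-looking string may already arrive as a mapping on the Ansible side; `secret_value` accepts both the string and the already-decoded form only in the sense that a non-JSON string is passed through unchanged, so check the type of what the lookup returns before indexing into it.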