ansible-collections / community.aws

Ansible Collection for Community AWS
GNU General Public License v3.0

'community.aws.aws_ssm' connection will not change/become user (root) #2103

Open jordanjthomas opened 4 months ago

jordanjthomas commented 4 months ago

Summary

Cannot get the 'community.aws.aws_ssm' connection to 'become' any other user when connecting to an EC2 instance via SSM. In this scenario the user will not become 'root'. I can connect to the target host fine, but any attempt to become root fails. Example tests:

```yaml
- name: Run 'whoami' command
  become: true
  vars:
    ansible_aws_ssm_access_key_id: "{{ ansible_access_key }}"
    ansible_aws_ssm_secret_access_key: "{{ ansible_secret_key }}"
    ansible_aws_ssm_session_token: "{{ ansible_session_token }}"
  ansible.builtin.command: whoami
  register: whoami_output

- name: Run 'whoami' command again
  become: true
  become_user: root
  vars:
    ansible_aws_ssm_access_key_id: "{{ ansible_access_key }}"
    ansible_aws_ssm_secret_access_key: "{{ ansible_secret_key }}"
    ansible_aws_ssm_session_token: "{{ ansible_session_token }}"
  ansible.builtin.command: whoami
  register: whoami_output
```

The results of these and other tests all come back the same: user being 'ssm_user'. The 'ssm_user' definitely does have the permission to elevate to root and can do so manually on the instance fine.

Issue Type

Bug Report

Component Name

community.aws.aws_ssm

Ansible Version

ansible-playbook [core 2.15.12]
  config file = /runner/project/ansible.cfg
  configured module search path = ['/runner/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
  ansible collection location = /runner/requirements_collections:/runner/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible-playbook
  python version = 3.9.18 (main, Jan 24 2024, 00:00:00) [GCC 11.4.1 20231218 (Red Hat 11.4.1-3)] (/usr/bin/python3)
  jinja version = 3.1.4
  libyaml = True

Collection Versions

      - name: awx.awx
      - name: azure.azcollection
      - name: amazon.aws
      - name: community.vmware
      - name: ansible.posix
      - name: ansible.windows
      - name: community.general
      - name: community.aws

AWS SDK versions

'botocore>=1.29.0,>=1.29.0  # from collection amazon.aws,community.aws'
'boto3>=1.26.0,>=1.26.0  # from collection amazon.aws,community.aws'

OS / Environment

No response

Steps to Reproduce

```yaml
- name: Run 'whoami' command
  become: true
  vars:
    ansible_aws_ssm_access_key_id: "{{ ansible_access_key }}"
    ansible_aws_ssm_secret_access_key: "{{ ansible_secret_key }}"
    ansible_aws_ssm_session_token: "{{ ansible_session_token }}"
  ansible.builtin.command: whoami
  register: whoami_output

- name: Run 'whoami' command again
  become: true
  become_user: root
  vars:
    ansible_aws_ssm_access_key_id: "{{ ansible_access_key }}"
    ansible_aws_ssm_secret_access_key: "{{ ansible_secret_key }}"
    ansible_aws_ssm_session_token: "{{ ansible_session_token }}"
  ansible.builtin.command: whoami
  register: whoami_output
```

Expected Results

I expected the tasks to show the user as 'root'

Actual Results

```json
  "stdout": "ssm-user"
```

jordanjthomas commented 3 months ago

@psharkey Sorry for tagging, but is this a known issue with the connection plugin?

jay-lark commented 2 months ago

I am seeing this as well when running in AWX with Ansible core 2.15.12 or 2.16.8 with the community.aws collections in 7.x and 8.x.

Interestingly, the exact same playbook works with the same credentials when running on my laptop with ansible 2.16.8 and collection 7.2.0 or 8.0.0.

vikas-falconx commented 1 month ago

Is there a workaround for this? Or can someone please pick this up and fix it? I see that this has been changed in the latest version: https://github.com/ansible-collections/community.aws/blob/5.5.1/plugins/connection/aws_ssm.py#L674-L675

jordanjthomas commented 1 month ago

I don't know if this helps people, but in my case I'm using AWX and found a workaround.

I needed to create a machine credential for the job template with the username of 'admin' and no password required. This then allowed 'become' to work. Without that, become would not cause any changes to user after SSM connection. Quite annoying.
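The failure mode described in this thread is silent: tasks keep running as the SSM session user and nothing errors. The following diagnostic playbook is an added example (not from the issue author or the collection) that makes the problem visible by comparing the session user with the user seen under `become` and failing the run if privilege escalation did not take effect. It assumes an inventory group `ssm_hosts`, an S3 bucket name and region for the plugin's file transfers, and AWS credentials already available in the environment.

```yaml
# Added diagnostic playbook; names, region and bucket are assumptions.
- name: Verify that become actually takes effect over aws_ssm
  hosts: ssm_hosts                          # assumed inventory group
  gather_facts: false
  vars:
    ansible_connection: community.aws.aws_ssm
    ansible_aws_ssm_region: us-east-1                     # assumed region
    ansible_aws_ssm_bucket_name: EXAMPLE-ssm-transfer-bucket  # placeholder
  tasks:
    - name: Record the user the SSM session runs as (no become)
      ansible.builtin.command: id -un
      changed_when: false
      register: session_user

    - name: Record the user seen with become enabled
      ansible.builtin.command: id -un
      become: true
      become_user: root
      changed_when: false
      register: elevated_user

    - name: Fail loudly instead of silently running tasks as the session user
      ansible.builtin.assert:
        that:
          - elevated_user.stdout == 'root'
        fail_msg: >-
          become did not take effect over aws_ssm: session user is
          '{{ session_user.stdout }}', become user is '{{ elevated_user.stdout }}'.
          Check the connection plugin version and, on AWX, the machine
          credential attached to the job template.
        success_msg: "become works: {{ session_user.stdout }} -> {{ elevated_user.stdout }}"
```

Running this before any privileged tasks turns the silent wrong-user condition into an explicit assertion failure, which is easier to spot in AWX job output than a later permission error.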