search

ansible-collections / community.aws

Ansible Collection for Community AWS
GNU General Public License v3.0
189 stars 399 forks source link

aws_ssm connection plugin: S3 Signed Url invalid for newly created S3 Bucket #637

Closed garethsaxby closed 2 years ago

garethsaxby commented 3 years ago

Summary

When I try to execute a playbook against an Amazon Linux 2 instance in EC2 using the aws_ssm connection plugin and a recently created (less than an hour old) S3 bucket, it fails to correctly download AnsiballZ_setup.py, resulting in a python syntax error " File \"/home/ssm-user/.ansible/tmp/ansible-tmp-1626190404.700778-20074-247496938615569/AnsiballZ_setup.py\", line 1\r\r\n <?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\r\n ^\r\r\nSyntaxError: invalid syntax\r\r",.

The curl is writing out the S3 XML error response to file, due to S3 returning a HTTP 307 redirect which the curl does not follow.

This HTTP 307 from S3 is expected, as per this AWS documentation, because the bucket is too new for the global S3 DNS to have propagated out yet, so a regional endpoint has to be used.

This overall seems similar to this issue, but is still happening for me when using the main branch of this repository where the fix has been applied.

I believe the underlying problem is that when the signed url is generated in the function _file_transport_command, it is a global URL rather than a regional URL:

For example, the URL below does not work and returns a 307; https://test-bucket-garethsaxby-20210713-153159.s3.amazonaws.com/i-089c1ec0c85524f5d//home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193/AnsiballZ_setup.py?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA5QGXVMSCMPOQVZH3%2F20210713%2Feu-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210713T151841Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=18d520a539227540bef2ba06a6000dd6569c868aeb4cc6ae042fb895e5e2f880

Whilst the URL below, redirected by the 307, -does- work; https://test-bucket-garethsaxby-20210713-153159.s3.eu-west-2.amazonaws.com/i-089c1ec0c85524f5d//home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193/AnsiballZ_setup.py?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA5QGXVMSCMPOQVZH3%2F20210713%2Feu-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210713T151841Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=18d520a539227540bef2ba06a6000dd6569c868aeb4cc6ae042fb895e5e2f880

If I force the plugin to use a regional endpoint for S3, and use a region when creating the client, as per my branch, it does work, albeit I'm not really sure -how- best to implement this to properly put a Pull Request together to fix the problem, given my branch feels like a really ugly hack.

Issue Type

Bug Report

Component Name

plugins/connection/aws_ssm

Ansible Version

ansible [core 2.11.2] 
  config file = None
  configured module search path = ['/Users/gsaxby/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/Cellar/ansible/4.2.0/libexec/lib/python3.9/site-packages/ansible
  ansible collection location = /Users/gsaxby/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.9.6 (default, Jun 29 2021, 06:20:32) [Clang 12.0.0 (clang-1200.0.32.29)]
  jinja version = 3.0.1
  libyaml = True

Collection Versions

# /Users/gsaxby/.ansible/collections/ansible_collections
Collection           Version
-------------------- -------
amazon.aws           1.5.0  
ansible.netcommon    1.3.0  
ansible.posix        1.1.1  
community.aws        1.5.0  # Actually has been taken from main; I have shared my requirements.yml later on
community.general    1.3.0  
community.kubernetes 1.0.0  
google.cloud         1.0.1  

# /usr/local/Cellar/ansible/4.2.0/libexec/lib/python3.9/site-packages/ansible_collections
Collection                    Version
----------------------------- -------
amazon.aws                    1.5.0  
ansible.netcommon             2.2.0  
ansible.posix                 1.2.0  
ansible.utils                 2.3.0  
ansible.windows               1.7.0  
arista.eos                    2.2.0  
awx.awx                       19.2.2 
azure.azcollection            1.7.0  
check_point.mgmt              2.0.0  
chocolatey.chocolatey         1.1.0  
cisco.aci                     2.0.0  
cisco.asa                     2.0.2  
cisco.intersight              1.0.15 
cisco.ios                     2.3.0  
cisco.iosxr                   2.3.0  
cisco.meraki                  2.4.2  
cisco.mso                     1.2.0  
cisco.nso                     1.0.3  
cisco.nxos                    2.4.0  
cisco.ucs                     1.6.0  
cloudscale_ch.cloud           2.2.0  
community.aws                 1.5.0  
community.azure               1.0.0  
community.crypto              1.7.1  
community.digitalocean        1.7.0  
community.docker              1.8.0  
community.fortios             1.0.0  
community.general             3.3.0  
community.google              1.0.0  
community.grafana             1.2.1  
community.hashi_vault         1.3.0  
community.hrobot              1.1.1  
community.kubernetes          1.2.1  
community.kubevirt            1.0.0  
community.libvirt             1.0.1  
community.mongodb             1.2.1  
community.mysql               2.1.0  
community.network             3.0.0  
community.okd                 1.1.2  
community.postgresql          1.3.0  
community.proxysql            1.0.0  
community.rabbitmq            1.0.3  
community.routeros            1.2.0  
community.skydive             1.0.0  
community.sops                1.1.0  
community.vmware              1.11.0 
community.windows             1.5.0  
community.zabbix              1.3.0  
containers.podman             1.6.1  
cyberark.conjur               1.1.0  
cyberark.pas                  1.0.7  
dellemc.enterprise_sonic      1.1.0  
dellemc.openmanage            3.5.0  
dellemc.os10                  1.1.1  
dellemc.os6                   1.0.7  
dellemc.os9                   1.0.4  
f5networks.f5_modules         1.10.1 
fortinet.fortimanager         2.1.2  
fortinet.fortios              2.1.1  
frr.frr                       1.0.3  
gluster.gluster               1.0.1  
google.cloud                  1.0.2  
hetzner.hcloud                1.4.3  
hpe.nimble                    1.1.3  
ibm.qradar                    1.0.3  
infinidat.infinibox           1.2.4  
inspur.sm                     1.2.0  
junipernetworks.junos         2.3.0  
kubernetes.core               1.2.1  
mellanox.onyx                 1.0.0  
netapp.aws                    21.2.0 
netapp.azure                  21.7.0 
netapp.cloudmanager           21.7.0 
netapp.elementsw              21.6.1 
netapp.ontap                  21.7.0 
netapp.um_info                21.6.0 
netapp_eseries.santricity     1.2.13 
netbox.netbox                 3.1.1  
ngine_io.cloudstack           2.1.0  
ngine_io.exoscale             1.0.0  
ngine_io.vultr                1.1.0  
openstack.cloud               1.5.0  
openvswitch.openvswitch       2.0.0  
ovirt.ovirt                   1.5.3  
purestorage.flasharray        1.8.0  
purestorage.flashblade        1.6.0  
sensu.sensu_go                1.11.1 
servicenow.servicenow         1.0.6  
splunk.es                     1.0.2  
t_systems_mms.icinga_director 1.18.0 
theforeman.foreman            2.1.1  
vyos.vyos                     2.3.1  
wti.remote                    1.0.1

AWS SDK versions

WARNING: Package(s) not found: boto
Name: boto3
Version: 1.17.110
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email: None
License: Apache License 2.0
Location: /usr/local/Cellar/ansible/4.2.0/libexec/lib/python3.9/site-packages
Requires: botocore, s3transfer, jmespath
Required-by: 
---
Name: botocore
Version: 1.20.110
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email: None
License: Apache License 2.0
Location: /usr/local/Cellar/ansible/4.2.0/libexec/lib/python3.9/site-packages
Requires: python-dateutil, urllib3, jmespath
Required-by: s3transfer, boto3

Configuration

INTERPRETER_PYTHON(/Users/gsaxby/Code/DOG/ansible-testing/ansible/ansible.cfg) = auto
INVENTORY_ENABLED(/Users/gsaxby/Code/DOG/ansible-testing/ansible/ansible.cfg) = ['amazon.aws.aws_ec2']

OS / Environment

Client: macOS Catalina 10.15.7, Ansible installed via Brew Remote: Amazon Linux 2, eu-west-2, ami-03ac5a9b225e99b02, amzn2-ami-hvm-2.0.20210701.0-x86_64-gp2

Steps to Reproduce

  1. Create a new S3 bucket. I believe this is crucial, as it needs to be returning 307's when using the global endpoint, as per this AWS knowledge centre article. 
    Region: eu-west-2
  2. Create the EC2 instance running the SSM agent. 
    Region: eu-west-2
AMI: ami-03ac5a9b225e99b02 (amzn2-ami-hvm-2.0.20210701.0-x86_64-gp2)
IAM Policy Attached: arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
Tags:
Name: ansible-ssm-testing
  3. Execute the ansible playbook as below:

requirements.yml:

---
collections:
- name: amazon.aws
  version: 1.5.0
- name: https://github.com/ansible-collections/community.aws.git
  type: git
  version: main

ansible.cfg:

[defaults]
interpreter_python = auto

[inventory]
enable_plugins = amazon.aws.aws_ec2

inventory.aws_ec2.yml:

# File name must end in `.aws_ec2.yml` otherwise the plugin will not read it
plugin: amazon.aws.aws_ec2
regions:
  - eu-west-2
filters:
  tag:Name: ansible-ssm-testing

playbook.yml

---
- hosts: all
  gather_facts: true
  vars:
    ansible_connection: aws_ssm
    ansible_aws_ssm_region: "eu-west-2"
    ansible_aws_ssm_instance_id: "{{ instance_id }}"
    ansible_aws_ssm_bucket_name: test-bucket-garethsaxby-20210713-153159
    ansible_python_interpreter: /usr/bin/python3
  tasks:
    - name: Ping Instance
      ansible.builtin.ping:
$ ansible-galaxy install -r requirements.yml --force
$ ansible-playbook -i inventory.aws_ec2.yml playbook.yml

Expected Results

I'm expecting the curl against the S3 signed URL on the remote host to pull down AnsiballZ_setup.py correctly and continue running the playbook, returning the ping successfully.

Actual Results

$ ansible-playbook -vvvv -i inventory.aws_ec2.yml playbook.yml
ansible-playbook [core 2.11.2] 
  config file = /Users/gsaxby/Code/DOG/ansible-testing/ansible/ansible.cfg
  configured module search path = ['/Users/gsaxby/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/Cellar/ansible/4.2.0/libexec/lib/python3.9/site-packages/ansible
  ansible collection location = /Users/gsaxby/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible-playbook
  python version = 3.9.6 (default, Jun 29 2021, 06:20:32) [Clang 12.0.0 (clang-1200.0.32.29)]
  jinja version = 3.0.1
  libyaml = True
Using /Users/gsaxby/Code/DOG/ansible-testing/ansible/ansible.cfg as config file
setting up inventory plugins
Loading collection amazon.aws from /Users/gsaxby/.ansible/collections/ansible_collections/amazon/aws
Parsed /Users/gsaxby/Code/DOG/ansible-testing/ansible/inventory.aws_ec2.yml inventory source with ansible_collections.amazon.aws.plugins.inventory.aws_ec2 plugin
Loading callback plugin default of type stdout, v2.0 from /usr/local/Cellar/ansible/4.2.0/libexec/lib/python3.9/site-packages/ansible/plugins/callback/default.py
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.

PLAYBOOK: playbook.yml ********************************************************************************************************************************************
Positional arguments: playbook.yml
verbosity: 4
connection: smart
timeout: 10
become_method: sudo
tags: ('all',)
inventory: ('/Users/gsaxby/Code/DOG/ansible-testing/ansible/inventory.aws_ec2.yml',)
forks: 5
1 plays in playbook.yml

PLAY [all] ********************************************************************************************************************************************************

TASK [Gathering Facts] ********************************************************************************************************************************************
task path: /Users/gsaxby/Code/DOG/ansible-testing/ansible/playbook.yml:2
redirecting (type: connection) ansible.builtin.aws_ssm to community.aws.aws_ssm
Loading collection community.aws from /Users/gsaxby/.ansible/collections/ansible_collections/community/aws
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> ESTABLISH SSM CONNECTION TO: i-089c1ec0c85524f5d
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> SSM COMMAND: ['/usr/local/bin/session-manager-plugin', '{"SessionId": "gareth-saxby-temp-072af2adf96185184", "TokenValue": "AAEAAQl1UTpN1tP3cQsnNCTUvKP/y0eAIq8BgKoOVgNzAN4aAAAAAGDtrs9TgYC1XyDzkw5Y6le3Wt9fzFIXrw2thaxAz8Gvts868wSMlpFm+M7syYnedzJfgOMUIxN9/PDA/ph9qL8qZocUy9IdVmBC9oO6Z/yQr94sVYVvWvVHGFY3k9O/9oO8Eklc4SN6r2pl2Mmj3bFKDxH1mbTv15Fks3ieMIiZyxahkg2rwCxFplua+nFlja3w9bQVl+LUXogw19V9MNjy2UrrUiXSMWhwKPPE6Y/VWOgZrNu72mg2mbvAvRKjCV+hZ2vBSt7WZ+gKfGV/U3yUAEEUtnNIsCJz3fAUPlZXUKnIVnviMNL0HnBZzE1YA3BwtbF8R0390a0dNuQuMqrTzrOHI4hJVL0oDBnMXAISZaJ1UUFJ4L5jYMuwVHa8dJA2d4w=", "StreamUrl": "wss://ssmmessages.eu-west-2.amazonaws.com/v1/data-channel/gareth-saxby-temp-072af2adf96185184?role=publish_subscribe", "ResponseMetadata": {"RequestId": "4c322e4e-e0c8-4384-92e3-323414253881", "HTTPStatusCode": 200, "HTTPHeaders": {"server": "Server", "date": "Tue, 13 Jul 2021 15:18:39 GMT", "content-type": "application/x-amz-json-1.1", "content-length": "642", "connection": "keep-alive", "x-amzn-requestid": "4c322e4e-e0c8-4384-92e3-323414253881"}, "RetryAttempts": 0}}', 'eu-west-2', 'StartSession', '', '{"Target": "i-089c1ec0c85524f5d"}', 'https://ssm.eu-west-2.amazonaws.com']
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> SSM CONNECTION ID: gareth-saxby-temp-072af2adf96185184
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC echo ~
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> _wrap_command: 'echo IlyexxlDYKICMeyOVUZQHcnTAj
echo ~
echo $'\n'$?
echo qIhbHBrlBzTeHjwGNvWljDHeGw
'
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: 
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: Starting session with SessionId: gareth-saxby-temp-072af2adf96185184
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: sh-4.2$ stty -echo
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: sh-4.2$ IlyexxlDYKICMeyOVUZQHcnTAj
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: /home/ssm-user
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: 
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: 0
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: qIhbHBrlBzTeHjwGNvWljDHeGw
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> POST_PROCESS: /home/ssm-user

0
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> (0, '/home/ssm-user\r\r', '')
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC ( umask 77 && mkdir -p "` echo /home/ssm-user/.ansible/tmp `"&& mkdir "` echo /home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193 `" && echo ansible-tmp-1626189520.659307-19800-45563405192193="` echo /home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193 `" )
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> _wrap_command: 'echo wzCNiIYognSiHXqfCJMBRaRvKS
( umask 77 && mkdir -p "` echo /home/ssm-user/.ansible/tmp `"&& mkdir "` echo /home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193 `" && echo ansible-tmp-1626189520.659307-19800-45563405192193="` echo /home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193 `" )
echo $'\n'$?
echo CqzxJpqOSlFCtzcRaDElqmzLuB
'
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: wzCNiIYognSiHXqfCJMBRaRvKS
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: ansible-tmp-1626189520.659307-19800-45563405192193=/home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: 
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: 0
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: CqzxJpqOSlFCtzcRaDElqmzLuB
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> POST_PROCESS: ansible-tmp-1626189520.659307-19800-45563405192193=/home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193

0
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> (0, 'ansible-tmp-1626189520.659307-19800-45563405192193=/home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193\r\r', '')
Using module file /usr/local/Cellar/ansible/4.2.0/libexec/lib/python3.9/site-packages/ansible/modules/setup.py
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> PUT /Users/gsaxby/.ansible/tmp/ansible-local-19794ck3x4sje/tmpyrhzimx3 TO /home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193/AnsiballZ_setup.py
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC curl 'https://test-bucket-garethsaxby-20210713-153159.s3.amazonaws.com/i-089c1ec0c85524f5d//home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193/AnsiballZ_setup.py?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA5QGXVMSCMPOQVZH3%2F20210713%2Feu-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210713T151841Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=18d520a539227540bef2ba06a6000dd6569c868aeb4cc6ae042fb895e5e2f880' -o '/home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193/AnsiballZ_setup.py'
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> _wrap_command: 'echo YBqOPfzvxcGDqXREpbYSUvrIeG
curl 'https://test-bucket-garethsaxby-20210713-153159.s3.amazonaws.com/i-089c1ec0c85524f5d//home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193/AnsiballZ_setup.py?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA5QGXVMSCMPOQVZH3%2F20210713%2Feu-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210713T151841Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=18d520a539227540bef2ba06a6000dd6569c868aeb4cc6ae042fb895e5e2f880' -o '/home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193/AnsiballZ_setup.py'
echo $'\n'$?
echo dfIOAXVAOIcrDMPKZdUkrKCwKw
'
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: YBqOPfzvxcGDqXREpbYSUvrIeG
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line:                                  Dload  Upload   Total   Spent    Left  Speed
100   509    0   509    0     0   1641      0 --:--:-- --:--:-- --:--:--  1641
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: 
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: 0
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: dfIOAXVAOIcrDMPKZdUkrKCwKw
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> POST_PROCESS:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   509    0   509    0     0   1641      0 --:--:-- --:--:-- --:--:--  1641

0
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> (0, '  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\r\r\n                                 Dload  Upload   Total   Spent    Left  Speed\r\r\n\r  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0\r100   509    0   509    0     0   1641      0 --:--:-- --:--:-- --:--:--  1641\r\r', '')
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> (0, '  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\r\r\n                                 Dload  Upload   Total   Spent    Left  Speed\r\r\n\r  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0\r100   509    0   509    0     0   1641      0 --:--:-- --:--:-- --:--:--  1641\r\r', '')
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC chmod u+x /home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193/ /home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193/AnsiballZ_setup.py
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> _wrap_command: 'echo xgTDBjuFPZtDfVuwGaZyflDWjV
chmod u+x /home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193/ /home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193/AnsiballZ_setup.py
echo $'\n'$?
echo xOHqRiUNImldbBrdKmcVWrfEEd
'
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: xgTDBjuFPZtDfVuwGaZyflDWjV
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: 
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: 0
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: xOHqRiUNImldbBrdKmcVWrfEEd
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> POST_PROCESS: 
0
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> (0, '\r', '')
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC /usr/bin/python3 /home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193/AnsiballZ_setup.py
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> _wrap_command: 'echo gzDaIZxdrfBqdBvcQHhExANgdr
sudo /usr/bin/python3 /home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193/AnsiballZ_setup.py
echo $'\n'$?
echo CtSWJSGjdVuhayekdfLdqRalyk
'
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: gzDaIZxdrfBqdBvcQHhExANgdr
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line:   File "/home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193/AnsiballZ_setup.py", line 1
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line:     <?xml version="1.0" encoding="UTF-8"?>
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line:     ^
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: SyntaxError: invalid syntax
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: 
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: 1
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: CtSWJSGjdVuhayekdfLdqRalyk
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> POST_PROCESS:   File "/home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193/AnsiballZ_setup.py", line 1
    <?xml version="1.0" encoding="UTF-8"?>
    ^
SyntaxError: invalid syntax

1
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> (1, '  File "/home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193/AnsiballZ_setup.py", line 1\r\r\n    <?xml version="1.0" encoding="UTF-8"?>\r\r\n    ^\r\r\nSyntaxError: invalid syntax\r\r', '')
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC rm -f -r /home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193/ > /dev/null 2>&1
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> _wrap_command: 'echo JARmCoxpzNaNaBblIFeROdZYey
rm -f -r /home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193/ > /dev/null 2>&1
echo $'\n'$?
echo BifmuhtspkBDKrtrAJmsOZBxKg
'
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: JARmCoxpzNaNaBblIFeROdZYey
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: 
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: 0
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> EXEC stdout line: BifmuhtspkBDKrtrAJmsOZBxKg
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> POST_PROCESS: 
0
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> (0, '\r', '')
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> CLOSING SSM CONNECTION TO: i-089c1ec0c85524f5d
<ec2-52-56-84-142.eu-west-2.compute.amazonaws.com> TERMINATE SSM SESSION: gareth-saxby-temp-072af2adf96185184
fatal: [ec2-52-56-84-142.eu-west-2.compute.amazonaws.com]: FAILED! => {
    "ansible_facts": {},
    "changed": false,
    "failed_modules": {
        "ansible.legacy.setup": {
            "failed": true,
            "module_stderr": "",
            "module_stdout": "  File \"/home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193/AnsiballZ_setup.py\", line 1\r\r\n    <?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\r\n    ^\r\r\nSyntaxError: invalid syntax\r\r",
            "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
            "rc": 1
        }
    },
    "msg": "The following modules failed to execute: ansible.legacy.setup\n"
}

PLAY RECAP ********************************************************************************************************************************************************
ec2-52-56-84-142.eu-west-2.compute.amazonaws.com : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

When I curl the signed URL from the remote instance using SSM Session Manager, I get the following response, showing that a 307 is being returned and I'm being redirected to the regional endpoint:

$ curl -i "https://test-bucket-garethsaxby-20210713-153159.s3.amazonaws.com/i-089c1ec0c85524f5d//home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193/AnsiballZ_setup.py?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA5QGXVMSCMPOQVZH3%2F20210713%2Feu-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210713T151841Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=18d520a539227540bef2ba06a6000dd6569c868aeb4cc6ae042fb895e5e2f880"
HTTP/1.1 307 Temporary Redirect
x-amz-bucket-region: eu-west-2
x-amz-request-id: 6077E9R1H8G7Z0S1
x-amz-id-2: OU6kvbWvdu79rmzjEa8YpVK8z1X5J0y1axM9o0bsEvQyA6vvdY+xZZDJFdUwez4leqMV5UUzxUw=
Location: https://test-bucket-garethsaxby-20210713-153159.s3.eu-west-2.amazonaws.com/i-089c1ec0c85524f5d//home/ssm-user/.ansible/tmp/ansible-tmp-1626189520.659307-19800-45563405192193/AnsiballZ_setup.py?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA5QGXVMSCMPOQVZH3%2F20210713%2Feu-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210713T151841Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=18d520a539227540bef2ba06a6000dd6569c868aeb4cc6ae042fb895e5e2f880
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Tue, 13 Jul 2021 15:21:02 GMT
Server: AmazonS3

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>TemporaryRedirect</Code><Message>Please re-send this request to the specified temporary endpoint. Continue to use the original request endpoint for future requests.</Message><Endpoint>test-bucket-garethsaxby-20210713-153159.s3.eu-west-2.amazonaws.com</Endpoint><Bucket>test-bucket-garethsaxby-20210713-153159</Bucket><RequestId>6077E9R1H8G7Z0S1</RequestId><HostId>OU6kvbWvdu79rmzjEa8YpVK8z1X5J0y1axM9o0bsEvQyA6vvdY+xZZDJFdUwez4leqMV5UUzxUw=</HostId></Error>

Code of Conduct

ansibullbot commented 3 years ago

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

click here for bot help

garethsaxby commented 3 years ago

Closing this temporarily as I think I need to revisit some of this first, apologies!

To be more specific; the errors are still happening, but my determination of the cause may not be right, and I want to dig into that more before someone else starts looking.

EDIT: I've reopened the issue now, as I've realised that I was just confusing myself a bit reading the fix I'd hacked together myself. The issue is still present when using the latest main from this repository.

ansibullbot commented 3 years ago

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

click here for bot help

markuman commented 3 years ago

@garethsaxby thx for the detailed report!

Sadly I'm not familiar with ssm connection plugin.

If I force the plugin to use a regional endpoint for S3, and use a region when creating the client, as per my branch, it does work, albeit I'm not really sure -how- best to implement this to properly put a Pull Request together to fix the problem, given my branch feels like a really ugly hack.

There is a similar PR (not merged yet) that introduce a bucket_region parameter: https://github.com/ansible-collections/community.aws/pull/603/files#diff-8000d7fb9262e11565b61882567d729fe0958cd9b1a0105683d5bbe0e5b4e585R51
You can try to introduce that too

        if bucket_region:
            client = session.client(
                service,
                config=Config(signature_version="s3v4"),
                endpoint_url=f'https://s3.{bucket_region}.amazonaws.com'
            )
        else:
            client = session.client(
                service,
                config=Config(signature_version="s3v4")
            )
atul-chegg commented 3 years ago

I also confirm this issue. I think a issue fix would be to use '-L' option with curl.

ryancabrera commented 2 years ago

I'm definitely having issues with bucket regions and encrypted buckets too.

bodnarbm commented 2 years ago

I hit this issue yesterday when attempting to use the aws ssm connection with using a newly created bucket in us-east-2 yesterday. Can we reopen this issue?

The referenced PR in the close action above (https://github.com/ansible-collections/community.aws/pull/1176) does not seem to resolve this particular issue. That PR was targeting a fix for pulling the region information for the S3 bucket used for SSM file transfers from the bucket metadata itself, but the pre-signed URLs generated for the S3 downloads are still pointing at the global S3 endpoint, and not the region specific one.

Thus, attempting to use the ssm plugin with a newly created transfer bucket in a region like us-east-2 continues to return the presigned URLs targeting the global S3 endpoint, which results in the 307 redirect to the regional endpoint, which then causes the presigned URL to fail with a signature mismatch error as the url was signed for the global endpoint and not the regional endpoint. I believe that #1190 needs to be further addressed to resolve this issue.

charles-paul-mox commented 2 years ago

Hi @bodnarbm please see https://github.com/ansible-collections/community.aws/pull/743/files to use virtual addressing. There is a PR from @phene but that relies on a hardcoded region to be defined.

bodnarbm commented 2 years ago

@charles-paul-mox Thank you, but that pr looks to be closed unmerged and I would prefer to not patch the plugin separately (if I was I would probably add the s3 client endpoint url as a separate variable, that way I could also get it to work with other endpoints also (like fips endpoints))

I'm hoping that someone like @tremble could reopen this issue though.

charles-paul-mox commented 2 years ago

Yes, I cannot merge PRs due to company policies. The virtual addressing is the important part.

phene commented 2 years ago

@charles-paul-mox My PR doesn't rely on a hard-coded region unless you are using a non-default partition like GovCloud. It uses the default global region just to query information about the S3 bucket's region, then uses the bucket's region from there on.

piotrkochan commented 1 year ago

Any real resolution to this problem? I'm using 5.1.0 release and there is still issue with AnsiballZ file:

sh-4.2$ cat AnsiballZ_yum.py
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>TemporaryRedirect</Code><Message>Please re-send this request to the specified temporary endpoint. Continue to use the original request endpoint for future requests.</Message><Endpoint>testbucketkochan.s3.eu-west-3.amazonaws.com</Endpoint><Bucket>testbucketkochan</Bucket><RequestId>W5B7ZAZZ........</RequestId><HostId>DR//pSU97KgA8ZLVD/............................+lC/xwAuIBO/W4RuWIXqyFp+MZj0ZuI=</HostId><sh-4.2$
ThilinaPrasad commented 1 year ago

Any solution for this ?

ThilinaPrasad commented 1 year ago

Cause: This is mainly because of the TemporaryRedirect error from AWS s3 with the resigned URL. due to this when we transfer the setup.py file from host to remote it will download with below content on the remote.

<?xml version="1.0" encoding="UTF-8"?>

TemporaryRedirectPlease re-send this request to the specified temporary endpoint. Continue to use the original request endpoint for future requests.enactortestssm123.s3.us-east-2.amazonaws.comenactortestssm123RZYTVTWNVV6V0ET1jDf+7m1brAHn98LcbqJXDHfraqX5i4DadfixrNM+qqEu3abyB67zLMYK9o/+6lU+Y3jwg/KtQ30=

to avoid this you can modify _get_boto_client() function client initializing as below to support addressing_style virtual for s3. Thanks! Feel free to correct me.

client = session.client( service, config=Config(signature_version="s3v4", s3={'addressing_style': 'virtual'}) )