Closed andyshinn closed 1 year ago
I've run into this as well -- it appears that ssm is invoking python with sudo every single time, which is not ideal. I've tried:

become: false

and

become: true
become_user: someone_else

and they appear to have no effect. Of course if I remove ssm-user's ability to sudo, the command fails (and waits forever for output that never arrives).
(edit) By default, the user always does seem to be root, regardless of ansible_user. I discovered the below works given a caveat.

become: true
become_user: someone_else

If ansible_user is set, the Become plugin will not work if ansible_user == become_user, https://github.com/ansible/ansible/blob/v2.13.2/lib/ansible/plugins/action/__init__.py#L1287.

buser != ruser

For ansible-core < 2.13, ansible_user was being inferred and interpreted as the locally running user, e.g. mtraynham, which works for me, because mtraynham != ubuntu. For ansible-core >= 2.13, this was fixed and started accepting the defined inventory ansible_user; I had previously set ansible_user = 'ubuntu', therefore ansible_user == become_user and it was ignoring the become.

Thus, with AWS SSM, avoid using ansible_user because it's ignored and always uses root. become_user works with the sudo become plugin.

The documentation below is my prior findings.
However, using community.aws==4.0.0, the following works with ansible-core==2.12.7, but not with ansible-core>=2.13.0.

become: true
become_user: someone_else

I'm not sure where the change is in the upstream ansible project, but I suspect it must have to do with either the sudo Become plugin or the ConnectionBase plugin. It seems as if the sudo become plugin is entirely disabled or just not annotating the request.

Using the following:

ansible amd64 --become --become-user=ubuntu -a "whoami" -vvvvv
On 2.12.7, I see:
<amd64> EXEC stdout line: yGRnJaHsrnCiXmXASnyqakmwVH
<amd64> EXEC stdout line: % Total % Received % Xferd Average Speed Time Time Time Current
<amd64> EXEC stdout line: Dload Upload Total Spent Left Speed
100 128k 100 128k 0 0 1397k 0 --:--:-- --:--:-- --:--:-- 1397k
<amd64> EXEC stdout line:
<amd64> EXEC stdout line: 0
<amd64> EXEC stdout line: qrzrHWzbluDBJfSlfWNkFbjpbN
<amd64> POST_PROCESS: % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 128k 100 128k 0 0 1397k 0 --:--:-- --:--:-- --:--:-- 1397k
0
<amd64> (0, ' % Total % Received % Xferd Average Speed Time Time Time Current\r\r\n Dload Upload Total Spent Left Speed\r\r\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 128k 100 128k 0 0 1397k 0 --:--:-- --:--:-- --:--:-- 1397k\r\r', '')
<amd64> (0, ' % Total % Received % Xferd Average Speed Time Time Time Current\r\r\n Dload Upload Total Spent Left Speed\r\r\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 128k 100 128k 0 0 1397k 0 --:--:-- --:--:-- --:--:-- 1397k\r\r', '')
<amd64> EXEC setfacl -m u:ubuntu:r-x /tmp/ansible-tmp-1659627381.462407-31860-131736441176707/ /tmp/ansible-tmp-1659627381.462407-31860-131736441176707/AnsiballZ_command.py
<amd64> _wrap_command: 'echo lrVPiGTEJVHVyHQnqssjWExZWB
setfacl -m u:ubuntu:r-x /tmp/ansible-tmp-1659627381.462407-31860-131736441176707/ /tmp/ansible-tmp-1659627381.462407-31860-131736441176707/AnsiballZ_command.py
echo $'\n'$?
echo KeQxBOMAEzlwIoBrTBPsuwhaiQ
'
<amd64> EXEC stdout line: lrVPiGTEJVHVyHQnqssjWExZWB
<amd64> EXEC stdout line:
<amd64> EXEC stdout line: 0
<amd64> EXEC stdout line: KeQxBOMAEzlwIoBrTBPsuwhaiQ
<amd64> POST_PROCESS:
0
<amd64> (0, '\r', '')
<amd64> EXEC sudo -H -S -n -u ubuntu /bin/sh -c 'echo BECOME-SUCCESS-filhtipqgimnwqijkutggcaqsbkedsje ; /usr/bin/python3 /tmp/ansible-tmp-1659627381.462407-31860-131736441176707/AnsiballZ_command.py'
<amd64> _wrap_command: 'echo RTuXRTjmLqlSOcYlinIPXltvzK
sudo sudo -H -S -n -u ubuntu /bin/sh -c 'echo BECOME-SUCCESS-filhtipqgimnwqijkutggcaqsbkedsje ; /usr/bin/python3 /tmp/ansible-tmp-1659627381.462407-31860-131736441176707/AnsiballZ_command.py'
echo $'\n'$?
echo cgxtpYBvgeezTlZKIwIbzIZotk
'
<amd64> EXEC stdout line: RTuXRTjmLqlSOcYlinIPXltvzK
<amd64> EXEC stdout line: BECOME-SUCCESS-filhtipqgimnwqijkutggcaqsbkedsje
<amd64> EXEC stdout line:
<amd64> EXEC stdout line: {"changed": true, "stdout": "ubuntu", "stderr": "", "rc": 0, "cmd": ["whoami"], "start": "2022-08-04 15:36:24.039039", "end": "2022-08-04 15:36:24.042784", "delta": "0:00:00.003745", "msg": "", "invocation": {"module_args": {"_raw_params": "whoami", "_uses_shell": false, "warn": false, "stdin_add_newline": true, "strip_empty_ends": true, "argv": null, "chdir": null, "executable": null, "creates": null, "removes": null, "stdin": null}}}
<amd64> EXEC stdout line:
<amd64> EXEC stdout line: 0
<amd64> EXEC stdout line: cgxtpYBvgeezTlZKIwIbzIZotk
<amd64> POST_PROCESS: BECOME-SUCCESS-filhtipqgimnwqijkutggcaqsbkedsje
{"changed": true, "stdout": "ubuntu", "stderr": "", "rc": 0, "cmd": ["whoami"], "start": "2022-08-04 15:36:24.039039", "end": "2022-08-04 15:36:24.042784", "delta": "0:00:00.003745", "msg": "", "invocation": {"module_args": {"_raw_params": "whoami", "_uses_shell": false, "warn": false, "stdin_add_newline": true, "strip_empty_ends": true, "argv": null, "chdir": null, "executable": null, "creates": null, "removes": null, "stdin": null}}}
0
<amd64> (0, 'BECOME-SUCCESS-filhtipqgimnwqijkutggcaqsbkedsje\r\r\n\r\r\n{"changed": true, "stdout": "ubuntu", "stderr": "", "rc": 0, "cmd": ["whoami"], "start": "2022-08-04 15:36:24.039039", "end": "2022-08-04 15:36:24.042784", "delta": "0:00:00.003745", "msg": "", "invocation": {"module_args": {"_raw_params": "whoami", "_uses_shell": false, "warn": false, "stdin_add_newline": true, "strip_empty_ends": true, "argv": null, "chdir": null, "executable": null, "creates": null, "removes": null, "stdin": null}}}\r\r', '')
<amd64> EXEC rm -f -r /tmp/ansible-tmp-1659627381.462407-31860-131736441176707/ > /dev/null 2>&1
<amd64> _wrap_command: 'echo tlJKzYxkcNbutfjSmaztdWxQOn
rm -f -r /tmp/ansible-tmp-1659627381.462407-31860-131736441176707/ > /dev/null 2>&1
echo $'\n'$?
echo QBdNfHbHZvFADEaQDwEyUKEHRe
'
<amd64> EXEC stdout line: tlJKzYxkcNbutfjSmaztdWxQOn
<amd64> EXEC stdout line:
<amd64> EXEC stdout line: 0
<amd64> EXEC stdout line: QBdNfHbHZvFADEaQDwEyUKEHRe
<amd64> POST_PROCESS:
0
<amd64> (0, '\r', '')
<amd64> CLOSING SSM CONNECTION TO: i-foooobarrrrrrr
<amd64> TERMINATE SSM SESSION: 1659627378415358908-0be982b51e3d599b3
amd64 | CHANGED | rc=0 >>
ubuntu
But with 2.13.0, I see:
<amd64> EXEC stdout line: xzMuUzMNqHwHpSbJfaBWyxHlXk
<amd64> EXEC stdout line: % Total % Received % Xferd Average Speed Time Time Time Current
<amd64> EXEC stdout line: Dload Upload Total Spent Left Speed
100 129k 100 129k 0 0 1820k 0 --:--:-- --:--:-- --:--:-- 1846k
<amd64> EXEC stdout line:
<amd64> EXEC stdout line: 0
<amd64> EXEC stdout line: fRriafsHDbKxlsNXflrsRfNkFp
<amd64> POST_PROCESS: % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 129k 100 129k 0 0 1820k 0 --:--:-- --:--:-- --:--:-- 1846k
0
<amd64> (0, ' % Total % Received % Xferd Average Speed Time Time Time Current\r\r\n Dload Upload Total Spent Left Speed\r\r\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 129k 100 129k 0 0 1820k 0 --:--:-- --:--:-- --:--:-- 1846k\r\r', '')
<amd64> (0, ' % Total % Received % Xferd Average Speed Time Time Time Current\r\r\n Dload Upload Total Spent Left Speed\r\r\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 129k 100 129k 0 0 1820k 0 --:--:-- --:--:-- --:--:-- 1846k\r\r', '')
<amd64> EXEC chmod u+x /tmp/ansible-tmp-1659627561.073012-1119-109925057725645/ /tmp/ansible-tmp-1659627561.073012-1119-109925057725645/AnsiballZ_command.py
<amd64> _wrap_command: 'echo NLOFBJSpPZrOmppYMYMEjZeEAi
chmod u+x /tmp/ansible-tmp-1659627561.073012-1119-109925057725645/ /tmp/ansible-tmp-1659627561.073012-1119-109925057725645/AnsiballZ_command.py
echo $'\n'$?
echo YtkFHtXrXFvLomjOuiLlKeYBfi
'
<amd64> EXEC stdout line: NLOFBJSpPZrOmppYMYMEjZeEAi
<amd64> EXEC stdout line:
<amd64> EXEC stdout line: 0
<amd64> EXEC stdout line: YtkFHtXrXFvLomjOuiLlKeYBfi
<amd64> POST_PROCESS:
0
<amd64> (0, '\r', '')
<amd64> EXEC /usr/bin/python3 /tmp/ansible-tmp-1659627561.073012-1119-109925057725645/AnsiballZ_command.py
<amd64> _wrap_command: 'echo HyqCfmJjriNxjfNbLldzMTjrLi
sudo /usr/bin/python3 /tmp/ansible-tmp-1659627561.073012-1119-109925057725645/AnsiballZ_command.py
echo $'\n'$?
echo ERFJmIxGphNBUQcMVFdKOIerLX
'
<amd64> EXEC stdout line: HyqCfmJjriNxjfNbLldzMTjrLi
<amd64> EXEC stdout line:
<amd64> EXEC stdout line: {"changed": true, "stdout": "root", "stderr": "", "rc": 0, "cmd": ["whoami"], "start": "2022-08-04 15:39:23.566282", "end": "2022-08-04 15:39:23.570094", "delta": "0:00:00.003812", "msg": "", "invocation": {"module_args": {"_raw_params": "whoami", "_uses_shell": false, "warn": false, "stdin_add_newline": true, "strip_empty_ends": true, "argv": null, "chdir": null, "executable": null, "creates": null, "removes": null, "stdin": null}}}
<amd64> EXEC stdout line:
<amd64> EXEC stdout line: 0
<amd64> EXEC stdout line: ERFJmIxGphNBUQcMVFdKOIerLX
<amd64> POST_PROCESS:
{"changed": true, "stdout": "root", "stderr": "", "rc": 0, "cmd": ["whoami"], "start": "2022-08-04 15:39:23.566282", "end": "2022-08-04 15:39:23.570094", "delta": "0:00:00.003812", "msg": "", "invocation": {"module_args": {"_raw_params": "whoami", "_uses_shell": false, "warn": false, "stdin_add_newline": true, "strip_empty_ends": true, "argv": null, "chdir": null, "executable": null, "creates": null, "removes": null, "stdin": null}}}
0
<amd64> (0, '\r\r\n{"changed": true, "stdout": "root", "stderr": "", "rc": 0, "cmd": ["whoami"], "start": "2022-08-04 15:39:23.566282", "end": "2022-08-04 15:39:23.570094", "delta": "0:00:00.003812", "msg": "", "invocation": {"module_args": {"_raw_params": "whoami", "_uses_shell": false, "warn": false, "stdin_add_newline": true, "strip_empty_ends": true, "argv": null, "chdir": null, "executable": null, "creates": null, "removes": null, "stdin": null}}}\r\r', '')
<amd64> EXEC rm -f -r /tmp/ansible-tmp-1659627561.073012-1119-109925057725645/ > /dev/null 2>&1
<amd64> _wrap_command: 'echo QhiCwGzddFOrmxNtUXzsEFkFat
rm -f -r /tmp/ansible-tmp-1659627561.073012-1119-109925057725645/ > /dev/null 2>&1
echo $'\n'$?
echo scPRPnJYpRRVhMaDEKUeubXVaz
'
<amd64> EXEC stdout line: QhiCwGzddFOrmxNtUXzsEFkFat
<amd64> EXEC stdout line:
<amd64> EXEC stdout line: 0
<amd64> EXEC stdout line: scPRPnJYpRRVhMaDEKUeubXVaz
<amd64> POST_PROCESS:
0
<amd64> (0, '\r', '')
<amd64> CLOSING SSM CONNECTION TO: i-foooobarrrrrrr
<amd64> TERMINATE SSM SESSION: 1659627557575920425-091a376c8a7e21c36
amd64 | CHANGED | rc=0 >>
root
I came across this issue today as well. I'm pretty sure it is the same case since I'm running ansible as "runner" user and the target host I'm trying to access also has a become_user statement as the "runner" user. Running latest ansible core and latest community.aws.
https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-technical-details.html

With SSM the user you connect as is controlled by the SSM agent as installed on the target host. This is simply how the SSM agent works. By default this initial user will be the ssm-agent user. Since it's controlled by the target host side the plugin currently ignores the ansible_user.

Once connected, Ansible defaults to running sudo to become the root user. If you want to run commands as another user, become_user would be the correct way to select the user. While we could mangle things and also use sudo to switch from the SSM user to ansible_user, this would be somewhat misleading as folks might think that they're connecting in directly as ansible_user rather than becoming that user.

I'm going to keep this issue open as a documentation bug. However, I don't think it's correct to change the behaviour from today's behaviour.
> With SSM the user you connect as is controlled by the SSM agent as installed on the target host. This is simply how the SSM agent works. By default this initial user will be the ssm-agent user. Since it's controlled by the target host side the plugin currently ignores the ansible_user.
I use SSM on the command line daily and it uses the user I specify on command line. As previously mentioned it looks like this was also working as desired in a previous version. That doesn't sound like a documentation bug to me. But if that is the decision going forwards then I will work around it.
If you've got it working then feel free to supply example commands. I'll concede that the AWS documentation isn't the greatest and it's possible I've overlooked something.
The only documentation I can find that refers to managing which user you connect as talks about needing to apply the "SSMSessionRunAs" tag to IAM Users/Roles and doesn't talk about selecting the user on the fly.
Please note that the plugin is using SSM sessions, not SSM commands.
I ran across this problem when experimenting with the aws_ssm connection plugin. I am running ansible v2.9.25 and noticed that many of my playbooks that run fine over SSH were failing with errors when run with aws_ssm.
I dug into the source of aws_ssm and to me it seems aws_ssm is incorrectly prepending sudo when sudoable=True is being passed.
From my testing, sudoable=True is sent even when become is not being used. For example the facts modules will send sudoable=True even though become is not used. This causes facts to come back for "root" instead of the login user.
Removing the if statement in _wrap_command that prepends sudo has fixed the issue for me completely. My tasks that run with become still run sudo appropriately, and all my others do not.
While reading over the docs in ansible 2.9.25 for ConnectionBase it mentions that sudoable is a flag to tell the connection plugin that become is being used. I interpret that to mean become is being handled elsewhere, and should not be done in the connection plugin.
All of that said I am running aws_ssm (5.2.0) on an old version of ansible (2.9.25) so this fix may not be appropriate for general use.
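The two findings in this thread (the buser != ruser gate in the action plugin discussed above, and the bare sudo that aws_ssm prepends whenever sudoable=True, discussed in the last comment) combine to decide which user a task actually runs as. The following is an added illustration written for this page, not code from ansible-core or community.aws: it models both layers with hypothetical function names, assumes the SSM agent starts the session as ssm-user and that sudo works without a password for every user involved, and then reports the user whoami would print for the combinations seen in the logs. The allow_same_user switch models the become_allow_same_user setting in ansible.cfg, which is not mentioned on this page.

```python
"""Why an aws_ssm task runs as root, ubuntu or ssm-user depending on
ansible_user / become_user.

Added, simplified model of the two places that add sudo to a task's command.
It is not the code of ansible-core or community.aws; the function names are
hypothetical.  Assumed: the SSM agent starts the shell as ssm-user and sudo
succeeds non-interactively for every user involved.
"""
import shlex

SSM_LOGIN_USER = "ssm-user"   # assumed default user of an SSM session
REMOTE_CMD = "/usr/bin/python3 /tmp/ansible-tmp-x/AnsiballZ_command.py"


def action_plugin_become(cmd, become, become_user, ansible_user,
                         allow_same_user=False):
    """Model of the action-plugin gate plus the sudo become plugin.

    ansible-core only hands the command to the become plugin when the become
    user differs from the remote user (the buser != ruser check cited above),
    unless become_allow_same_user is enabled in ansible.cfg.  When the wrap
    happens, the sudo plugin produces the 'sudo -H -S -n -u <user> /bin/sh -c'
    form visible in the 2.12.7 log (BECOME-SUCCESS marker omitted here).
    """
    if not become:
        return cmd
    buser = become_user or "root"          # sudo plugin's default become_user
    ruser = ansible_user                   # None when ansible_user is unset
    if buser == ruser and not allow_same_user:
        return cmd                         # become silently skipped
    return "sudo -H -S -n -u %s /bin/sh -c %s" % (
        shlex.quote(buser), shlex.quote(cmd))


def aws_ssm_wrap(cmd, sudoable, prepend_sudo=True):
    """Model of the connection plugin's _wrap_command.

    With prepend_sudo=True (the behaviour discussed in the thread) a bare
    'sudo' is prepended whenever the caller passes sudoable=True, which
    ordinary modules such as fact gathering do even without become.
    prepend_sudo=False models leaving privilege escalation to the become
    plugin entirely, as the last commenter did.
    """
    if sudoable and prepend_sudo:
        return "sudo " + cmd
    return cmd


def effective_user(cmd, login_user=SSM_LOGIN_USER):
    """Return the user 'whoami' would print for a (possibly nested) sudo
    command line: each leading 'sudo' switches to root unless it carries
    '-u <user>'; flags such as -H/-S/-n are skipped."""
    tokens = shlex.split(cmd)
    user = login_user
    i = 0
    while i < len(tokens) and tokens[i] == "sudo":
        user = "root"
        i += 1
        while i < len(tokens) and tokens[i].startswith("-"):
            if tokens[i] == "-u":
                user = tokens[i + 1]
                i += 2
            else:
                i += 1
    return user


def run_task(become=False, become_user=None, ansible_user=None,
             sudoable=True, allow_same_user=False, prepend_sudo=True):
    """Compose the layers in the order Ansible applies them (become plugin
    first, connection plugin last) and report the resulting command and user."""
    cmd = action_plugin_become(REMOTE_CMD, become, become_user, ansible_user,
                               allow_same_user)
    cmd = aws_ssm_wrap(cmd, sudoable, prepend_sudo)
    return {"command": cmd, "whoami": effective_user(cmd)}


if __name__ == "__main__":
    scenarios = [
        ("plain task, no become (e.g. fact gathering)", dict()),
        ("become_user=ubuntu, ansible_user unset (2.12.7 log)",
         dict(become=True, become_user="ubuntu")),
        ("become_user=ubuntu, ansible_user=ubuntu (2.13.0 log)",
         dict(become=True, become_user="ubuntu", ansible_user="ubuntu")),
        ("same, with become_allow_same_user=True",
         dict(become=True, become_user="ubuntu", ansible_user="ubuntu",
              allow_same_user=True)),
        ("connection plugin no longer prepends sudo, no become",
         dict(prepend_sudo=False)),
    ]
    for label, kwargs in scenarios:
        result = run_task(**kwargs)
        print("%-56s -> %s" % (label, result["whoami"]))
        print("    " + result["command"])
```

Running it reproduces the thread: the second scenario yields the double `sudo sudo -H -S -n -u ubuntu ...` line from the 2.12.7 log and whoami ubuntu, the third collapses to a single bare `sudo` and whoami root exactly as in the 2.13.0 log, and only the last scenario ever runs as the SSM login user. A practical check on a real host is the same `ansible <host> --become --become-user=<user> -a whoami -vvvvv` invocation quoted above, reading the `_wrap_command:` line for how many sudo layers were applied.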
Summary

When using the aws_ssm connection plugin the user always seems to be root. When running commands that create files (such as community.general.bundler) they become owned by root. The executed commands appear to be run using sudo as opposed to a regular connection.

Issue Type

Bug Report

Component Name

aws_ssm

Ansible Version

Collection Versions

AWS SDK versions

Configuration

OS / Environment

Controller: Ubuntu 20.04 Host: Ubuntu 20.04

Steps to Reproduce

Expected Results

Environment should have the user I connect with as USER:

Actual Results

User is root with sudo to myuser.

Code of Conduct