caktus / ansible-role-django-k8s

Ansible role with sane defaults to deploy a Django app to Kubernetes.
BSD 3-Clause "New" or "Revised" License

"Attach inline policy to user" (aws_s3.yml task) fails when using assumed IAM role #29

Open copelco opened 4 years ago

copelco commented 4 years ago

As far as I can tell, Ansible's iam_policy module doesn't work with an assumed IAM role due to a limitation of the underlying boto library.

This gist provides a workaround, which works by just running assumed-role-credentials.py before running the playbook which calls the aws_s3.yml tasks.

copelco commented 4 years ago

Maybe sts_assume_role could be used to obtain temporary access credentials before the iam_policy call.

copelco commented 4 years ago

Example script to add to local project:

```python
# deploy/boto-temporary-creds.py
import boto3

# Resolve the assume-role profile the same way the AWS CLI does, then freeze
# the resulting temporary credentials so they can be exported as plain strings.
session = boto3.Session(profile_name="MY-PROJECT-AWSCLI-PROFILE")
credentials = session.get_credentials().get_frozen_credentials()

# Legacy boto (used by the iam modules) reads AWS_SECURITY_TOKEN;
# boto3/botocore reads AWS_SESSION_TOKEN, so export both.
print(f'export AWS_ACCESS_KEY_ID="{credentials.access_key}"')
print(f'export AWS_SECRET_ACCESS_KEY="{credentials.secret_key}"')
print(f'export AWS_SECURITY_TOKEN="{credentials.token}"')
print(f'export AWS_SESSION_TOKEN="{credentials.token}"')
```

Then:

```shell
python boto-temporary-creds.py
# copy printed export statements and run in shell
export AWS_ACCESS_KEY_ID="..."
# ...
# now run Ansible playbook that failed
ansible-playbook deploy...
```

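
The following is an added example written for this issue, not code from the ansible-role-django-k8s project or from the gist mentioned above. It combines the two ideas in the thread: resolving an assume-role profile through boto3 (as the script above does) or calling sts:AssumeRole directly (the sts_assume_role suggestion), which also returns an expiration time. Beyond the original script it shell-quotes every value, refuses to emit a profile that yields long-lived keys with no session token (the original would print `None` into AWS_SESSION_TOKEN), and checks that the credentials will not expire part-way through a playbook run. The profile name and role ARN shown in the help text are placeholders.

```python
#!/usr/bin/env python3
"""Export temporary credentials for an assumed IAM role to the shell.

Added example for this issue, not project code. Credentials come from either
a profile in ~/.aws/config (boto3 resolves role_arn/source_profile chains
itself) or an explicit sts:AssumeRole call. Names of profiles and roles in
the help text are placeholders, not real resources.
"""
import argparse
import shlex
import sys
import time
from datetime import datetime, timezone
from typing import NamedTuple, Optional


class TempCreds(NamedTuple):
    access_key: str
    secret_key: str
    token: str
    expiration: Optional[float]  # epoch seconds; None if the source gave none


def render_exports(creds: TempCreds) -> str:
    """Shell lines for both the legacy boto name (AWS_SECURITY_TOKEN) and the
    boto3/awscli name (AWS_SESSION_TOKEN). Every value is shell-quoted so a
    token containing quotes or '$' cannot change the meaning of the line."""
    pairs = [
        ("AWS_ACCESS_KEY_ID", creds.access_key),
        ("AWS_SECRET_ACCESS_KEY", creds.secret_key),
        ("AWS_SECURITY_TOKEN", creds.token),
        ("AWS_SESSION_TOKEN", creds.token),
    ]
    return "\n".join(f"export {name}={shlex.quote(value)}" for name, value in pairs)


def seconds_remaining(creds: TempCreds, now: Optional[float] = None) -> Optional[float]:
    """Seconds until expiry, or None when the source did not report one."""
    if creds.expiration is None:
        return None
    return creds.expiration - (time.time() if now is None else now)


def is_usable(creds: TempCreds, min_seconds: float = 300, now: Optional[float] = None) -> bool:
    """False when the credentials expire within min_seconds; a playbook that
    takes longer than that would fail part-way with an expired token."""
    remaining = seconds_remaining(creds, now)
    return remaining is None or remaining >= min_seconds


def from_profile(profile_name: str) -> TempCreds:
    """Resolve credentials the way the boto3 script in this issue does."""
    import boto3  # imported here so the pure helpers above need no AWS SDK
    creds = boto3.Session(profile_name=profile_name).get_credentials()
    if creds is None:
        raise SystemExit(f"profile {profile_name!r} yielded no credentials")
    frozen = creds.get_frozen_credentials()
    if not frozen.token:  # static keys, not an assumed role: never export "None"
        raise SystemExit("profile returned long-lived keys, not an assumed role")
    return TempCreds(frozen.access_key, frozen.secret_key, frozen.token, None)


def from_sts(role_arn: str, session_name: str, duration: int = 3600,
             source_profile: Optional[str] = None) -> TempCreds:
    """Call sts:AssumeRole directly; the response carries an Expiration."""
    import boto3
    sts = boto3.Session(profile_name=source_profile).client("sts")
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           DurationSeconds=duration)
    c = resp["Credentials"]
    return TempCreds(c["AccessKeyId"], c["SecretAccessKey"], c["SessionToken"],
                     c["Expiration"].timestamp())


def main(argv: Optional[list] = None) -> int:
    parser = argparse.ArgumentParser(description=__doc__.splitlines()[0])
    parser.add_argument("--profile", help="profile in ~/.aws/config (placeholder: MY-PROJECT-AWSCLI-PROFILE)")
    parser.add_argument("--role-arn", help="role to assume directly via STS (placeholder ARN)")
    parser.add_argument("--session-name", default="ansible-deploy")
    parser.add_argument("--min-seconds", type=int, default=300)
    args = parser.parse_args(argv)
    if args.role_arn:
        creds = from_sts(args.role_arn, args.session_name, source_profile=args.profile)
    elif args.profile:
        creds = from_profile(args.profile)
    else:
        parser.error("give --profile and/or --role-arn")
    if not is_usable(creds, args.min_seconds):
        print("credentials expire too soon; assume the role again", file=sys.stderr)
        return 1
    if creds.expiration is not None:  # diagnostics go to stderr, exports to stdout
        exp = datetime.fromtimestamp(creds.expiration, tz=timezone.utc)
        print(f"credentials valid until {exp.isoformat()}", file=sys.stderr)
    print(render_exports(creds))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because only the export lines reach stdout, the script can be consumed with `eval "$(python deploy/boto-temporary-creds.py --profile MY-PROJECT-AWSCLI-PROFILE)"` before `ansible-playbook`, which keeps the secret values out of the terminal and the shell history instead of copy-pasting them, and scopes them to that one shell session.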
vkurup commented 3 years ago

I can confirm the same issue when I tried to move the CI IAM user creation to this role.

Here was my initial traceback.

```text
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: boto.provider.ProfileNotFoundError: Profile "saguaro-cluster" not found!
fatal: [staging]: FAILED! => changed=false 
  module_stderr: |-
    Traceback (most recent call last):
      File "/home/vkurup/.ansible/tmp/ansible-tmp-1611955984.4850554-685814-113242977458548/AnsiballZ_iam.py", line 102, in <module>
        _ansiballz_main()
      File "/home/vkurup/.ansible/tmp/ansible-tmp-1611955984.4850554-685814-113242977458548/AnsiballZ_iam.py", line 94, in _ansiballz_main
        invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
      File "/home/vkurup/.ansible/tmp/ansible-tmp-1611955984.4850554-685814-113242977458548/AnsiballZ_iam.py", line 40, in invoke_module
        runpy.run_module(mod_name='ansible_collections.community.aws.plugins.modules.iam', init_globals=None, run_name='__main__', alter_sys=True)
      File "/home/vkurup/.pyenv/versions/3.9.0/lib/python3.9/runpy.py", line 210, in run_module
        return _run_module_code(code, init_globals, run_name, mod_spec)
      File "/home/vkurup/.pyenv/versions/3.9.0/lib/python3.9/runpy.py", line 97, in _run_module_code
        _run_code(code, mod_globals, init_globals,
      File "/home/vkurup/.pyenv/versions/3.9.0/lib/python3.9/runpy.py", line 87, in _run_code
        exec(code, run_globals)
      File "/tmp/ansible_iam_payload_4h5g948t/ansible_iam_payload.zip/ansible_collections/community/aws/plugins/modules/iam.py", line 869, in <module>
      File "/tmp/ansible_iam_payload_4h5g948t/ansible_iam_payload.zip/ansible_collections/community/aws/plugins/modules/iam.py", line 708, in main
      File "/home/vkurup/.pyenv/versions/3.9.0/envs/philly-hip/lib/python3.9/site-packages/boto/iam/connection.py", line 66, in __init__
        super(IAMConnection, self).__init__(aws_access_key_id,
      File "/home/vkurup/.pyenv/versions/3.9.0/envs/philly-hip/lib/python3.9/site-packages/boto/connection.py", line 1091, in __init__
        super(AWSQueryConnection, self).__init__(
      File "/home/vkurup/.pyenv/versions/3.9.0/envs/philly-hip/lib/python3.9/site-packages/boto/connection.py", line 551, in __init__
        self.provider = Provider(self._provider_type,
      File "/home/vkurup/.pyenv/versions/3.9.0/envs/philly-hip/lib/python3.9/site-packages/boto/provider.py", line 201, in __init__
        self.get_credentials(access_key, secret_key, security_token, profile_name)
      File "/home/vkurup/.pyenv/versions/3.9.0/envs/philly-hip/lib/python3.9/site-packages/boto/provider.py", line 296, in get_credentials
        raise ProfileNotFoundError('Profile "%s" not found!' %
    boto.provider.ProfileNotFoundError: Profile "saguaro-cluster" not found!
```

Then when I switched my [default] profile to use my assume-role creds, I got this error:

```text
TASK [caktus.django-k8s : Create CI user] *************************************************************************************************************************************************************************
task path: /home/vkurup/dev/ansible-role-django-k8s/tasks/aws_ci.yml:12
<staging> ESTABLISH LOCAL CONNECTION FOR USER: vkurup
<staging> EXEC /bin/sh -c 'echo ~vkurup && sleep 0'
<staging> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/vkurup/.ansible/tmp `"&& mkdir "` echo /home/vkurup/.ansible/tmp/ansible-tmp-1611957437.7826958-689522-184058437163028 `" && echo ansible-tmp-1611957437.7826958-689522-184058437163028="` echo /home/vkurup/.ansible/tmp/ansible-tmp-1611957437.7826958-689522-184058437163028 `" ) && sleep 0'
redirecting (type: modules) ansible.builtin.iam to community.aws.iam
Loading collection amazon.aws from /home/vkurup/.pyenv/versions/3.9.0/envs/philly-hip/lib/python3.9/site-packages/ansible_collections/amazon/aws
Using module file /home/vkurup/.pyenv/versions/3.9.0/envs/philly-hip/lib/python3.9/site-packages/ansible_collections/community/aws/plugins/modules/iam.py
<staging> PUT /home/vkurup/.ansible/tmp/ansible-local-689424kim03r1d/tmp42nb4ph0 TO /home/vkurup/.ansible/tmp/ansible-tmp-1611957437.7826958-689522-184058437163028/AnsiballZ_iam.py
<staging> EXEC /bin/sh -c 'chmod u+x /home/vkurup/.ansible/tmp/ansible-tmp-1611957437.7826958-689522-184058437163028/ /home/vkurup/.ansible/tmp/ansible-tmp-1611957437.7826958-689522-184058437163028/AnsiballZ_iam.py && sleep 0'
<staging> EXEC /bin/sh -c '/home/vkurup/.pyenv/versions/3.9.0/envs/philly-hip/bin/python3.9 /home/vkurup/.ansible/tmp/ansible-tmp-1611957437.7826958-689522-184058437163028/AnsiballZ_iam.py && sleep 0'
<staging> EXEC /bin/sh -c 'rm -f -r /home/vkurup/.ansible/tmp/ansible-tmp-1611957437.7826958-689522-184058437163028/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
  File "/tmp/ansible_iam_payload_lu1058d0/ansible_iam_payload.zip/ansible_collections/community/aws/plugins/modules/iam.py", line 708, in main
  File "/home/vkurup/.pyenv/versions/3.9.0/envs/philly-hip/lib/python3.9/site-packages/boto/iam/connection.py", line 66, in __init__
    super(IAMConnection, self).__init__(aws_access_key_id,
  File "/home/vkurup/.pyenv/versions/3.9.0/envs/philly-hip/lib/python3.9/site-packages/boto/connection.py", line 1091, in __init__
    super(AWSQueryConnection, self).__init__(
  File "/home/vkurup/.pyenv/versions/3.9.0/envs/philly-hip/lib/python3.9/site-packages/boto/connection.py", line 568, in __init__
    self._auth_handler = auth.get_auth_handler(
  File "/home/vkurup/.pyenv/versions/3.9.0/envs/philly-hip/lib/python3.9/site-packages/boto/auth.py", line 1018, in get_auth_handler
    raise boto.exception.NoAuthHandlerFound(
fatal: [staging]: FAILED! => changed=false 
  invocation:
    module_args:
      access_key_ids: null
      access_key_state: null
      aws_access_key: null
      aws_ca_bundle: null
      aws_config: null
      aws_secret_key: null
      debug_botocore_endpoint_logs: false
      ec2_url: null
      groups: null
      iam_type: user
      key_count: 1
      name: hip-staging-ci-user
      new_name: null
      new_path: null
      password: null
      path: /
      profile: null
      region: null
      security_token: null
      state: present
      trust_policy: null
      trust_policy_filepath: null
      update_password: always
      validate_certs: true
  msg: No handler was ready to authenticate. 1 handlers were checked. ['HmacAuthV4Handler'] Check your credentials
```

Running the boto-temporary-creds.py script, exporting those variables and then re-running the deploy works.