Closed gruebel closed 4 years ago
I think this is the cause of similar problems we're seeing today where the ansible plugin reverts to using the default credstash table name 'credential-store' which doesn't exist in our environment. (We pass the lookup a variable 'credential_store' with the actual table name)
AnsibleError: An unhandled exception occurred while templating '{{ lookup('credstash', 'XXXXXXX', table=credential_store, region=aws_region) }}'. Error was a <class 'ansible.errors.AnsibleError'>, original message: An unhandled exception occurred while running the lookup plugin 'credstash'. Error was a <class 'ansible.errors.AnsibleError'>, original message: Encountered exception while fetching XXXXXXX: An error occurred (AccessDeniedException) when calling the Query operation: User: XXXXXXXXXX is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:XXXXXXXXXX \:table/credential-store
Thanks for the quick feedback and identifying the bug. I will put out a bugfix release this weekend to address this issue.
Resolved by #293 https://github.com/fugue/credstash/pull/293
After upgrading to the latest credstash Version 0.17.0 on our Ansible deployment server we get the following error:
After digging in deeper into the mechanism of the Ansible lookup plugin and how it calls credstash, I found the culprit. With the PR #268 the parameter order of getSecret() was changed and the Ansible plugin uses positional arguments instead of named. So, basically the latest version breaks the usage of positional arguments for everyone. I think it would be a good idea to move the new parameter kms_region to the end of the function call. Same goes for all the other functions probably too. I'm happy to add a PR to fix the problem, but I don't want to waste my time, if you are not willing to apply that change.
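
The positional-argument break described in this issue, reproduced as an added Python example (not credstash's or the Ansible plugin's own code). The `get_secret_*` functions are simplified, hypothetical stand-ins for `getSecret()` signatures, and the secret name, table name and region are constructed values.

```python
import inspect

DEFAULT_TABLE = "credential-store"

def _used(region, kms_region, table):
    # Report which settings a lookup would run with (no AWS calls are made).
    return {"region": region, "kms_region": kms_region, "table": table}

# Hypothetical, simplified signatures; not copied from credstash.
def get_secret_old(name, version="", region=None, table=DEFAULT_TABLE):
    return _used(region, None, table)

def get_secret_inserted(name, version="", region=None, kms_region=None,
                        table=DEFAULT_TABLE):
    # New parameter placed mid-signature: every later positional slot shifts.
    return _used(region, kms_region, table)

def get_secret_appended(name, version="", region=None, table=DEFAULT_TABLE,
                        kms_region=None):
    # The change proposed in the issue: new parameter at the end.
    return _used(region, kms_region, table)

def get_secret_kwonly(name, version="", region=None, table=DEFAULT_TABLE, *,
                      kms_region=None):
    # Stricter variant: the new parameter can only be passed by name.
    return _used(region, kms_region, table)

def positional_caller(fn, table, region):
    # A caller written against the old signature, passing everything by position.
    return fn("db_password", "", region, table)

def positional_order(fn):
    kinds = (inspect.Parameter.POSITIONAL_ONLY,
             inspect.Parameter.POSITIONAL_OR_KEYWORD)
    return [p.name for p in inspect.signature(fn).parameters.values()
            if p.kind in kinds]

def is_positionally_compatible(old, new):
    # True when every positional slot of `old` keeps its index in `new`.
    old_order = positional_order(old)
    return positional_order(new)[:len(old_order)] == old_order

if __name__ == "__main__":
    for fn in (get_secret_old, get_secret_inserted,
               get_secret_appended, get_secret_kwonly):
        print(fn.__name__,
              "compatible:", is_positionally_compatible(get_secret_old, fn),
              positional_caller(fn, "prod-secrets", "eu-west-1"))
```

With the inserted parameter, the positional caller's table name lands in `kms_region` and the lookup falls back to the default table, which matches the `credential-store` resource named in the error above. A check like `is_positionally_compatible` can run in a library's test suite so that a reordered signature fails before release.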