From 08c4164e4219d19a6f83cafb5bf4de8e1cf11b10 Mon Sep 17 00:00:00 2001
From: Mark Chappell
Date: Sat, 9 Jul 2022 22:31:47 +0200
Subject: [PATCH] kms_key_info - improve AccessDeniedException handing (#1332)

kms_key_info - improve AccessDeniedException handing

SUMMARY
fixes: #206
Because KMS doesn't support server-side filtering of keys we have to pull full metadata for all KMS keys unless querying a specific key. This can result in additional permission denied errors, even though we may have permissions to read many of the keys.
Try to handle AccessDeniedException more liberally.
ISSUE TYPE
Bugfix Pull Request
COMPONENT NAME
kms_key_info
ADDITIONAL INFORMATION
Reviewed-by: Joseph Torcasso

This commit was initially merged in https://github.com/ansible-collections/community.aws
See: https://github.com/ansible-collections/community.aws/commit/5e1466e90e224b051d335bf2e17e47cc97d4ed8d
---
 plugins/modules/kms_key_info.py                 | 14 ++++++++++++--
 .../kms_key/roles/aws_kms/tasks/test_grants.yml |  4 ++++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/plugins/modules/kms_key_info.py b/plugins/modules/kms_key_info.py
index b9ecf80fcc3..1ba01e50d61 100644
--- a/plugins/modules/kms_key_info.py
+++ b/plugins/modules/kms_key_info.py
@@ -435,13 +435,19 @@ def get_key_details(connection, module, key_id, tokens=None):
         key_id = result['Arn']
     except is_boto3_error_code('NotFoundException'):
         return None
+    except is_boto3_error_code('AccessDeniedException'):  # pylint: disable=duplicate-except
+        module.warn('Permission denied fetching key metadata ({0})'.format(key_id))
+        return None
     except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:  # pylint: disable=duplicate-except
         module.fail_json_aws(e, msg="Failed to obtain key metadata")
     result['KeyArn'] = result.pop('Arn')
 
     try:
         aliases = get_kms_aliases_lookup(connection)
-    except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
+    except is_boto3_error_code('AccessDeniedException'):
+        module.warn('Permission denied fetching key aliases')
+        aliases = {}
+    except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:  # pylint: disable=duplicate-except
         module.fail_json_aws(e, msg="Failed to obtain aliases")
     # We can only get aliases for our own account, so we don't need the full ARN
     result['aliases'] = aliases.get(result['KeyId'], [])
@@ -452,8 +458,12 @@ def get_key_details(connection, module, key_id, tokens=None):
 
     try:
         result['grants'] = get_kms_grants_with_backoff(connection, key_id, tokens=tokens)['Grants']
-    except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
+    except is_boto3_error_code('AccessDeniedException'):
+        module.warn('Permission denied fetching key grants ({0})'.format(key_id))
+        result['grants'] = []
+    except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:  # pylint: disable=duplicate-except
         module.fail_json_aws(e, msg="Failed to obtain key grants")
+
     tags = get_kms_tags(connection, module, key_id)
     result = camel_dict_to_snake_dict(result)
 
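Review bot: After the new handlers, a key whose aliases or grants the caller was not permitted to read comes back with `aliases` / `grants` set to an empty list, which is indistinguishable in the returned data from a key that genuinely has none, so a playbook auditing grants (for example asserting an empty `grants` list) can pass on a key it was never allowed to inspect; only the console warning records the difference. This applies to the aliases handler in the first hunk and the grants handler in the second, and is worth stating in the module's RETURN documentation for those two fields (outside this hunk), e.g. `# An empty list here may also mean AccessDeniedException was swallowed and a warning emitted; callers cannot tell the two apart.` Separately, the `get_kms_tags(connection, module, key_id)` call directly after the grants block is not covered by the new handling, so if it raises AccessDeniedException the module presumably still fails — confirm it has its own handling or it undercuts the commit's goal. `get_key_details` starts and ends outside the hunk.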
diff --git a/tests/integration/targets/kms_key/roles/aws_kms/tasks/test_grants.yml b/tests/integration/targets/kms_key/roles/aws_kms/tasks/test_grants.yml
index d86309e41d9..cb6fd22d040 100644
--- a/tests/integration/targets/kms_key/roles/aws_kms/tasks/test_grants.yml
+++ b/tests/integration/targets/kms_key/roles/aws_kms/tasks/test_grants.yml
@@ -82,6 +82,10 @@
       that:
       - key.changed
 
+  # Roles can take a little while to get ready, pause briefly to give it chance
+  - wait_for:
+      timeout: 20
+
   - name: Add grant
     aws_kms:
       alias: '{{ kms_key_alias }}'
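Review bot: The added `wait_for` with `timeout: 20` is a fixed sleep rather than a readiness check, so the test still fails if role propagation takes longer than 20 seconds and always pays the full delay when it is faster. Polling the operation that actually depends on the role would be more robust, e.g. adding `retries: 10`, `delay: 3` and an `until: grant_result is not failed` to the following `Add grant` task (with `register: grant_result`), keeping the comment that explains why. The enclosing task block starts and ends outside the hunk.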