
[Plugin] amazon.aws.aws_ec2 - Can't get dynamic inventory with an AWS Identity Center account #1606

Open
gregory-lecomte opened this issue Jun 8, 2023 · 3 comments
Labels
bug This issue/PR relates to a bug jira python3

Comments

@gregory-lecomte

gregory-lecomte commented Jun 8, 2023

Summary

When I try to execute a Playbook on my EC2 instance, I get the following error:

Failed to describe instances: Error
loading SSO Token: Token for https://test.awsapps.com/start does not exist

Issue Type

Bug Report

Component Name

Plugin: amazon.aws.aws_ec2

Ansible Version

$ ansible --version
ansible [core 2.14.6]
  config file = /home/user/Documents/company/gitlab/devops/ansible/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/user/.local/lib/python3.10/site-packages/ansible
  ansible collection location = /home/user/Documents/company/gitlab/devops/ansible/.ansible/collections:/home/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/user/.local/bin//ansible
  python version = 3.10.6 (main, May 29 2023, 11:10:38) [GCC 11.3.0] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True

Collection Versions

$ ansible-galaxy collection list

Collection           Version
-------------------- -------
amazon.aws           6.1.0  
ansible.posix        1.5.4  
community.docker     3.4.6  
community.general    7.0.1  
community.postgresql 2.4.1  

AWS SDK versions

$ pip show boto boto3 botocore
WARNING: Package(s) not found: boto
Name: boto3
Version: 1.24.90
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email: 
License: Apache License 2.0
Location: /home/user/.local/lib/python3.10/site-packages
Requires: botocore, jmespath, s3transfer
Required-by: 
---
Name: botocore
Version: 1.27.90
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email: 
License: Apache License 2.0
Location: /home/user/.local/lib/python3.10/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: boto3, s3transfer

Configuration

$ ansible-config dump --only-changed
ANSIBLE_FORCE_COLOR(/home/user/Documents/company/gitlab/devops/ansible/ansible.cfg) = True
ANSIBLE_PIPELINING(/home/user/Documents/company/gitlab/devops/ansible/ansible.cfg) = True
CALLBACKS_ENABLED(/home/user/Documents/company/gitlab/devops/ansible/ansible.cfg) = ['timer', 'profile_roles']
COLLECTIONS_PATHS(/home/user/Documents/company/gitlab/devops/ansible/ansible.cfg) = ['/home/user/Documents/company/gitlab/devops/ansible/.ansible/collections', '/home/user/.ansible/collections', '/usr/share/ansible/collections']
CONFIG_FILE() = /home/user/Documents/company/gitlab/devops/ansible/ansible.cfg
DEFAULT_FORKS(/home/user/Documents/company/gitlab/devops/ansible/ansible.cfg) = 50
DEFAULT_HOST_LIST(/home/user/Documents/company/gitlab/devops/ansible/ansible.cfg) = ['/home/user/Documents/company/gitlab/devops/ansible/inventories/company']
DEFAULT_ROLES_PATH(/home/user/Documents/company/gitlab/devops/ansible/ansible.cfg) = ['/home/user/Documents/company/gitlab/devops/ansible/roles/common', '/home/user/Documents/company/gitlab/devops/ansible/roles/specific', '/usr/share/ansible/roles', '/home/user/.ansible/roles', '/etc/ansible/roles']
DEFAULT_VAULT_PASSWORD_FILE(/home/user/Documents/company/gitlab/devops/ansible/ansible.cfg) = /home/user/.ansible/ansible-vault-pass-client
DIFF_ALWAYS(/home/user/Documents/company/gitlab/devops/ansible/ansible.cfg) = True
HOST_KEY_CHECKING(/home/user/Documents/company/gitlab/devops/ansible/ansible.cfg) = False
INTERPRETER_PYTHON(/home/user/Documents/company/gitlab/devops/ansible/ansible.cfg) = /usr/bin/python3
RETRY_FILES_ENABLED(/home/user/Documents/company/gitlab/devops/ansible/ansible.cfg) = False

OS / Environment

Ubuntu 22.04

Steps to Reproduce

inventories/company-interne.aws_ec2.yml

plugin: amazon.aws.aws_ec2
aws_profile: company-interne
regions:
  - eu-west-3
keyed_groups:
  - key: tags['Ansible_group'].split(':')
    separator: ""
filters:
  instance-state-name: running
  ip-address: "*" # Get only instances with public IP
exclude_filters:
  - tag:Name:
      - agent-*
hostnames:
  - tag:Name
compose:
  ansible_host: public_ip_address

~/.aws/config

[profile company-interne]
sso_account_id = 12345678912
region = eu-west-3
sso_start_url = https://test.awsapps.com/start
sso_role_name = AWSReadOnly
sso_region = eu-west-3

Command to run:

ansible all --list-hosts

Expected Results

I expected to get my dynamic inventory using an AWS Identity Center account

Actual Results

[WARNING]:  * Failed to parse /home/user/Documents/company/gitlab/devops/ansible/inventories/company/company-interne.aws_ec2.yml with auto plugin: Failed to describe instances: Error
loading SSO Token: Token for https://test.awsapps.com/start does not exist
[WARNING]:  * Failed to parse /home/gregorylecomte/Documents/company/gitlab/devops/ansible/inventories/company/company-interne.aws_ec2.yml with yaml plugin: Plugin configuration YAML file, not
YAML inventory
[WARNING]:  * Failed to parse /home/user/Documents/company/gitlab/devops/ansible/inventories/company/company-interne.aws_ec2.yml with ini plugin: Invalid host pattern 'plugin:'
supplied, ending in ':' is not allowed, this character is reserved to provide a port.
[WARNING]: Unable to parse /home/user/Documents/company/gitlab/devops/ansible/inventories/company/company-interne.aws_ec2.yml as an inventory source
  hosts (0):

@gravesm
Member

gravesm commented Jun 26, 2023

@coopengo-glecomte You appear to be using the legacy non-refreshable configuration in which case you will have to run aws sso login to get a token. You can also try using the newer automatic refreshing config.

@gravesm gravesm added the needs_info This issue requires further information. Please answer any outstanding questions label Jun 26, 2023
@gregory-lecomte
Author

gregory-lecomte commented Jun 27, 2023

@coopengo-glecomte You appear to be using the legacy non-refreshable configuration in which case you will have to run aws sso login to get a token. You can also try using the newer automatic refreshing config.

Hi @gravesm, I'm using the new authentication configuration, and that's what I'm having the problem with:

[profile company]
sso_session = sso-company
sso_account_id = 19xxxxxxxxxx
region = eu-west-3
sso_role_name = AWSAdministratorAccess
[profile company0]
sso_session = sso-company
sso_account_id = 36xxxxxxxxxx
region = eu-west-3
sso_role_name = AWSAdministratorAccess

[profile company1]
sso_session = sso-company
sso_account_id = 46xxxxxxxxxx
region = eu-west-3
sso_role_name = AWSAdministratorAccess

[sso-session sso-company]
sso_start_url = https://test.awsapps.com/start
sso_region = eu-west-3
sso_registration_scopes = sso:account:access

@ansibullbot ansibullbot added bug This issue/PR relates to a bug python3 and removed needs_info This issue requires further information. Please answer any outstanding questions labels Jul 12, 2023
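An added diagnostic (not code from the issue, the amazon.aws collection or botocore) that parses both config shapes shown above, the legacy start-URL profile and the sso-session profile, and reports for each whether a cached SSO token is missing, expired or valid without ever printing the token itself. It assumes botocore's cache layout as generally understood: ~/.aws/sso/cache/<sha1>.json, keyed by the sso_start_url for legacy profiles and by the sso_session name for sso-session profiles; the config text and the cache directory are constructed for the demo.

```python
import configparser
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed ~/.aws/config with both profile shapes from the issue (not a real account).
SAMPLE_CONFIG = """
[profile legacy-interne]
sso_start_url = https://test.awsapps.com/start
sso_account_id = 123456789012
sso_role_name = AWSReadOnly
[profile company]
sso_session = sso-company
sso_account_id = 123456789012
sso_role_name = AWSReadOnly
[sso-session sso-company]
sso_start_url = https://test.awsapps.com/start
sso_region = eu-west-3
"""

def sso_settings(config_text, profile):
    """Return (cache_key, kind); cache_key is how botocore is assumed to name the token file."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    prof = cp[f"profile {profile}"]
    if "sso_session" in prof:  # newer refreshable config: keyed by the session name
        return hashlib.sha1(prof["sso_session"].encode()).hexdigest(), "sso-session"
    # legacy non-refreshable config: keyed by the start URL; only `aws sso login` renews it
    return hashlib.sha1(prof["sso_start_url"].encode()).hexdigest(), "legacy"

def token_status(cache_dir, cache_key, now=None):
    """'missing', 'expired' or 'valid'; reads only expiresAt, never the token value."""
    path = Path(cache_dir) / f"{cache_key}.json"
    if not path.is_file():
        return "missing"
    expires_at = json.loads(path.read_text())["expiresAt"].replace("Z", "+00:00")
    now = now or datetime.now(timezone.utc)
    return "expired" if datetime.fromisoformat(expires_at) <= now else "valid"

def demo():
    """Cache holding only a fresh sso-session token (constructed); status per profile."""
    with tempfile.TemporaryDirectory() as cache_dir:
        key, _ = sso_settings(SAMPLE_CONFIG, "company")
        Path(cache_dir, f"{key}.json").write_text(json.dumps(
            {"accessToken": "constructed-not-a-real-token", "expiresAt": "2099-01-01T00:00:00Z"}))
        return {p: (sso_settings(SAMPLE_CONFIG, p)[1],
                    token_status(cache_dir, sso_settings(SAMPLE_CONFIG, p)[0]))
                for p in ("legacy-interne", "company")}
```

Run against a real ~/.aws/config and ~/.aws/sso/cache, a "missing" result for the profile named in aws_profile is exactly the condition behind the "Token for ... does not exist" message above.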
@gregory-lecomte
Author

Hi,

Any news about it?

abikouo pushed a commit to abikouo/amazon.aws that referenced this issue Sep 18, 2023
…s to retain (ansible-collections#1606)

s3_lifecycle - ability to set the number of newest noncurrent versions to retain

SUMMARY
Adds the ability to set "Number of newer versions to retain"

ISSUE TYPE


Feature Pull Request

COMPONENT NAME
s3_lifecycle
ADDITIONAL INFORMATION
See: https://docs.aws.amazon.com/AmazonS3/latest/API/API_NoncurrentVersionExpiration.html
Previously only the NoncurrentDays parameter was supported, this PR adds support for NewerNoncurrentVersions

Reviewed-by: Markus Bergholz <[email protected]>
Reviewed-by: Mark Chappell <None>