aws_ssm does not seem to work on pulling secret value #322

Closed
isuftin opened this issue Apr 9, 2021 · 5 comments
Labels
bug This issue/PR relates to a bug needs_info This issue requires further information. Please answer any outstanding questions python3

Comments


isuftin commented Apr 9, 2021

SUMMARY

When attempting to use aws_ssm to retrieve a secret, the response is always blank. However, when using boto3 with the same secret, it seems to be working.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

aws_ssm lookup

ANSIBLE VERSION
# python3 $(which ansible) --version
ansible 2.10.7
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.6/site-packages/ansible
  executable location = /bin/ansible
  python version = 3.6.8 (default, Nov 16 2020, 16:55:22) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
CONFIGURATION
 python3 $(which ansible-config) dump --only-changed
DEFAULT_LOG_PATH(/etc/ansible/ansible.cfg) = /var/log/ansible.log
OS / ENVIRONMENT

CentOS 7 in AWS us-west-2 region

STEPS TO REPRODUCE
---
- name: My Test
  hosts: localhost
  connection: local
  become: true
  tasks:
    - name: Debug
      debug: msg="{{ lookup('aws_ssm', '/my/secret/at/path', region='us-west-2') }}"
EXPECTED RESULTS

msg: the secret

ACTUAL RESULTS
 python3 $(which ansible-playbook) -vvvv site2.yml
ansible-playbook 2.10.7
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.6/site-packages/ansible
  executable location = /bin/ansible-playbook
  python version = 3.6.8 (default, Nov 16 2020, 16:55:22) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
yaml declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
ini declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
toml declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
Loading callback plugin default of type stdout, v2.0 from /usr/local/lib/python3.6/site-packages/ansible/plugins/callback/default.py
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.

PLAYBOOK: site2.yml ********************************************************************************************************************************************************************
Positional arguments: site2.yml
verbosity: 4
connection: smart
timeout: 10
become_method: sudo
tags: ('all',)
inventory: ('/etc/ansible/hosts',)
forks: 5
1 plays in site2.yml

PLAY [My Test] ****************************************************************************************************************************************************

TASK [Gathering Facts] *****************************************************************************************************************************************************************
task path: /root/ansible/site2.yml:2
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: root
<127.0.0.1> EXEC /bin/sh -c 'echo ~root && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1617989849.8095214-22256-17482482100520 `" && echo ansible-tmp-1617989849.8095214-22256-17482482100520="` echo /root/.ansible/tmp/ansible-tmp-1617989849.8095214-22256-17482482100520 `" ) && sleep 0'
Using module file /usr/local/lib/python3.6/site-packages/ansible/modules/setup.py
<127.0.0.1> PUT /root/.ansible/tmp/ansible-local-22248rx3xvqjh/tmpz7ehnf9z TO /root/.ansible/tmp/ansible-tmp-1617989849.8095214-22256-17482482100520/AnsiballZ_setup.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1617989849.8095214-22256-17482482100520/ /root/.ansible/tmp/ansible-tmp-1617989849.8095214-22256-17482482100520/AnsiballZ_setup.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/bin/python3 /root/.ansible/tmp/ansible-tmp-1617989849.8095214-22256-17482482100520/AnsiballZ_setup.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1617989849.8095214-22256-17482482100520/ > /dev/null 2>&1 && sleep 0'
ok: [localhost]
META: ran handlers

TASK [Debug] ***************************************************************************************************************************************************************************
task path: /root/ansible/site2.yml:7
redirecting (type: lookup) ansible.builtin.aws_ssm to amazon.aws.aws_ssm
Loading collection amazon.aws from /usr/local/lib/python3.6/site-packages/ansible_collections/amazon/aws
AWS_ssm name lookup term: ['/my/secret/at/path']
ok: [localhost] => {
    "msg": ""
}
META: ran handlers
META: ran handlers

PLAY RECAP *****************************************************************************************************************************************************************************
localhost                  : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

However, this seems to work fine on the same machine...

# python3
Python 3.6.8 (default, Nov 16 2020, 16:55:22)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-44)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import boto3
>>> client = boto3.client('secretsmanager', region_name='us-west-2')
>>> client.get_secret_value(SecretId='/my/secret/at/path')
{'ARN': 'arn:aws:secretsmanager:us-west-2:<my account>:secret:/my/secret/at/path-Wtdxcv', 'Name': '/my/secret/at/path', 'VersionId': '88168908-21c3-4822-9f4d-c56f099c7f4', 'SecretString': 'the secret', 'VersionStages': ['AWSCURRENT'], 'CreatedDate': datetime.datetime(2021, 3, 23, 16, 50, 22, 420000, tzinfo=tzlocal()), 'ResponseMetadata': {'RequestId': '7c0b4af9-a62e-4843-9f11-aaaa752cd49', 'HTTPStatusCode': 200, 'HTTPHeaders': {'date': 'Fri, 09 Apr 2021 17:41:59 GMT', 'content-type': 'application/x-amz-json-1.1', 'content-length': '290', 'connection': 'keep-alive', 'x-amzn-requestid': '7c0b4af9-a62e-4843-9f11-aaaa752cd49'}, 'RetryAttempts': 0}}

Contributor

abikouo commented Apr 12, 2021

Hi @isuftin
The aws_ssm module is used to get the value of an SSM parameter, not a secret value; the boto3 client behind it is ssm, which is different from the one used in your example, secretsmanager.
Are you trying to read information from AWS Secrets Manager using Ansible?

@abikouo abikouo closed this as completed Apr 12, 2021
@abikouo abikouo reopened this Apr 12, 2021
Contributor

tremble commented Apr 12, 2021

For secrets stored in Secret Manager you're probably after the aws_secret lookup plugin: https://docs.ansible.com/ansible/latest/collections/amazon/aws/aws_secret_lookup.html
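Putting the two replies above together, as an added example that is not from the issue or from the collection's documentation: a playbook that uses aws_ssm for a Parameter Store parameter and aws_secret for the Secrets Manager secret named in the report, and keeps the secret out of the play output. The parameter name /my/app/db_host is a constructed placeholder.

```yaml
---
- name: Read a parameter and a secret with the matching lookup plugin
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # Parameter Store: aws_ssm goes through the ssm client (GetParameter).
    # '/my/app/db_host' is a constructed placeholder parameter name.
    db_host: "{{ lookup('amazon.aws.aws_ssm', '/my/app/db_host', region='us-west-2') }}"
    # Secrets Manager: aws_secret goes through the secretsmanager client
    # (GetSecretValue). This is the secret name from the report, for which
    # aws_ssm returned "" because no such SSM parameter exists.
    db_password: "{{ lookup('amazon.aws.aws_secret', '/my/secret/at/path', region='us-west-2') }}"
  tasks:
    - name: Fail early if the secret did not resolve, without printing it
      ansible.builtin.assert:
        that:
          - db_password | length > 0
        fail_msg: "aws_secret returned an empty value"
      no_log: true

    - name: Parameter values are fine to show
      ansible.builtin.debug:
        msg: "db host is {{ db_host }}"
```

Both lookups run on the controller, so the IAM principal that needs ssm:GetParameter and secretsmanager:GetSecretValue is the one running ansible-playbook, not the managed host.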

Author

isuftin commented Apr 15, 2021

Worked like a charm. Thank you @abikouo and @tremble

@isuftin isuftin closed this as completed Apr 15, 2021