Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unable to use aws_ssm connection with cross-account shared bucket #1979

Open
1 task done
raulpedroche opened this issue Oct 24, 2023 · 1 comment · May be fixed by #1987
Open
1 task done

Unable to use aws_ssm connection with cross-account shared bucket #1979

raulpedroche opened this issue Oct 24, 2023 · 1 comment · May be fixed by #1987
Labels
jira Adds the issue to cloud content backlog refinement jira board

Comments

@raulpedroche
Copy link

Summary

When trying to use a single organization bucket for cross-account connection, the aws_ssm connection plugin fails with

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GetBucketLocation operation: Access Denied

This happens even though the assumed role has the s3:GetBucketLocation permission granted (we have double checked, s3:* in the role and explicit s3:GetBucketLocation in the bucket policy).

The root of the issue is that, according to the CLI help,

To use this implementation of the operation, you must be the bucket owner.

The online API documentation does not mention it, although it says the call is supported only for backwards compatibility and advises the usage of HeadBucket.

Switching to HeadBucket API call would involve changin the code from

        bucket_location = tmp_s3_client.get_bucket_location(
            Bucket=(self.get_option("bucket_name")),
        )
        bucket_region = bucket_location["LocationConstraint"]

to something like

        head_bucket = tmp_s3_client.head_bucket(
            Bucket=(self.get_option("bucket_name")),
        )
        bucket_region = head_bucket["ResponseMetadata"]["HTTPHeaders"]["x-amz-bucket-region"]

Issue Type

Bug Report

Component Name

aws_ssm

Ansible Version

$ ansible --version
ansible [core 2.15.5]
  config file = None
  configured module search path = ['/actions-runner/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.11/site-packages/ansible
  ansible collection location = /actions-runner/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.11.5 (main, Sep 20 2023, 10:46:56) [GCC 12.2.0] (/usr/local/bin/python)
  jinja version = 3.1.2
  libyaml = True

Collection Versions

$ ansible-galaxy collection list

# /actions-runner/.ansible/collections/ansible_collections
Collection    Version
------------- -------
amazon.aws    6.5.0
community.aws 6.4.0

AWS SDK versions

$ pip show boto boto3 botocore
WARNING: Package(s) not found: boto
Name: boto3
Version: 1.28.69
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /usr/local/lib/python3.11/site-packages
Requires: botocore, jmespath, s3transfer
Required-by:
---
Name: botocore
Version: 1.31.69
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /usr/local/lib/python3.11/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: awscli, boto3, s3transfer

Configuration

$ ansible-config dump --only-changed
CONFIG_FILE() = None

OS / Environment

Debian GNU/Linux 12 (bookworm)

Steps to Reproduce

---
- name: Minimal playbook
  hosts: all
  become: false
  gather_facts: true
  tasks:
    - name: Ping
      ansible.builtin.ping:
      become: true

Expected Results

Expected playbook to run to end.

Actual Results

PLAY [all] *********************************************************************

TASK [Gathering Facts] *********************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GetBucketLocation operation: Access Denied
fatal: [i-00a8cb5930bd5f7dc]: FAILED! => {"msg": "Unexpected failure during module execution: An error occurred (AccessDenied) when calling the GetBucketLocation operation: Access Denied", "stdout": ""}

PLAY RECAP *********************************************************************
i-00a8cb5930bd5f7dc        : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0 

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
raulpedroche added a commit to raulpedroche/community.aws that referenced this issue Oct 25, 2023
@fivetran-joliveira
Copy link

fivetran-joliveira commented Nov 2, 2023

When trying to use a single organization bucket for cross-account connection

Facing same error here in this exact scenario: single bucket for cross account connection

markuman pushed a commit to raulpedroche/community.aws that referenced this issue Jun 7, 2024
@GomathiselviS GomathiselviS added the jira Adds the issue to cloud content backlog refinement jira board label Nov 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
jira Adds the issue to cloud content backlog refinement jira board
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants