Cannot connect to ec2 instance via aws_ssm if AWS_SESSION_TOKEN is missing #343
Files identified in the description:
If these files are inaccurate, please update the
@ru-rocker thank you for filing the issue and the suggested fix. Would you like to open a PR for this?
Perhaps this issue could be addressed differently. The ansible options parser already supports the ability to pick up environment variables. Why not use that instead? Say something like:
I just had to address this in our environment because as designed, the code will override the configured vars with
This addresses issues concerning connection failures due to not needing session tokens. If any one of the connection vars is not set, *all* the connection vars are reset to their environmental value, or `None`. This causes mysterious CredentialsNotFound errors. Further, because handling was being done in the code, this fallback behavior was not documented. Fixes ansible-collections#343
Sorry for the late reply. The reason I opened this issue is I need dynamic access_key_id and access_secret_key_id due to security requirements.
…ble-collections#535) * fix issue ansible-collections#343 for missing AWS_SESSION_TOKEN
aws_ssm connection - Move connection vars environment handling into options
SUMMARY
This fix moves a number of connection related variables to the options parsing step instead of inline. This has the added effect of documenting their existence and making overriding them more consistent with Ansible's UX.
Fixes #343
ISSUE TYPE
Bugfix Pull Request
COMPONENT NAME
aws_ssm
ADDITIONAL INFORMATION
There were a couple of other minor changes related to logging and silencing curl's progress info outside of the connection vars themselves. I'm happy to pull them out if desired and submit them as a separate PR.
I added fallback on hostnames lookup to match SSH's host handling since that's the de facto connection plugin. This incidentally fixes the way delegation is reported (it didn't show the -> delegated host bit in the logs).
Of note, the ec2.py module sets the instance_id and placement on instances it detects so I added it as first-class fallback for instance_id and region parameters respectively. The get_options parser doesn't handle nested variable lookups, so I had to modify the lookup slightly.
Reviewed-by: Jill R <None>
Reviewed-by: Guillaume GILL <None>
Reviewed-by: Mark Chappell <None>
aws_ssm connection - Move connection vars environment handling into options
SUMMARY
This fix moves a number of connection related variables to the options parsing step instead of inline. This has the added effect of documenting their existence and making overriding them more consistent with Ansible's UX.
Fixes #343
ISSUE TYPE
Bugfix Pull Request
COMPONENT NAME
aws_ssm
ADDITIONAL INFORMATION
There were a couple of other minor changes related to logging and silencing curl's progress info outside of the connection vars themselves. I'm happy to pull them out if desired and submit them as a separate PR.
I added fallback on hostnames lookup to match SSH's host handling since that's the de facto connection plugin. This incidentally fixes the way delegation is reported (it didn't show the -> delegated host bit in the logs).
Of note, the ec2.py module sets the instance_id and placement on instances it detects so I added it as first-class fallback for instance_id and region parameters respectively. The get_options parser doesn't handle nested variable lookups, so I had to modify the lookup slightly.
Reviewed-by: Jill R <None>
Reviewed-by: Guillaume GILL <None>
Reviewed-by: Mark Chappell <None>
(cherry picked from commit 94d1295)
[PR #514/94d12952 backport][stable-5] aws_ssm connection - Move connection vars environment handling into options
This is a backport of PR #514 as merged into main (94d1295).
SUMMARY
This fix moves a number of connection related variables to the options parsing step instead of inline. This has the added effect of documenting their existence and making overriding them more consistent with Ansible's UX.
Fixes #343
ISSUE TYPE
Bugfix Pull Request
COMPONENT NAME
aws_ssm
ADDITIONAL INFORMATION
There were a couple of other minor changes related to logging and silencing curl's progress info outside of the connection vars themselves. I'm happy to pull them out if desired and submit them as a separate PR.
I added fallback on hostnames lookup to match SSH's host handling since that's the de facto connection plugin. This incidentally fixes the way delegation is reported (it didn't show the -> delegated host bit in the logs).
Of note, the ec2.py module sets the instance_id and placement on instances it detects so I added it as first-class fallback for instance_id and region parameters respectively. The get_options parser doesn't handle nested variable lookups, so I had to modify the lookup slightly.
Reviewed-by: Mark Chappell <None>
SUMMARY
Cannot connect to ec2 instance via aws_ssm if AWS_SESSION_TOKEN is not set.
(I do not configure any AWS variables in OS via `aws configure`)
ISSUE TYPE
COMPONENT NAME
ansible-collections/community.aws/blob/main/plugins/connection/aws_ssm.py
ANSIBLE VERSION
CONFIGURATION
OS / ENVIRONMENT
OSX 10.14.6 (18G3020)
STEPS TO REPRODUCE
I created a role to ping ec2 instance.
I guess this is related with this loc:
Because I do not need `aws_session_token` (yet) to connect to ec2 instances via aws_ssm to do a ping, and I do not set any OS environment variables, all my `aws_access_key_id` and `aws_secret_access_key` are set to None again because the `aws_session_token` is empty.
Suggested fixes:
EXPECTED RESULTS
ACTUAL RESULTS
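The failure mode discussed in this thread, as an added example that is not code from the issue or from the aws_ssm plugin: an all-or-nothing credential fallback beside a per-option fallback. The option names, function names and sample values are assumptions constructed for illustration; only the three `AWS_*` environment variable names are real.

```python
# Hypothetical option names for the three credentials discussed in the issue,
# mapped to the standard AWS environment variable names.
ENV_NAMES = {
    "access_key_id": "AWS_ACCESS_KEY_ID",
    "secret_access_key": "AWS_SECRET_ACCESS_KEY",
    "session_token": "AWS_SESSION_TOKEN",
}


def resolve_all_or_nothing(configured, environ):
    """Reported behaviour: one unset option discards every configured value."""
    if all(configured.get(name) for name in ENV_NAMES):
        return {name: configured[name] for name in ENV_NAMES}
    # Any gap: every option is re-read from the environment, or becomes None.
    return {name: environ.get(env) for name, env in ENV_NAMES.items()}


def resolve_per_option(configured, environ):
    """Per-option fallback: only the unset option consults the environment."""
    return {
        name: configured.get(name) or environ.get(env)
        for name, env in ENV_NAMES.items()
    }


def usable(creds):
    """Long-term keys need an id and a secret; the session token is optional."""
    return bool(creds["access_key_id"] and creds["secret_access_key"])


# Constructed sample input: keys supplied as play variables, no session token.
SAMPLE_VARS = {
    "access_key_id": "CONSTRUCTED-PLAY-KEY-ID",
    "secret_access_key": "constructed-play-secret",
}
# Constructed environments: empty, and one holding a different identity's keys.
EMPTY_ENV = {}
AMBIENT_ENV = {
    "AWS_ACCESS_KEY_ID": "CONSTRUCTED-AMBIENT-KEY-ID",
    "AWS_SECRET_ACCESS_KEY": "constructed-ambient-secret",
}

if __name__ == "__main__":
    for env_label, env in (("empty env", EMPTY_ENV), ("ambient env", AMBIENT_ENV)):
        for resolver in (resolve_all_or_nothing, resolve_per_option):
            creds = resolver(SAMPLE_VARS, env)
            print(env_label, resolver.__name__, creds["access_key_id"], usable(creds))
```

With an empty environment the all-or-nothing resolver yields no credentials at all; with ambient keys present it silently connects as the ambient identity instead of the configured one.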