Passing both a profile and access tokens is not supported #1353

Closed
pwrccloud opened this issue Feb 9, 2023 · 4 comments
Labels
bug This issue/PR relates to a bug has_pr needs_triage python3

@pwrccloud

Summary

Using the amazon.aws.ec2_instance module with the profile parameter and AWS credentials stored in environment variables results in the error: Passing both a profile and access tokens is not supported.

This behaviour is not shown in Ansible 7.2 using amazon.aws collection version 5.1.0.

Issue Type

Bug Report

Component Name

amazon.aws.ec2_instance

Ansible Version

ansible [core 2.14.2]
config file = /home/centos/ansible/ansible.cfg
configured module search path = ['/home/centos/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/centos/.local/lib/python3.9/site-packages/ansible
ansible collection location = /home/centos/.ansible/collections:/usr/share/ansible/collections
executable location = /home/centos/.local/bin/ansible
python version = 3.9.6 (default, Aug 25 2021, 16:22:38) [GCC 8.5.0 20210514 (Red Hat 8.5.0-3)] (/usr/bin/python3)
jinja version = 3.1.2
libyaml = True

Name: ansible
Version: 7.2.0
Summary: Radically simple IT automation
Home-page: https://ansible.com/
Author: Ansible, Inc.
Author-email: info@ansible.com
License: GPLv3+
Location: /home/centos/.local/lib/python3.9/site-packages
Requires: ansible-core
Required-by:

Collection Versions

Collection Version


amazon.aws 5.2.0
ansible.netcommon 4.1.0
ansible.posix 1.5.1
ansible.utils 2.9.0
ansible.windows 1.13.0
arista.eos 6.0.0
awx.awx 21.11.0
azure.azcollection 1.14.0
check_point.mgmt 4.0.0
chocolatey.chocolatey 1.4.0
cisco.aci 2.3.0
cisco.asa 4.0.0
cisco.dnac 6.6.3
cisco.intersight 1.0.23
cisco.ios 4.3.1
cisco.iosxr 4.1.0
cisco.ise 2.5.12
cisco.meraki 2.15.0
cisco.mso 2.2.1
cisco.nso 1.0.3
cisco.nxos 4.0.1
cisco.ucs 1.8.0
cloud.common 2.1.2
cloudscale_ch.cloud 2.2.4
community.aws 5.2.0
community.azure 2.0.0
community.ciscosmb 1.0.5
community.crypto 2.10.0
community.digitalocean 1.23.0
community.dns 2.5.0
community.docker 3.4.0
community.fortios 1.0.0
community.general 6.3.0
community.google 1.0.0
community.grafana 1.5.3
community.hashi_vault 4.1.0
community.hrobot 1.7.0
community.libvirt 1.2.0
community.mongodb 1.4.2
community.mysql 3.5.1
community.network 5.0.0
community.okd 2.2.0
community.postgresql 2.3.2
community.proxysql 1.5.1
community.rabbitmq 1.2.3
community.routeros 2.7.0
community.sap 1.0.0
community.sap_libs 1.4.0
community.skydive 1.0.0
community.sops 1.6.0
community.vmware 3.3.0
community.windows 1.12.0
community.zabbix 1.9.1
containers.podman 1.10.1
cyberark.conjur 1.2.0
cyberark.pas 1.0.17
dellemc.enterprise_sonic 2.0.0
dellemc.openmanage 6.3.0
dellemc.os10 1.1.1
dellemc.os6 1.0.7
dellemc.os9 1.0.4
dellemc.powerflex 1.5.0
dellemc.unity 1.5.0
f5networks.f5_modules 1.22.0
fortinet.fortimanager 2.1.7
fortinet.fortios 2.2.2
frr.frr 2.0.0
gluster.gluster 1.0.2
google.cloud 1.1.2
grafana.grafana 1.1.0
hetzner.hcloud 1.9.1
hpe.nimble 1.1.4
ibm.qradar 2.1.0
ibm.spectrum_virtualize 1.11.0
infinidat.infinibox 1.3.12
infoblox.nios_modules 1.4.1
inspur.ispim 1.2.0
inspur.sm 2.3.0
junipernetworks.junos 4.1.0
kubernetes.core 2.3.2
lowlydba.sqlserver 1.3.1
mellanox.onyx 1.0.0
netapp.aws 21.7.0
netapp.azure 21.10.0
netapp.cloudmanager 21.22.0
netapp.elementsw 21.7.0
netapp.ontap 22.2.0
netapp.storagegrid 21.11.1
netapp.um_info 21.8.0
netapp_eseries.santricity 1.4.0
netbox.netbox 3.10.0
ngine_io.cloudstack 2.3.0
ngine_io.exoscale 1.0.0
ngine_io.vultr 1.1.3
openstack.cloud 1.10.0
openvswitch.openvswitch 2.1.0
ovirt.ovirt 2.4.1
purestorage.flasharray 1.16.2
purestorage.flashblade 1.10.0
purestorage.fusion 1.3.0
sensu.sensu_go 1.13.2
splunk.es 2.1.0
t_systems_mms.icinga_director 1.32.0
theforeman.foreman 3.8.0
vmware.vmware_rest 2.2.0
vultr.cloud 1.7.0
vyos.vyos 4.0.0
wti.remote 1.0.4

AWS SDK versions

Name: boto
Version: 2.49.0
Summary: Amazon Web Services Library
Home-page: https://github.com/boto/boto/
Author: Mitch Garnaat
Author-email: mitch@garnaat.com
License: MIT
Location: /home/centos/.local/lib/python3.9/site-packages
Requires:
Required-by:

Name: boto3
Version: 1.26.66
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /home/centos/.local/lib/python3.9/site-packages
Requires: botocore, jmespath, s3transfer
Required-by:

Name: botocore
Version: 1.29.66
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /home/centos/.local/lib/python3.9/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: awscli, boto3, s3transfer

Configuration

CONFIG_FILE() = /home/centos/ansible/ansible.cfg
DEFAULT_HOST_LIST(/home/centos/ansible/ansible.cfg) = ['/home/centos/ansible/inventory']
DEFAULT_ROLES_PATH(/home/centos/ansible/ansible.cfg) = ['/home/centos/ansible/roles']
DEFAULT_STDOUT_CALLBACK(/home/centos/ansible/ansible.cfg) = yaml
HOST_KEY_CHECKING(/home/centos/ansible/ansible.cfg) = False
INVENTORY_ENABLED(/home/centos/ansible/ansible.cfg) = ['ini']

OS / Environment

CentOS Stream 8

Steps to Reproduce

Using Ansible 7.2 and amazon.aws collection version 5.2.0

Store AWS creds in environment vars

export AWS_ACCESS_KEY_ID="XXXXXXX"
export AWS_SECRET_KEY="XXXXXX"
export AWS_REGION="XXXXXX"

Setup AWS profile config file:

[default]
region = xxxxxxxxxxxxxxxxx
[profile testing]
role_arn = arn:aws:iam::xxxxxxxxxxxxx:role/testing-role
credential_source = Environment
region = xxxxxxxxxxxxxxxx
[profile testing2]
role_arn = arn:aws:iam::xxxxxxxxxxx:role/testing-role
credential_source = Environment
region = xxxxxxxxxxxxxxxxxx

Add Ansible code

---
- name: Example play for test
  hosts: localhost
  gather_facts: no
  become: no


  tasks:
 
    - name: Test EC2 State Change
      amazon.aws.ec2_instance:
        profile: testing
        state: running
        instance_ids: i-xxxxxxxx

Run ansible-playbook

ansible-playbook example-play.yml

Expected Results

Authenticate to AWS using the profile instead of the AWS credentials stored in environment vars
Successfully run the actions in the amazon.aws.ec2_instance task

Actual Results

Using amazon.aws 5.2.0

  msg: Passing both a profile and access tokens is not supported.

Using amazon.aws 5.1.0
Task completes successfully as expected

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
@ansibullbot

Files identified in the description:
None

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


@ansibullbot ansibullbot added bug This issue/PR relates to a bug needs_triage python3 labels Feb 9, 2023
@tremble
Contributor

tremble commented Feb 9, 2023

Thanks for taking the time to open this issue.

The triggering PR was #1224. However, support for passing both profile and credentials was deprecated in release 1.2.0 (back in 2020), and officially "removed" in release 5.0.0. This includes passing them through both environment variables and parameters.

Unfortunately, due to some messy logic paths in the original code it looks like when removing support we only partially dropped support. With #1224 the logic was simplified and the change exposed the dropped support that you've now encountered.

Since this breaking change appeared in a non-major release I'm going to revert it for the remainder of the 5.x release cycle. However, please note that this behaviour will return in release 6.0.0.

@tremble
Contributor

tremble commented Feb 9, 2023

One way to avoid modules using the values from the environment variables is by explicitly setting access_key, secret_key and session_token to empty strings:

    - name: Test EC2 State Change
      amazon.aws.ec2_instance:
        profile: testing
        access_key: ""
        secret_key: ""
        session_token: ""
        state: running
        instance_ids: i-xxxxxxxx

You may also be interested in using module_defaults:

---
- name: Example play for test
  hosts: localhost
  gather_facts: no
  become: no
  module_defaults:
    group/aws:
      access_key: ''
      secret_key: ''
      session_token: ''
      profile: 'testing'
  tasks:
    - name: Test EC2 State Change
      amazon.aws.ec2_instance:
        state: running
        instance_ids: i-xxxxxxxx
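
A simplified model of the check discussed in this thread, added here as an illustration and not taken from the amazon.aws collection: it shows why environment tokens combined with profile are rejected, and why explicit empty strings (per task or through module_defaults) stop the environment fallback. The function names and the fallback table are assumptions of this example; only AWS_ACCESS_KEY_ID and AWS_SECRET_KEY appear in the report.

```python
# Simplified model of the profile/token conflict; not the collection's code.
# Assumed environment fallbacks (the report only shows the first key's and AWS_SECRET_KEY).
ENV_FALLBACKS = {
    "access_key": ("AWS_ACCESS_KEY_ID", "AWS_ACCESS_KEY"),
    "secret_key": ("AWS_SECRET_ACCESS_KEY", "AWS_SECRET_KEY"),
    "session_token": ("AWS_SESSION_TOKEN", "AWS_SECURITY_TOKEN"),
    "profile": ("AWS_PROFILE",),
}
TOKEN_PARAMS = ("access_key", "secret_key", "session_token")


class CredentialConflict(ValueError):
    """Raised when a profile and access tokens are both in effect."""


def resolve(task_params, env, module_defaults=None):
    """Return the effective auth parameters, or raise CredentialConflict."""
    # module_defaults are applied first; task parameters override them.
    params = dict(module_defaults or {})
    params.update(task_params)
    effective = {}
    for name, env_names in ENV_FALLBACKS.items():
        if params.get(name) is not None:
            # Explicitly set, even to "": the environment is not consulted.
            effective[name] = params[name]
        else:
            effective[name] = next((env[n] for n in env_names if env.get(n)), None)
    tokens = [n for n in TOKEN_PARAMS if effective[n]]
    if effective["profile"] and tokens:
        raise CredentialConflict(
            "Passing both a profile and access tokens is not supported "
            "(tokens in effect: %s)" % ", ".join(tokens)
        )
    return effective


def audit(task_params, env, module_defaults=None):
    """Return 'ok' or the conflict message, for use as a pre-flight check."""
    try:
        resolve(task_params, env, module_defaults)
        return "ok"
    except CredentialConflict as exc:
        return str(exc)


# Constructed sample environment mirroring the report (placeholder values).
SAMPLE_ENV = {"AWS_ACCESS_KEY_ID": "XXXXXXX", "AWS_SECRET_KEY": "XXXXXX", "AWS_REGION": "XXXXXX"}
```

Running audit over every task's auth parameters before a collection upgrade shows which plays depend on the ambiguous precedence, and therefore which identity they would actually run as.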

@pwrccloud
Author

Thanks @tremble
I have updated my code to correct for this change.

@tremble tremble self-assigned this Feb 13, 2023
tremble added a commit that referenced this issue Feb 22, 2023
fixes #1353

SUMMARY

#1224 exposed that the removal of support for passing both profiles and security tokens was only partially implemented in release 5.0.0 (#834)

Since we had already announced that support would be dropped for passing both (back in 2020 with release 1.2.0), I think it's reasonable to still fully drop support in 6.0.0. The documentation was originally very fuzzy about when we'd fall back and use which variables.

ISSUE TYPE

- Bugfix Pull Request

COMPONENT NAME

plugins/module_utils/botocore.py
plugins/module_utils/modules.py

ADDITIONAL INFORMATION
abikouo pushed a commit to abikouo/amazon.aws that referenced this issue Sep 18, 2023
…ns#1353)

feat(module/vpc-cagw): Add Carrier Gateway modules

SUMMARY
New modules to manage VPC Carrier Gateways.
ISSUE TYPE

New Module Pull Request

COMPONENT NAME
modules (new):

ec2_carrier_gateway
ec2_carrier_gateway_info

ADDITIONAL INFORMATION
$ ansible localhost -m ec2_vpc_cagw_info
localhost | SUCCESS => {
    "carrier_gateways": [
        {
            "carrier_gateway_id": "cagw-037df45cae5362d59",
            "tags": {
                "Name": "test1-54dsl-vpc-cagw"
            },
            "vpc_id": "vpc-069cabb60c7e7fc6d"
        }
    ],
    "changed": false
}

$ ansible localhost -m ec2_carrier_gateway -a "state=absent vpc_id=vpc-069cabb60c7e7fc6d carrier_gateway_id=cagw-037df45cae5362d59"
localhost | CHANGED => {
    "changed": true
}


$ ansible localhost -m ec2_carrier_gateway_info
localhost | SUCCESS => {
    "carrier_gateways": [],
    "changed": false
}


$ ansible localhost -m ec2_carrier_gateway -a "vpc_id=vpc-069cabb60c7e7fc6d"
localhost | CHANGED => {
    "carrier_gateway_id": "cagw-095f998ebdcb5ef86",
    "changed": true,
    "tags": {},
    "vpc_id": "vpc-069cabb60c7e7fc6d"
}
$ ansible localhost -m ec2_carrier_gateway_info
localhost | SUCCESS => {
    "carrier_gateways": [
        {
            "carrier_gateway_id": "cagw-095f998ebdcb5ef86",
            "tags": {},
            "vpc_id": "vpc-069cabb60c7e7fc6d"
        }
    ],
    "changed": false
}

Reviewed-by: Mark Chappell
Reviewed-by: Marco Braga
Reviewed-by: Markus Bergholz <git@osuv.de>
abikouo pushed a commit to abikouo/amazon.aws that referenced this issue Oct 24, 2023
…ns#1353)