
ec2.py: iam_role option fails when using more than one region #40336

Closed
zenitraM opened this issue May 17, 2018 · 2 comments · Fixed by #37357
Labels: affects_2.4, aws, bug, c:inventory/contrib_script, cloud, inventory, support:community

Comments

@zenitraM

ISSUE TYPE
  • Bug Report
COMPONENT NAME

contrib/inventory/ec2.py

ANSIBLE VERSION
ansible 2.4.3.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python2.7/dist-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 2.7.6 (default, Nov 23 2017, 15:49:48) [GCC 4.8.4]
CONFIGURATION

ec2.ini:

[ec2]
regions = eu-central-1,us-east-1
iam_role = arn:aws:iam::4242424242:role/ansible-inventory
OS / ENVIRONMENT

AWS

SUMMARY

On these lines:

    def connect_to_aws(self, module, region):
        connect_args = self.credentials

        # only pass the profile name if it's set (as it is not supported by older boto versions)
        if self.boto_profile:
            connect_args['profile_name'] = self.boto_profile
            self.boto_fix_security_token_in_profile(connect_args)

        if self.iam_role:
            sts_conn = sts.connect_to_region(region, **connect_args)
            role = sts_conn.assume_role(self.iam_role, 'ansible_dynamic_inventory')
            connect_args['aws_access_key_id'] = role.credentials.access_key
            connect_args['aws_secret_access_key'] = role.credentials.secret_key
            connect_args['security_token'] = role.credentials.session_token

        conn = module.connect_to_region(region, **connect_args)
        # connect_to_region will fail "silently" by returning None if the region name is wrong or not supported
        if conn is None:
            self.fail_with_error("region name: %s likely not supported, or AWS is down. connection to region failed." % region)

        return conn

connect_args is a reference to self.credentials instead of a copy.
This causes that, when iam_role is set and more than one region is specified, it will:

  • process the first region, run over iam_role, and overwrite self.credentials with the credentials for the assumed IAM role
  • when it gets to the second region, it will use the overwritten credentials to try to assume the role again against the second region, so that the role tries to assume itself and fails:
ERROR: "Error connecting to AWS backend.
User: arn:aws:sts::4242424242:assumed-role/ansible-inventory/ansible_dynamic_inventory is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::4242424242:role/ansible-inventory",
STEPS TO REPRODUCE

Setup ec2.ini as set before, with an IAM role that has to be assumed and multiple regions

EXPECTED RESULTS

Working inventory

ACTUAL RESULTS
ERROR: "Error connecting to AWS backend.
User: arn:aws:sts::4242424242:assumed-role/ansible-inventory/ansible_dynamic_inventory is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::4242424242:role/ansible-inventory",
PROPOSED FIX
-      connect_args = self.credentials 
+      connect_args = dict(self.credentials)
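Review bot: the one-line copy is the right fix for the aliasing described above, since `self.credentials` only holds string values a shallow `dict()` copy is sufficient, and it also keeps `profile_name` and the assumed-role `security_token` from being written back into `self.credentials` between regions. The review point to check is that no other caller relied on `self.credentials` being mutated here (the issue text says the reporter could not test further); grepping ec2.py for other readers of `self.credentials` before merging would confirm there is no hidden dependency on the old side effect.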

A brief local test shows that this workaround works - I think there shouldn't be any other side effects in the code but couldn't test further.
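The aliasing bug and the proposed copy fix, as an added self-contained simulation that is not part of the issue or of ec2.py: a stand-in STS refuses sts:AssumeRole when the caller already presents an assumed-role session token (the AccessDenied in the ACTUAL RESULTS above), and a minimal `connect_to_aws` is run over the issue's two regions once with the aliased dict and once with `dict(self.credentials)`. The classes `FakeSts`, `FakeEc2`, `Inventory` and the function `connect_all`, plus the credential values, are constructed for this example; no boto or AWS calls are made.

```python
"""Added example (not from ec2.py or the issue author): simulate the
connect_to_aws credential-aliasing bug and the dict() copy fix offline."""
from collections import namedtuple

# Constructed sample values, not real keys.
BASE_CREDENTIALS = {
    "aws_access_key_id": "AKIA_EXAMPLE_BASE",
    "aws_secret_access_key": "base-secret",
}
ROLE_ARN = "arn:aws:iam::4242424242:role/ansible-inventory"  # from the issue's ec2.ini

Credentials = namedtuple("Credentials", "access_key secret_key session_token")


class FakeSts:
    """Stand-in for boto's STS client: only the base IAM user may assume the
    role. A caller that already presents a security_token is an assumed-role
    session and is denied, mirroring the error text in the issue."""

    def __init__(self, region, **connect_args):
        self.region = region
        self.caller = connect_args  # ** unpacking gives us a fresh dict

    def assume_role(self, role_arn, session_name):
        if "security_token" in self.caller:
            raise PermissionError(
                "User: arn:aws:sts::4242424242:assumed-role/ansible-inventory/%s "
                "is not authorized to perform: sts:AssumeRole on resource: %s"
                % (session_name, role_arn))
        if self.caller.get("aws_access_key_id") != BASE_CREDENTIALS["aws_access_key_id"]:
            raise PermissionError("unknown caller")
        return Credentials("ASIA_EXAMPLE_ROLE", "role-secret", "token-" + self.region)


class FakeEc2:
    """Stand-in for module.connect_to_region: records what it was handed."""

    def __init__(self, region, **connect_args):
        self.region = region
        self.connect_args = connect_args


class Inventory:
    """Minimal Ec2Inventory look-alike holding the base credentials."""

    def __init__(self, iam_role, copy_credentials):
        self.credentials = dict(BASE_CREDENTIALS)
        self.iam_role = iam_role
        self.copy_credentials = copy_credentials

    def connect_to_aws(self, region):
        # Buggy form: connect_args IS self.credentials, so the assumed-role
        # keys written below persist into the next region's STS call.
        # Fixed form: a shallow copy keeps self.credentials pristine.
        connect_args = dict(self.credentials) if self.copy_credentials else self.credentials
        if self.iam_role:
            sts_conn = FakeSts(region, **connect_args)
            role = sts_conn.assume_role(self.iam_role, "ansible_dynamic_inventory")
            connect_args["aws_access_key_id"] = role.access_key
            connect_args["aws_secret_access_key"] = role.secret_key
            connect_args["security_token"] = role.session_token
        return FakeEc2(region, **connect_args)


def connect_all(regions, copy_credentials):
    """Connect to each region in turn; return (regions connected, error or None)."""
    inv = Inventory(ROLE_ARN, copy_credentials)
    connected = []
    for region in regions:
        try:
            conn = inv.connect_to_aws(region)
        except PermissionError as exc:
            return connected, "Error connecting to AWS backend. %s" % exc
        connected.append(conn.region)
    return connected, None


if __name__ == "__main__":
    regions = ["eu-central-1", "us-east-1"]
    print("aliased dict:", connect_all(regions, copy_credentials=False))
    print("dict() copy: ", connect_all(regions, copy_credentials=True))
```

With the aliased dict the first region succeeds and the second fails with the "not authorized to perform: sts:AssumeRole" message; with the copy both regions connect and `self.credentials` still holds only the base keys afterwards.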

@ansibot

ansibot commented May 17, 2018

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


@ansibot

ansibot commented May 17, 2018

@ansibot ansibot added affects_2.4 This issue/PR affects Ansible v2.4 aws bug This issue/PR relates to a bug. c:inventory/contrib_script cloud inventory Inventory category needs_triage Needs a first human triage before being processed. support:community This issue/PR relates to code supported by the Ansible community. labels May 17, 2018
@mkrizek mkrizek removed the needs_triage Needs a first human triage before being processed. label May 18, 2018
@ansible ansible locked and limited conversation to collaborators Jul 22, 2019