
route53 module is not able to authenticate using IAM role #41185

Closed
sw360cab opened this issue Jun 6, 2018 · 6 comments
Labels
affects_2.4 This issue/PR affects Ansible v2.4 aws bot_closed cloud collection:community.aws collection Related to Ansible Collections work feature This issue/PR relates to a feature request. module This issue/PR relates to a module. needs_collection_redirect https://github.com/ansible/ansibullbot/blob/master/docs/collection_migration.md support:community This issue/PR relates to code supported by the Ansible community. traceback This issue/PR includes a traceback.

Comments

@sw360cab

sw360cab commented Jun 6, 2018

SUMMARY

This module should be ported to boto3 to allow authentication with IAM roles.

When running a playbook that employs the Route53 module on an EC2 instance that authenticates itself with AWS services using an IAM role (IAM Role associated to an EC2 instance), the playbook task fails to authenticate (Boto3).

The general idea is that, if I explicitly set

route53:
    aws_access_key: "{{ lookup('env', 'AWS_ACCESS_KEY_ID') }}"
    aws_secret_key: "{{ lookup('env', 'AWS_SECRET_ACCESS_KEY') }}"

the task in the playbook works perfectly.

With respect to the documentation, if I remove this part the module should rely on existing environment variables or, better, on existing Boto3 authentication.

AWS access key. If not set then the value of the AWS_ACCESS_KEY_ID, AWS_ACCESS_KEY or EC2_ACCESS_KEY environment variable is used.

Boto 3 supports authentication via IAM role but route53 seems to refuse it.
Moreover other tasks in the playbook employing AWS services (e.g. launching EC2 instances) do work smoothly with this kind of (boto3) authentication method.

ISSUE TYPE
  • Feature Request
COMPONENT NAME

route53

ANSIBLE VERSION
ansible 2.4.1.0
  config file = None
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.14 (default, Dec 14 2017, 15:51:29) [GCC 6.4.0]

CONFIGURATION
OS / ENVIRONMENT

ansible 2.4.1.0
Linux Alpine 10
Python 2.7

Running against

AWS EC2 service

STEPS TO REPRODUCE
- name: Add Route53 record for client
  route53:
    state: present
    zone: master.streamit.eu
    record: "node{{ item.0 }}.streamit.eu"
    type: A
    ttl: 900
    value: "{{ ipify_public_ip }}"
    overwrite: yes
    wait: no
  when: hostvars[item.1]['ipify_public_ip'] == ipify_public_ip
  with_indexed_items: "{{ groups['wowza-lb-client'] }}"
EXPECTED RESULTS
TASK [wowza-lb-client : Add Route53 record for client] *********************************************************************************************
changed: [18.206.55.76] => (item=(0, u'18.206.55.76')) => {"changed": true, "item": [0, "18.206.55.76"]}
ACTUAL RESULTS
TASK [wowza-lb-client : Add Route53 record for client] *************************

failed: [34.247.135.176] (item=(0, u'34.247.135.176')) => {"changed": false, "failed": true, "item": [0, "34.247.135.176"], "module_stderr": "", "module_stdout": "Traceback (most recent call last):
  File "/tmp/ansible_RSlUwW/ansible_module_route53.py", line 609, in <module>
    main()
  File "/tmp/ansible_RSlUwW/ansible_module_route53.py", line 488, in main
    conn = Route53Connection(**aws_connect_kwargs)
  File "/usr/lib/python2.7/dist-packages/boto/route53/connection.py", line 88, in __init__
    profile_name=profile_name)
  File "/usr/lib/python2.7/dist-packages/boto/connection.py", line 569, in __init__
    host, config, self.provider, self._required_auth_capability())
  File "/usr/lib/python2.7/dist-packages/boto/auth.py", line 991, in get_auth_handler
    'Check your credentials' % (len(names), str(names)))
boto.exception.NoAuthHandlerFound: No handler was ready to authenticate. 1 handlers were checked. ['HmacAuthV3Handler'] Check your credentials
", "msg": "MODULE FAILURE", "rc": 0}

	to retry, use: --limit @/ansible/ec2-lauch.retry
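The report above contrasts a task that exports static keys into the module with one that is expected to pick up the instance's IAM role. The Python below is an added example, not code from Ansible, boto or this issue: it is a simplified model of the provider order boto3 walks (environment variables, then the shared credentials file, then the instance-profile metadata endpoint), with every function name hypothetical, the metadata lookup injected so it runs offline, and all sample keys constructed. It also classifies the winning credential as long-lived (IAM user keys, AKIA prefix, no token) or temporary (role credentials, ASIA prefix plus session token), which is the check that tells an operator whether the "export the keys" workaround has quietly put static credentials into play where a role was intended.

```python
"""Simplified model of the credential chain boto3 walks (environment,
shared credentials file, then EC2 instance-profile metadata). Added
illustration, not Ansible or boto code; names are hypothetical and the
IMDS lookup is injected so the module runs offline."""
import configparser
from typing import Callable, Dict, Optional

# Constructed sample inputs (not real keys): one static IAM-user key pair,
# one shared credentials file, and one temporary instance-profile credential
# set shaped like the metadata endpoint's response.
STATIC_ENV = {
    "AWS_ACCESS_KEY_ID": "AKIAEXAMPLESTATICKEY",
    "AWS_SECRET_ACCESS_KEY": "example-static-secret",
}
SHARED_FILE = """[default]
aws_access_key_id = AKIAEXAMPLEFROMFILE
aws_secret_access_key = example-file-secret
"""
IMDS_ROLE_DOC = {
    "AccessKeyId": "ASIAEXAMPLETEMPORARY",
    "SecretAccessKey": "example-temp-secret",
    "Token": "example-session-token",
}


def _from_env(env: Dict[str, str]) -> Optional[Dict[str, Optional[str]]]:
    """Provider 1: the AWS_* environment variables the module docs mention."""
    key, secret = env.get("AWS_ACCESS_KEY_ID"), env.get("AWS_SECRET_ACCESS_KEY")
    if key and secret:
        return {"access_key": key, "secret_key": secret,
                "token": env.get("AWS_SESSION_TOKEN")}
    return None


def _from_shared_file(text: Optional[str], profile: str) -> Optional[Dict[str, Optional[str]]]:
    """Provider 2: an INI-style shared credentials file (~/.aws/credentials)."""
    if not text:
        return None
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    if not cfg.has_section(profile):
        return None
    sect = cfg[profile]
    if "aws_access_key_id" not in sect or "aws_secret_access_key" not in sect:
        return None
    return {"access_key": sect["aws_access_key_id"],
            "secret_key": sect["aws_secret_access_key"],
            "token": sect.get("aws_session_token")}


def _from_instance_profile(fetch: Optional[Callable[[], Optional[dict]]]) -> Optional[Dict[str, Optional[str]]]:
    """Provider 3: temporary credentials from the instance-profile metadata endpoint."""
    if fetch is None:
        return None
    doc = fetch()
    if not doc:
        return None
    return {"access_key": doc["AccessKeyId"], "secret_key": doc["SecretAccessKey"],
            "token": doc.get("Token")}


def resolve_credentials(env, shared_file=None, imds_fetch=None, profile="default"):
    """Walk the providers lazily, in order, and return (source, credentials).

    Raises RuntimeError when no provider answers; a client that consults
    only the earlier providers ends up in the same place as the
    NoAuthHandlerFound traceback in this report, even though the instance
    profile would have answered."""
    providers = (
        ("env", lambda: _from_env(env)),
        ("shared-credentials-file", lambda: _from_shared_file(shared_file, profile)),
        ("iam-role", lambda: _from_instance_profile(imds_fetch)),
    )
    for source, provider in providers:
        creds = provider()
        if creds:
            return source, creds
    raise RuntimeError("No credential provider was ready to authenticate")


def credential_kind(creds: Dict[str, Optional[str]]) -> str:
    """Long-lived IAM user keys (AKIA... prefix, no token) versus temporary
    role credentials (ASIA... prefix plus a session token)."""
    if creds.get("token") and creds["access_key"].startswith("ASIA"):
        return "temporary"
    if creds["access_key"].startswith("AKIA"):
        return "long-lived"
    return "unknown"


if __name__ == "__main__":
    # Instance role only, as in the failing task: nothing in env or file.
    src, c = resolve_credentials({}, None, lambda: IMDS_ROLE_DOC)
    print(src, credential_kind(c))  # iam-role temporary
    # The reporter's workaround: keys exported into the environment win.
    src, c = resolve_credentials(STATIC_ENV, SHARED_FILE, lambda: IMDS_ROLE_DOC)
    print(src, credential_kind(c))  # env long-lived
```

Logging the `source` and `credential_kind` pair at the start of a run is a cheap way to spot, in CI or Tower output, when a job that should be running on a role has fallen back to exported long-lived keys.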

@sw360cab
Author

sw360cab commented Jun 6, 2018

Maybe also related to #30012

@ansibot
Contributor

ansibot commented Jun 6, 2018

@ansibot ansibot added affects_2.4 This issue/PR affects Ansible v2.4 aws bug This issue/PR relates to a bug. cloud module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. support:community This issue/PR relates to code supported by the Ansible community. traceback This issue/PR includes a traceback. labels Jun 6, 2018
@jborean93 jborean93 removed the needs_triage Needs a first human triage before being processed. label Jun 7, 2018
@ansibot ansibot added support:core This issue/PR relates to code supported by the Ansible Engineering Team. and removed support:community This issue/PR relates to code supported by the Ansible community. labels Sep 19, 2018
@s-hertel
Contributor

Looks unrelated to #30012, which was an issue fixed in 2014 to allow the module to use profiles.

@sw360cab This will be a problem with any module still using boto. I've updated your description to indicate this is a feature request to port the module from boto to boto3.

@s-hertel s-hertel added feature This issue/PR relates to a feature request. and removed bug This issue/PR relates to a bug. labels Sep 19, 2018
@ansibot ansibot added needs_maintainer Ansibot is unable to identify maintainers for this PR. (Check `author` in docs or BOTMETA.yml) support:community This issue/PR relates to code supported by the Ansible community. and removed support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Oct 5, 2018
@ansibot ansibot removed the needs_maintainer Ansibot is unable to identify maintainers for this PR. (Check `author` in docs or BOTMETA.yml) label Nov 9, 2018
@ansibot
Contributor

ansibot commented Jan 31, 2020

@dhikrahashim

dhikrahashim commented Aug 12, 2020

Any fix for this? I am able to use a profile and able to run the command. But the same playbook is not working in Ansible Tower. I used AWS creds and a profile in Tower; it is not working.

Tower dynamic inventory is working using an IAM role ARN.

@ansibot
Contributor

ansibot commented Aug 12, 2020

Thank you very much for your interest in Ansible. Ansible has migrated much of the content into separate repositories to allow for more rapid, independent development. We are closing this issue/PR because this content has been moved to one or more collection repositories.

For further information, please see:
https://github.com/ansible/ansibullbot/blob/master/docs/collection_migration.md

@ansible ansible locked and limited conversation to collaborators Sep 9, 2020
5 participants