ec2_metadata_facts reports wrong role name with _expiration suffix #45228

Closed
gchiesa opened this issue Sep 5, 2018 · 5 comments · Fixed by #45534 or #49113
Labels
affects_2.6 This issue/PR affects Ansible v2.6 aws bug This issue/PR relates to a bug. cloud module This issue/PR relates to a module. support:core This issue/PR relates to code supported by the Ansible Engineering Team.

Comments


gchiesa commented Sep 5, 2018

SUMMARY

The ec2_metadata_facts module reports a wrong role name

ISSUE TYPE

  • Bug Report

COMPONENT NAME

ec2_metadata_facts.py

ANSIBLE VERSION

ansible 2.6.3
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /bin/ansible
  python version = 2.7.5 (default, Jul 13 2018, 13:06:57) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]

CONFIGURATION

DEFAULT_LOG_PATH(/etc/ansible/ansible.cfg) = /var/log/ansible.log

OS / ENVIRONMENT

CentOS Linux release 7.5.1804 (Core)

STEPS TO REPRODUCE

Start an AWS EC2 instance with an instance profile (role) attached
Install ansible 2.6.3 with pip
Run the commands:

ansible localhost -m ec2_metadata_facts | grep instance_profile

EXPECTED RESULTS

We expect to get the role associated to the instance, with a similar output:

 [WARNING]: Unable to parse /etc/ansible/hosts as an inventory source
 [WARNING]: No inventory was parsed, only implicit localhost is available
 [WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
        "ansible_ec2_iam_instance_profile_role": "<ROLE_NAME>", 

ACTUAL RESULTS

It reports instead the <ROLE_NAME>_expiration

 [WARNING]: Unable to parse /etc/ansible/hosts as an inventory source
 [WARNING]: No inventory was parsed, only implicit localhost is available
 [WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
        "ansible_ec2_iam_instance_profile_role": "<ROLE_NAME>_expiration", 

This is due to the changes introduced with this commit:
bed5f73#diff-6b099934176f95df43f465d4ea00b635


ansibot commented Sep 5, 2018

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


ansibot commented Sep 5, 2018

Hi @gchiesa,

Thank you for the issue, just so you are aware we have a dedicated Working Group for aws.
You can find other people interested in this in #ansible-aws on Freenode IRC
For more information about communities, meetings and agendas see https://github.com/ansible/community


@ansibot ansibot added affects_2.6 This issue/PR affects Ansible v2.6 aws bug This issue/PR relates to a bug. cloud module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Sep 5, 2018
@bcoca bcoca removed the needs_triage Needs a first human triage before being processed. label Sep 6, 2018
@roadmapper

Sorry for the delay in checking this, but I now understand that the underscore check was there to prevent the keys (accesskeyid, code, expiration, lastupdated, secretaccesskey, tokentype) from the JSON dictionary after the IAM role (169.254.169.254/latest/meta-data/iam/security-credentials/<role name>) from leaking into the check to parse out the IAM role name. I've identified a fix for this.

@roman-vynar

It is still broken. Now the role is set to the profile name instead of a role name, please see #45534 (comment)
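
Added example, not part of the thread and not the module's code: it contrasts recovering the role name by stripping credential-field suffixes from flattened fact names with reading it from the iam/security-credentials/ listing, and reads the instance profile name separately from iam/info. The fact-name prefix, the role "backup_code", the profile "web-profile" and all sample bodies are constructed assumptions.

```python
import json

# Credential-document field names as listed in the comment above (lowercased).
CREDENTIAL_FIELDS = ("accesskeyid", "code", "expiration", "lastupdated",
                     "secretaccesskey", "tokentype")
# Assumed shape of the flattened fact names; not copied from the module.
PREFIX = "ansible_ec2_iam_security_credentials_"

# Constructed sample data: role "backup_code" attached via profile "web-profile".
SAMPLE_FACTS = {
    PREFIX + "backup_code": "{...}",
    PREFIX + "backup_code_accesskeyid": "REDACTED",
    PREFIX + "backup_code_expiration": "2018-09-05T18:00:00Z",
    "ansible_ec2_instance_id": "i-00000000000000000",
}
SAMPLE_LISTING = "backup_code\n"   # body of iam/security-credentials/
SAMPLE_INFO = json.dumps({         # body of iam/info
    "Code": "Success",
    "InstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/web-profile",
})


def roles_from_flat_keys(facts):
    """Suffix stripping on fact names; ambiguous when a role name ends in a field name."""
    candidates = set()
    for key in facts:
        if not key.startswith(PREFIX):
            continue
        name = key[len(PREFIX):]
        for field in CREDENTIAL_FIELDS:
            if name.endswith("_" + field):
                name = name[: -len(field) - 1]
                break
        candidates.add(name)
    return sorted(candidates)


def roles_from_listing(body):
    """Role names from the listing endpoint, one per line; no credential data is read."""
    return [line.strip() for line in body.splitlines() if line.strip()]


def profile_from_info(body):
    """Instance profile name (not the role name) from InstanceProfileArn."""
    arn = json.loads(body)["InstanceProfileArn"]
    return arn.split(":instance-profile/", 1)[1].rsplit("/", 1)[-1]


if __name__ == "__main__":
    print(roles_from_flat_keys(SAMPLE_FACTS), roles_from_listing(SAMPLE_LISTING),
          profile_from_info(SAMPLE_INFO))
```

The key-name heuristic yields two candidates for one role, while the listing yields exactly one and never touches the dictionary that holds the secret key.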
