
iam_role not idempotent #70161

Closed
mdavis-xyz opened this issue Jun 19, 2020 · 4 comments
Labels
affects_2.9 This issue/PR affects Ansible v2.9 aws bug This issue/PR relates to a bug. cloud collection:community.aws collection Related to Ansible Collections work module This issue/PR relates to a module. needs_collection_redirect https://github.com/ansible/ansibullbot/blob/master/docs/collection_migration.md python3 support:community This issue/PR relates to code supported by the Ansible community. traceback This issue/PR includes a traceback.

Comments

@mdavis-xyz
Contributor

SUMMARY

If I try to create an IAM role, I can.
When I run the task a second time, it fails, because I don't have iam:UpdateAssumeRolePolicy permissions in my IAM role.

But if the role policy document hasn't changed, I shouldn't need iam:UpdateAssumeRolePolicy.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

iam_role

ANSIBLE VERSION
$ ansible --version
ansible 2.9.0
  config file = /home/ec2-user/.ansible.cfg
  configured module search path = ['/home/ec2-user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ec2-user/.local/lib/python3.6/site-packages/ansible
  executable location = /home/ec2-user/.local/bin/ansible
  python version = 3.6.10 (default, Feb 10 2020, 19:55:14) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]

Note that I tried to reproduce this off the devel branch, but got

ERROR! couldn't resolve module/action 'iam_role'. This often indicates a misspelling, missing collection, or incorrect module path.

It seems that all the cloud modules have been removed from devel?
link
Is that deliberate?

CONFIGURATION
ANSIBLE_PIPELINING(/home/ec2-user/.ansible.cfg) = True
DEFAULT_LOCAL_TMP(/home/ec2-user/.ansible.cfg) = /dev/shm/ansible/tmp_local/ansible-local-12013vjaxtg0x
OS / ENVIRONMENT

Amazon Linux

STEPS TO REPRODUCE
---
- hosts: localhost
  connection: local
  tasks:
  - name: "Create role for SMS logging"
    iam_role:
      name: SNSSMSDeliveryStatusLogging
      assume_role_policy_document: 
        Statement:
        - Action:
          - "sts:AssumeRole"
          Effect: Allow
          Principal:
            Service:
            - "sns.amazonaws.com"
      managed_policy:
        # let SNS log to CloudWatch
        - "arn:aws:iam::aws:policy/service-role/AmazonSNSRole"
      boundary: "arn:aws:iam::aws:policy/PowerUserAccess" # should be "{{ boundary_policy_arn }}"
      create_instance_profile: False # must be false when assigning a boundary policy

Run this playbook twice, running this as an IAM role with iam:UpdateAssumeRolePolicy denied.

EXPECTED RESULTS

The playbook should succeed. The first run creates the role. The second run does nothing.

ACTUAL RESULTS

The first run successfully creates the role.
When I try the second time:

TASK [Create role for SMS logging] *****************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the UpdateAssumeRolePolicy operation: User: arn:aws:sts::123456:assumed-role/deployer/i-abc is not authorized to perform: iam:UpdateAssumeRolePolicy on resource: role SNSSMSDeliveryStatusLogging
fatal: [localhost]: FAILED! => changed=false 
  error:
    code: AccessDenied
    message: 'User: arn:aws:sts::123456:assumed-role/deployer/i-abc is not authorized to perform: iam:UpdateAssumeRolePolicy on resource: role SNSSMSDeliveryStatusLogging'
    type: Sender
  msg: 'Unable to update assume role policy for role SNSSMSDeliveryStatusLogging: An error occurred (AccessDenied) when calling the UpdateAssumeRolePolicy operation: User: arn:aws:sts::123456:assumed-role/deployer/i-abcd is not authorized to perform: iam:UpdateAssumeRolePolicy on resource: role SNSSMSDeliveryStatusLogging'
  response_metadata:
    http_headers:
      content-length: '420'
      content-type: text/xml
      date: Fri, 19 Jun 2020 05:46:33 GMT
      x-amzn-requestid: 576771dd-620d-4ed9-b3e1-d9638f879437
    http_status_code: 403
    request_id: 576771dd-620d-4ed9-b3e1-d9638f879437
    retry_attempts: 0

I wondered whether it's because assume_role_policy_document converts the yaml to json in a non-deterministic way. When I extracted that policy into json and did lookup('file', 'policy.json'), the result is the same. So I don't think that's the cause.
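The check the report is asking for, as an added example that is not code from the issue, from the Ansible iam_role module, or from the community.aws collection: read the role's current trust policy, normalise it and the desired document into a canonical form, and issue UpdateAssumeRolePolicy only when the two differ. Keeping that call off the unchanged path matters beyond idempotence: a deployer principal that can create roles but cannot rewrite trust policies is a sensible least-privilege control, because changing who may assume a role is a privilege-escalation path. The boto3 call shapes (get_role, update_assume_role_policy) and the FakeIAM stand-in are assumptions so the example runs offline; the stored-policy sample is constructed to look like what IAM hands back (Version filled in, single strings instead of one-element lists, keys reordered, URL-encoded as the raw API returns it; boto3 decodes it into a dict for you, and the normaliser accepts both forms).

```python
"""Idempotent trust-policy update for an IAM role (added example; boto3 call
shapes assumed, FakeIAM stands in for the real client so it runs offline)."""
import json
from urllib.parse import quote, unquote

# Policy fields IAM accepts either as one string or as a list of strings.
_LIST_OR_STRING = {"Action", "NotAction", "Resource", "NotResource",
                   "AWS", "Service", "Federated", "CanonicalUser"}

ROLE_NAME = "SNSSMSDeliveryStatusLogging"

# Desired trust policy, as the playbook in the report expresses it (YAML -> dict).
DESIRED_TRUST_POLICY = {
    "Statement": [{
        "Action": ["sts:AssumeRole"],
        "Effect": "Allow",
        "Principal": {"Service": ["sns.amazonaws.com"]},
    }]
}

# Constructed stand-in for what IAM returns after the first run: same meaning,
# Version filled in, strings instead of one-element lists, keys reordered,
# and URL-encoded the way the raw API (not boto3) hands it back.
STORED_TRUST_POLICY = quote(json.dumps({
    "Version": "2008-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "sns.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}))


def normalize_policy(doc):
    """Canonical form of a policy document given as dict, JSON, or URL-encoded JSON.

    Keys sorted, string-or-list fields always lists, lists order-insensitive,
    a single Statement object wrapped in a list, and a missing Version set to
    IAM's documented default of 2008-10-17.
    """
    if isinstance(doc, str):
        doc = json.loads(unquote(doc))

    def canon(node, key=None):
        if isinstance(node, dict):
            return {k: canon(v, k) for k, v in sorted(node.items())}
        if isinstance(node, list):
            items = [canon(v) for v in node]  # elements keep their own shape
            return sorted(items, key=lambda x: json.dumps(x, sort_keys=True))
        if key in _LIST_OR_STRING and isinstance(node, str):
            return [node]
        return node

    doc = dict(doc)
    doc.setdefault("Version", "2008-10-17")
    if isinstance(doc.get("Statement"), dict):
        doc["Statement"] = [doc["Statement"]]
    return canon(doc)


def policies_equal(a, b):
    """True when two policy documents mean the same thing to IAM."""
    return normalize_policy(a) == normalize_policy(b)


class FakeIAM:
    """Minimal stand-in for a boto3 IAM client (constructed for this example).
    Holds one role's trust policy and counts UpdateAssumeRolePolicy calls."""

    def __init__(self, role_name, stored_doc):
        self.roles = {role_name: stored_doc}
        self.update_calls = 0

    def get_role(self, RoleName):
        return {"Role": {"RoleName": RoleName,
                         "AssumeRolePolicyDocument": self.roles[RoleName]}}

    def update_assume_role_policy(self, RoleName, PolicyDocument):
        self.update_calls += 1
        self.roles[RoleName] = PolicyDocument


def ensure_assume_role_policy(iam, role_name, desired):
    """Make `desired` the role's trust policy; return True only if a change was made.
    When the stored policy already matches, UpdateAssumeRolePolicy is never called,
    so a deployer principal denied that action still succeeds on re-runs."""
    current = iam.get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]
    if policies_equal(current, desired):
        return False
    iam.update_assume_role_policy(RoleName=role_name,
                                  PolicyDocument=json.dumps(desired))
    return True


def run_demo():
    """Second playbook run (no change) followed by a genuine change."""
    iam = FakeIAM(ROLE_NAME, STORED_TRUST_POLICY)
    unchanged = ensure_assume_role_policy(iam, ROLE_NAME, DESIRED_TRUST_POLICY)
    widened = json.loads(json.dumps(DESIRED_TRUST_POLICY))  # deep copy
    widened["Statement"][0]["Principal"]["Service"].append("lambda.amazonaws.com")
    changed = ensure_assume_role_policy(iam, ROLE_NAME, widened)
    return unchanged, changed, iam.update_calls


if __name__ == "__main__":
    print(run_demo())  # (False, True, 1)
```

The normaliser is what makes the comparison honest: IAM does not store the document byte-for-byte, so a naive string or dict equality against the playbook's YAML would report a diff on every run and put you straight back into the UpdateAssumeRolePolicy call the report is trying to avoid.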

@ansibot
Contributor

ansibot commented Jun 19, 2020

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.


@ansibot
Contributor

ansibot commented Jun 19, 2020

@mlda065, just so you are aware we have a dedicated Working Group for aws.
You can find other people interested in this in #ansible-aws on Freenode IRC
For more information about communities, meetings and agendas see https://github.com/ansible/community


@ansibot ansibot added affects_2.9 This issue/PR affects Ansible v2.9 aws bug This issue/PR relates to a bug. cloud collection Related to Ansible Collections work collection:community.aws module This issue/PR relates to a module. needs_collection_redirect https://github.com/ansible/ansibullbot/blob/master/docs/collection_migration.md needs_triage Needs a first human triage before being processed. python3 support:community This issue/PR relates to code supported by the Ansible community. traceback This issue/PR includes a traceback. labels Jun 19, 2020
@mkrizek
Contributor

mkrizek commented Jun 19, 2020

Thank you very much for your interest in Ansible. This plugin is no longer maintained in this repository and has been migrated to https://github.com/ansible-collections/community.aws.

Please re-submit this issue in the above repository.

If you have further questions please stop by IRC or the mailing list:

@mkrizek mkrizek closed this as completed Jun 19, 2020
@mkrizek mkrizek removed the needs_triage Needs a first human triage before being processed. label Jun 19, 2020
@mdavis-xyz
Contributor Author

There's no Ansibot in the new repo, and it seems I can't tag the original author from that thread either, probably because the author hasn't yet 'joined' the repo.

@wimnat can you please have a look at ansible-collections/community.aws#115 and comment on it?

(Not sure if you're aware, but apparently all AWS Ansible modules have been moved to that other repo.)

@ansible ansible locked and limited conversation to collaborators Jul 17, 2020