Add boto3 session cache #24582

Closed
wants to merge 3 commits into from

mixja
Contributor

@mixja mixja commented May 14, 2017

SUMMARY

This PR provides a session cache for boto3 assume role provider.

This is useful if you use AWS CLI profiles locally and use MFA when running Ansible locally, and don't want to have to input your MFA token each time you run your playbook.

Note that this cache is only invoked if boto3 invokes the assume-role provider, hence it does not affect operation if you have configured AWS credentials that don't require role assumption.

ISSUE TYPE
  • Feature Pull Request
COMPONENT NAME

ec2 utils

ANSIBLE VERSION
ansible 2.4.0
  config file =
  configured module search path = [u'/Users/jmenga/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python2.7/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 2.7.13 (default, Dec 18 2016, 07:03:39) [GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.42.1)]
ADDITIONAL INFORMATION

Before this PR:

$ ansible-playbook site.yml 
PLAY [Test Play]

TASK [Execute a boto3 based module] ***************************************
Enter MFA code: *****
ok: [localhost]

PLAY RECAP ************************************************************************************
localhost                     : ok=1   changed=1    unreachable=0    failed=0

# Re-running the playbook requires you to enter your MFA token every time
$ ansible-playbook site.yml 
PLAY [Test Play]

TASK [Execute a boto3 based module] ***************************************
Enter MFA code: *****
ok: [localhost]

PLAY RECAP ************************************************************************************
localhost                     : ok=1   changed=1    unreachable=0    failed=0

After this PR:

$ ansible-playbook site.yml 
PLAY [Test Play]

TASK [Execute a boto3 based module] ***************************************
Enter MFA code: *****
ok: [localhost]

PLAY RECAP ************************************************************************************
localhost                     : ok=1   changed=1    unreachable=0    failed=0

# We can now run the playbook without MFA for up to the temporary session credential lifetime (typically one hour)
$ ansible-playbook site.yml 
PLAY [Test Play]

TASK [Execute a boto3 based module] ***************************************
ok: [localhost]

PLAY RECAP ************************************************************************************
localhost                     : ok=1   changed=1    unreachable=0    failed=0

@ansibot
Contributor

ansibot commented May 14, 2017

@ansibot ansibot added affects_2.4 This issue/PR affects Ansible v2.4 aws c:module_utils/ cloud feature_pull_request needs_triage Needs a first human triage before being processed. labels May 14, 2017
@ansibot
Contributor

ansibot commented May 14, 2017

The test ansible-test sanity --test pep8 failed with the following errors:

lib/ansible/module_utils/ec2.py:67:1: W293 blank line contains whitespace
lib/ansible/module_utils/ec2.py:153:1: W293 blank line contains whitespace


@ansibot ansibot added the needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. label May 14, 2017
@ansibot ansibot removed the needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. label May 14, 2017
@bcoca bcoca removed the needs_triage Needs a first human triage before being processed. label May 15, 2017
@ansibot ansibot added stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Jun 23, 2017
@ryansb ryansb self-requested a review August 4, 2017 18:23
@ansibot ansibot removed the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Aug 4, 2017
@ansibot ansibot added the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Aug 16, 2017
@ansibot ansibot added needs_rebase https://docs.ansible.com/ansible/devel/dev_guide/developing_rebasing.html needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels Oct 4, 2017
@ansibot ansibot added feature This issue/PR relates to a feature request. and removed feature_pull_request labels Mar 2, 2018
@ansibot ansibot added support:community This issue/PR relates to code supported by the Ansible community. and removed support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Sep 18, 2018
@ansibot ansibot added support:core This issue/PR relates to code supported by the Ansible Engineering Team. and removed support:community This issue/PR relates to code supported by the Ansible community. labels Dec 15, 2018
@dsouzajude

Any update on this feature?

@michalgasek

I am interested in this also, any updates?

@mixja
Contributor Author

mixja commented Mar 20, 2019

boto3 now includes native support for the session cache, would make sense to leverage that

@dsouzajude

dsouzajude commented Mar 27, 2019

Any updates yet? We'd like ansible to make boto use the awscli credential cache so we're not asked to provide mfa tokens repeatedly. The solution is already present here! Needs review and merging!

os.makedirs(self._working_dir)
with os.fdopen(os.open(full_key,
os.O_WRONLY | os.O_CREAT, 0o600), 'w') as f:
f.truncate()
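
Review bot: in the `os.open(full_key, os.O_WRONLY | os.O_CREAT, 0o600)` call the `0o600` mode is applied only when the file is created, so a cache file that already exists with a wider mode keeps it, and `os.makedirs(self._working_dir)` on the line above creates the directory with the default mode. Because the file stores session credentials, pass `0o700` to `os.makedirs` and call `os.fchmod` on the descriptor after opening. The flags also lack `os.O_TRUNC`, so `f.truncate()` is the only thing that clears a longer previous entry; putting `os.O_TRUNC` in the flags would make that part of the open.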
Contributor

f is already at 0, the truncate() is useless.

@s-hertel s-hertel requested review from s-hertel and removed request for ryansb March 27, 2019 15:43
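
An added example (not the PR's code, and not botocore's `JSONFileCache`) of the cache write path discussed in this review thread: it opens with `O_TRUNC`, re-applies `0o600` to a pre-existing file, and creates the directory `0o700`. The class name `PrivateJSONFileCache`, the `demo` helper and the sample token values are assumptions made up for illustration.

```python
import json
import os
import stat
import tempfile


class PrivateJSONFileCache(object):
    """Hypothetical dict-like credential cache; names are illustrative only."""

    def __init__(self, working_dir):
        self._working_dir = working_dir

    def _path(self, key):
        # Keys become file names, so reject anything that could leave the directory.
        if not key or os.sep in key or key.startswith('.'):
            raise ValueError('unsafe cache key: %r' % key)
        return os.path.join(self._working_dir, key + '.json')

    def __contains__(self, key):
        return os.path.isfile(self._path(key))

    def __getitem__(self, key):
        try:
            with open(self._path(key)) as f:
                return json.load(f)
        except (OSError, IOError, ValueError):
            raise KeyError(key)

    def __setitem__(self, key, value):
        path = self._path(key)
        data = json.dumps(value)  # serialise first so a failure leaves the old entry
        if not os.path.isdir(self._working_dir):
            os.makedirs(self._working_dir, 0o700)
        # O_TRUNC drops a longer old entry; O_NOFOLLOW (where present) refuses a symlink.
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, 'O_NOFOLLOW', 0)
        with os.fdopen(os.open(path, flags, 0o600), 'w') as f:
            # The mode argument only applies on creation, so tighten existing files.
            os.fchmod(f.fileno(), 0o600)
            f.write(data)


def demo():
    """Overwrite a long, world-readable entry with a short one; return (value, mode)."""
    cache = PrivateJSONFileCache(os.path.join(tempfile.mkdtemp(), 'cache'))
    cache['role'] = {'Token': 'x' * 64}      # constructed sample value
    os.chmod(cache._path('role'), 0o644)     # simulate a loosely created file
    cache['role'] = {'Token': 'y'}
    mode = stat.S_IMODE(os.stat(cache._path('role')).st_mode)
    return cache['role'], mode
```

`os.fchmod` is a POSIX call, so this sketch assumes a Unix-like control machine.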
@@ -58,6 +60,48 @@ class AnsibleAWSError(Exception):
pass


class JSONFileCache(object):
Contributor

Could you instead reuse the version from botocore?: https://github.com/boto/botocore/blob/develop/botocore/credentials.py#L182-L224

@@ -58,6 +60,48 @@ class AnsibleAWSError(Exception):
pass


class JSONFileCache(object):
Contributor

There's a code snippet from mixja in boto/botocore#1157 (comment) that looks like a good way to go about this. Ideally this would be enabled for boto3 via config (here are a couple issues tracking that boto/boto3#1179, boto/botocore#1148) and require minimal if any code changes to Ansible. It appears other SDKs keeping parity may be part of the hold-up for that though.

@jankeesvanandel

What's the status of this PR? It's really annoying having to type the token each time I run a script.

@willthames
Contributor

@jankeesvanandel the status is that the feedback hasn't been addressed and it needs rebasing to avoid merge conflicts.

If you're happy with the code you can just use the file in your own environment:

http://willthames.github.io/2017/12/12/using-updated-modules-with-stable-ansible.html

@gundalow
Contributor

This PR has needed a rebase since October 2017.

@jankeesvanandel Would you be interested in creating a fresh PR for this?

@gundalow gundalow closed this Sep 19, 2019
@ansible ansible locked and limited conversation to collaborators Oct 22, 2019
Labels
affects_2.4 This issue/PR affects Ansible v2.4 aws c:module_utils/ cloud feature This issue/PR relates to a feature request. module_utils/ needs_rebase https://docs.ansible.com/ansible/devel/dev_guide/developing_rebasing.html needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. support:core This issue/PR relates to code supported by the Ansible Engineering Team.