Fix lambda_event AWS account_id query to work with AWS role #60645

Open
wants to merge 1 commit into
base: devel
from


@bfloyd89
Contributor

commented Aug 15, 2019

SUMMARY

Fixes lambda_event module to be able to query AWS account id when AWS role is used for AWS access keys instead of AWS user.

I ran into an issue where the aws account query against IAM works when AWS credentials are gotten from a user but when I use a role I get error "botocore.exceptions.ClientError: An error occurred (ValidationError) when calling the GetUser operation: Must specify userName when calling with non-User credentials". Looking at the sts docs https://docs.aws.amazon.com/cli/latest/reference/sts/get-caller-identity.html, the get_caller_identity function does not require any specific AWS permissions so I think it is a good alternative.

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

lambda_event

ADDITIONAL INFORMATION
[bfloyd@xxx ansible]$ python2.7
Python 2.7.6 (default, Jun 20 2014, 10:16:54)
[GCC 4.4.6 20120305 (Red Hat 4.4.6-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import boto3
>>> print boto3.client('iam').get_user()
{u'User': {u'UserName': 'bfloyd', u'PasswordLastUsed': datetime.datetime(2018, 1, 9, 16, 51, 36, tzinfo=tzlocal()), u'CreateDate': datetime.datetime(2013, 8, 29, 17, 35, 33, tzinfo=tzlocal()), u'UserId': 'AIDAIO4UAWJTZFYA5GBLE', u'Path': '/', u'Arn': 'arn:aws:iam::230700467799:user/bfloyd'}, 'ResponseMetadata': {'RetryAttempts': 0, 'HTTPStatusCode': 200, 'RequestId': '36c19751-bf70-11e9-b14f-f1ca31a7cdab', 'HTTPHeaders': {'x-amzn-requestid': '36c19751-bf70-11e9-b14f-f1ca31a7cdab', 'date': 'Thu, 15 Aug 2019 15:20:28 GMT', 'content-length': '525', 'content-type': 'text/xml'}}}
>>> exit()
[bfloyd@xxx ansible]$ source ~/aws_creds_role
[bfloyd@xxx ansible]$ python2.7
Python 2.7.6 (default, Jun 20 2014, 10:16:54)
[GCC 4.4.6 20120305 (Red Hat 4.4.6-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import boto3
>>> print boto3.client('iam').get_user()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python2.7/site-packages/botocore/client.py", line 661, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (ValidationError) when calling the GetUser operation: Must specify userName when calling with non-User credentials
>>> exit()
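
An added example, not code from this pull request or from the lambda_event module: the two lookups discussed above side by side, run against constructed stand-ins for boto3 clients holding assumed-role credentials. The helper names, the fake clients, the account id 123456789012 and the STS-first-then-IAM fallback order are assumptions made for illustration.

```python
"""Added example: resolve the AWS account id for user or role credentials."""
try:
    from botocore.exceptions import ClientError
except ImportError:  # stand-in with the same constructor so the demo runs offline
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            self.response = error_response
            self.operation_name = operation_name
            super().__init__(error_response["Error"]["Message"])


def account_id_via_iam(iam):
    """IAM lookup: parse the account id out of the caller's IAM user ARN."""
    return iam.get_user()["User"]["Arn"].split(":")[4]


def account_id_via_sts(sts):
    """STS lookup: GetCallerIdentity returns the account id directly."""
    return sts.get_caller_identity()["Account"]


def get_account_id(sts, iam):
    """Prefer STS; fall back to IAM only if the STS call itself fails."""
    try:
        return account_id_via_sts(sts)
    except ClientError:
        return account_id_via_iam(iam)


# --- Constructed stand-ins for boto3 clients under assumed-role credentials ---
class FakeRoleSts:
    def get_caller_identity(self):
        return {"Account": "123456789012", "UserId": "AROAEXAMPLE:session",
                "Arn": "arn:aws:sts::123456789012:assumed-role/deploy/session"}


class FakeRoleIam:
    def get_user(self):  # same error code and message as the traceback above
        raise ClientError({"Error": {"Code": "ValidationError", "Message":
            "Must specify userName when calling with non-User credentials"}}, "GetUser")


def demo():
    """Return (IAM-only outcome, STS-first outcome) for role credentials."""
    try:
        via_iam = account_id_via_iam(FakeRoleIam())
    except ClientError as exc:
        via_iam = exc.response["Error"]["Code"]
    return via_iam, get_account_id(FakeRoleSts(), FakeRoleIam())
```

With real credentials the same helper would be called as `get_account_id(boto3.client("sts"), boto3.client("iam"))`.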
@ansibot

Contributor

commented Aug 15, 2019

@bfloyd89, just so you are aware we have a dedicated Working Group for aws.
You can find other people interested in this in #ansible-aws on Freenode IRC
For more information about communities, meetings and agendas see https://github.com/ansible/community
