New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
s3.get module not working due to invalid role_arn handling #30899
Comments
@kluoto, thanks for the report. Will you also post the command line you are using that results in this error? |
|
@jfindlay This was part of my orchestration. State part that failed was: download_the_pkg_file:
module.run:
- name: s3.get
- bucket: {{ bucket }}
- location: {{ aws_location }}
- path: {{ pkg_file }}
- local_file: {{ local_pkg_file }} I made quick patch to my system by adding line: if not role_arn:
role_arn = None to end of the _get_key function in salt/modules/s3.py |
@timcharper, do you have any ideas on this one? |
I am so, so ashamed of myself. Sorry. Ugh. I suck. I tested the role_arn assumption because that is what my environment uses, but I didn't think to test that it worked with a role_arn. I'll get a patch fixing this today, and a workaround. (maybe a sed script to patch salt). Seriously sorry about this. |
If the s3.role_arn isn't set, it looks like config.option just returns an empty string. Changing
to
does the trick for me (similar to fix from @kluoto above), but perhaps there's a better fix... This sed does it...
Do the other checks in that function on the config.options need to be changed to? |
Still looking at this. Present question, why is |
My mistake was assuming that the |
added a regression test |
I had the assumption that the reason why s3.role_arn: # nothing here lol But that turned out to be wrong. I'm not sure why This issue should be able to be worked around by simply adding this to your minion config (I believe this value can be propagate through pillar data, as well). You shouldn't need to edit the code. s3.role_arn: That will cause Again, to the thousands of people I probably inconvenienced by this mistake: I'm sorry. |
more oddities (at least I find it odd): adding s3.role_arn on a masterless does not fix it: masterful minion:
masterless minion
even more odd, on a masterless if you config.option just s3, it does return None for role_arn
|
Sorry, I am a bonehead. The masterful was returning None because I had created a pillar to assign s3.role_arn already (sigh). A masterless with a pillar containing an empty s3.role_arn returns None as well. Adding it to the minion config only in either scenario returns an empty string. Not sure if that is "as expected" or not... |
@lomeroe I've confirmed, locally, that adding the line |
@timcharper your right, using a single line as opposed to how I originally entered it in an included conf file above does indeed return None |
@timcharper, thanks for your work on this. |
@timcharper Defining a blank s3.role_arn fixes the issue when I run highstate directly on the minion but fails during s3.get when I execute a highstate from the master. I don't understand what would cause that |
Salt version 2015.8.4
2016-02-04 14:29:27,694 [salt.utils.aws ][INFO ][11995] AssumeRole response: {"Error":{"Code":"SignatureDoesNotMatch","Message":"Credential should be scoped to a valid region, not 'eu-central-1'. ","Type":"Sender"},"RequestId":"b225b6f9-cb4b-11e5-8724-17b3d4e5f0fc"}
2016-02-04 14:29:27,695 [salt.state ][ERROR ][11995] Module function s3.get threw an exception. Exception: 403 Client Error: Forbidden
Reason for the problem:
The text was updated successfully, but these errors were encountered: