Home / server / Questions / 819239
Accepted
M. Glatki
Asked: 2016-12-08 02:24:54 +0800 CST

How to use a AWS EC2 Iam role with Ansible

  • 772

I am running Ansible on an EC2 instance with an assigned Iam role. I am running this playbook:

$ cat s3.yaml
---
- hosts: localhost
  remote_user: ec2-user
  tasks:
    - name: download ec2.py from s3
      s3:
        bucket: mybucket
        object: /ec2.py
        dest: /tmp/ec2.py
        mode: get

Running it with -vvv provides this error message:

fatal: [localhost]: FAILED! => {
    "changed": false, 
    "failed": true, 
    "invocation": {
        "module_args": {
            "aws_access_key": null, 
            "aws_secret_key": null, 
            "bucket": "mybucket", 
            "dest": "/tmp/ec2.py", 
            "ec2_url": null, 
            "encrypt": true, 
            "expiry": "600", 
            "headers": null, 
            "marker": null, 
            "max_keys": "1000", 
            "metadata": null, 
            "mode": "get", 
            "object": "/ec2.py", 
            "overwrite": "always", 
            "permission": [
                "private"
            ], 
            "prefix": null, 
            "profile": null, 
            "region": null, 
            "retries": 0, 
            "rgw": false, 
            "s3_url": null, 
            "security_token": null, 
            "src": null, 
            "validate_certs": true, 
            "version": null
        }, 
        "module_name": "s3"
    }, 
    "msg": "Source bucket cannot be found"
}

According to documentation, Ansible with boto should be able to pick up the EC2 instance role.

So far I have:

  • Tried the documentation, which implies that it should just work.
  • Verified my boto version is new enough (boto 2.42)
  • Verified the EC2 instance role has the correct permissions (aws s3 cp s3://mybucket/ec2.py /tmp/ec2.py works just fine)
  • Verified the EC2 instance credentials are available through curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access

This answered question and the documentation indicates that it is possible.

Can I accomplish this without making the instance credentials available to boto/ansible directly? If yes, how. The documentation seems a bit lacking.

amazon-ec2 amazon-web-services ansible ansible-playbook amazon-iam

2 Answers

  1. Best Answer

    After some more debugging and experimenting, I found the cause of the problem to be a bug in the Ansible S3 module.

    The ansible playbook I quoted in my original question only works if the IAM role has ListBucket permissions in addition to the GetObject permissions.

    • 1

  2. I am experiencing exactly the same problem. I found out that if I provide AWS access key ID and secret access key via ansible playbook, it will work and download the object from S3. Running it as an ansible command with keys provided in-line also works. Therefore, the message "Source bucket cannot be found" is misleading and this is due to Ansible not being able to use IAM role.

    There is a bug ticket in Ansible GitHub (I guess opened by the same author) but it is still not resolved.

    • 0