I have an ansible.pem to access EC2 instances through SSH, and have set up the AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY env variables (on my local machine) for command-line interaction using the awscli tools.
If my AWS keys do not have sufficient rights, the ec2_vol module fails to attach the EBS volume with this error:
TASK: [ebs | Attach an EBS volume] ********************************************
failed: [xx.xxx.xx.xxx] => {"failed": true, "parsed": false}
BECOME-SUCCESS-fdqcthxzjixxkijwubcwvbrpewsoddzq
Traceback (most recent call last):
File "/home/ubuntu/.ansible/tmp/ansible-tmp-1441346127.43-122295948181124/ec2_vol", line 2260, in <module>
main()
File "/home/ubuntu/.ansible/tmp/ansible-tmp-1441346127.43-122295948181124/ec2_vol", line 420, in main
reservation = ec2.get_all_instances(instance_ids=instance)
File "/usr/local/lib/python2.7/dist-packages/boto/ec2/connection.py", line 585, in get_all_instances
max_results=max_results)
File "/usr/local/lib/python2.7/dist-packages/boto/ec2/connection.py", line 681, in get_all_reservations
[('item', Reservation)], verb='POST')
File "/usr/local/lib/python2.7/dist-packages/boto/connection.py", line 1186, in get_list
raise self.ResponseError(response.status, response.reason, body)
boto.exception.EC2ResponseError: EC2ResponseError: 400 Bad Request
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>InvalidInstanceID.NotFound</Code><Message>The instance ID 'i-xxxxxx' does not exist</Message></Error></Errors><RequestID>742e5c72-211e-4c65-8f88-797b9b5f5e4f</RequestID></Response>
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/xxxxxx/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: auto-mux: Trying existing master
debug1: mux_client_request_session: master session id: 2
Shared connection to 54.203.61.209 closed.
The particular task that fails:
# Attach new EBS volume
- name: Attach an EBS volume
  ec2_vol:
    instance: "{{ansible_ec2_instance_id}}"
    volume_size: "{{ebs_volume_size}}"
    region: "{{ansible_ec2_placement_region}}"
    device_name: "sd{{next_ebs_device}}"
    aws_access_key: "{{aws_access_key}}"
    aws_secret_key: "{{aws_secret_key}}"
  register: ebs
Now, when I run this command from the command line:
aws ec2 describe-instances --output table --query 'Reservations[].Instances[].[InstanceId,InstanceType]'
I don't see the particular instance in the output, which confirms that the AWS keys do not have sufficient access rights or scope to access the instance.
So my question is: how can I validate that the AWS keys have sufficient access rights to specific AWS services?
What I tried is listing EBS volumes, e.g.:
- name: Validate AWS credentials
  ec2_vol:
    state: list
    instance: "{{ansible_ec2_instance_id}}"
    region: "{{ansible_ec2_placement_region}}"
    aws_access_key: "{{aws_access_key}}"
    aws_secret_key: "{{aws_secret_key}}"
  when: attach_ebs == True
  register: ebs_instances
However, this task does not give me any error as above; probably the list command requires a different level of access rights. What I was expecting was that it should also fail, as the instance in question is the same.
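An added preflight check, not part of the question and not Ansible's or boto's own code: it performs one DescribeInstances call with the keys under test and maps EC2's error code to what that code says about the keys. EC2 returns AuthFailure when the access key itself is rejected, UnauthorizedOperation when the key is valid but an IAM policy denies the action, and InvalidInstanceID.NotFound (the code in the traceback above) when the call is permitted but the instance is not visible to that account in that region, so the last one usually points at a key from a different account or a wrong region rather than a missing permission. A filtered DescribeVolumes, by contrast, returns an empty set rather than an error for an instance it cannot see, which is why a list task makes a poor probe. The `describe` callable, the `failing_describe` stub and the sample bodies are constructed assumptions; with real boto you would wrap ec2.get_all_instances and re-raise its EC2ResponseError as the EC2Error class below.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample in the same shape as the error body quoted in the
# question; the instance and request IDs are placeholders, not real values.
SAMPLE_NOT_FOUND_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<Response><Errors><Error><Code>InvalidInstanceID.NotFound</Code>"
    "<Message>The instance ID 'i-xxxxxx' does not exist</Message></Error>"
    "</Errors><RequestID>00000000-0000-0000-0000-000000000000</RequestID></Response>"
)

# What each EC2 client error code tells you about the keys in use
# (EC2's documented codes; the one-line readings are this example's own).
CAUSES = {
    "AuthFailure": "access key id or secret is not valid for any account",
    "UnauthorizedOperation": "key is valid but an IAM policy denies this action",
    "InvalidInstanceID.NotFound": (
        "action is allowed, but the instance is not visible with these keys "
        "in this region: check the account the keys belong to and the region"
    ),
}


class EC2Error(Exception):
    """Stand-in for boto's EC2ResponseError: HTTP status plus XML body."""

    def __init__(self, status: int, body: str):
        super().__init__("%d: %s" % (status, body))
        self.status = status
        self.body = body


def build_error_body(code: str, message: str) -> str:
    """Build an EC2-style error body (used here only to construct inputs)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        "<Response><Errors><Error><Code>%s</Code><Message>%s</Message></Error>"
        "</Errors><RequestID>00000000-0000-0000-0000-000000000000</RequestID></Response>"
        % (code, message)
    )


def parse_ec2_error(body: str) -> List[Dict[str, str]]:
    """Return the (code, message) pairs carried by an EC2 error response body."""
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError:
        return []  # not XML at all (e.g. an HTML error page from a proxy)
    return [
        {"code": e.findtext("Code", ""), "message": e.findtext("Message", "")}
        for e in root.iter("Error")
    ]


@dataclass
class PreflightResult:
    ok: bool
    cause: str


def preflight_describe_instance(
    describe: Callable[[str], list], instance_id: str
) -> PreflightResult:
    """Run describe(instance_id) once and explain the outcome.

    `describe` is whatever performs DescribeInstances with the keys under
    test (e.g. a wrapper around boto's get_all_instances); it must raise
    EC2Error on an API error and return the reservations otherwise.
    """
    try:
        reservations = describe(instance_id)
    except EC2Error as exc:
        errors = parse_ec2_error(exc.body)
        if not errors:
            return PreflightResult(False, "HTTP %d with no parsable error" % exc.status)
        code, message = errors[0]["code"], errors[0]["message"]
        return PreflightResult(False, CAUSES.get(code, "unexpected %s: %s" % (code, message)))
    if not reservations:
        return PreflightResult(False, "no error, but no reservation returned for the instance")
    return PreflightResult(True, "instance visible: keys can DescribeInstances on it")


def failing_describe(code: str, message: str) -> Callable[[str], list]:
    """Constructed stand-in for an API call that fails with the given EC2 error."""
    def _describe(instance_id: str) -> list:
        raise EC2Error(400, build_error_body(code, message))
    return _describe


if __name__ == "__main__":
    # Constructed scenarios; a real run would pass a boto-backed callable.
    scenarios = [
        ("not found", failing_describe("InvalidInstanceID.NotFound",
                                       "The instance ID 'i-xxxxxx' does not exist")),
        ("denied", failing_describe("UnauthorizedOperation",
                                    "You are not authorized to perform this operation.")),
        ("ok", lambda iid: [{"instances": [iid]}]),
    ]
    for label, fn in scenarios:
        print(label, preflight_describe_instance(fn, "i-xxxxxx"))
```

Running this as a separate play task (or locally before the play) with the same aws_access_key/aws_secret_key and region the ec2_vol task uses tells you, before any attach is attempted, whether the keys are rejected, denied by policy, or simply looking at the wrong account or region.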