Hi Andrew,

Instance profiles do work without any issues. From the error msg: Failed to
connect to S3: 'module' object has no attribute 'connect_to_region'

it seems like boto is not installed properly. How did you install boto? Can
you please try reinstalling boto and check?

- Benno


On Fri, Jun 19, 2015 at 9:51 AM, Andrew Burrow <
andrew.bur...@syntegrity.com.au> wrote:

> I am unable to make use of IAM roles in my Ansible playbooks.
> Specifically, I have authorised an EC2 instance to get from an S3 bucket,
> but I cannot work out how to make use of this authorisation from within
> Ansible.
>
>
> *The question*
>
> How do I write Ansible task(s) that satisfy all of the following:
>
>    1. Runs on an EC2 instance
>    2. Uses the IAM role defined on the EC2 instance to obtain
>    authorisation to access an S3 bucket
>    3. Gets a file from the S3 bucket
>
>
> *A work around*
>
> I can get the EC2 instance to download from S3, only by passing in my
> credentials as follows:
>
> - name: Download the part archive from S3
>   s3:
>    aws_access_key: "{{ lookup('env','aws_key') }}"
>    aws_secret_key: "{{ lookup('env','aws_secret') }}"
>    region: "{{ aws_packages_region }}"
>    bucket: "{{ aws_packages_bucket }}"
>    object: "/JI79IML/my_part_X86_64_c7.15.tar.gz"
>    dest: "/data/parts/JI79IML/my_part_X86_64_c7.15.tar.gz"
>    mode: get
>    overwrite: no
>
> However, I would rather not send my AWS credentials to the instance.
> Instead I have defined a role with the appropriate permissions to get files
> from the S3 bucket.
>
>
> *What I've tried*
>
> The top answer in the Stack Overflow question linked below suggests that
> it is a simple matter of leaving the secret access key parameters out, and
> letting the Boto library take care of assuming the role.
>
>    - http://stackoverflow.com/questions/28997757/ansible-and-s3-module
>
> However, when I try this with Ansible 1.8.4 and Boto 2.36.0 I get
>
> msg: No handler was ready to authenticate. 1 handlers were checked. ['HmacAuthV1Handler'] Check your credentials
>
> and with Ansible 1.9.1 and Boto 2.38.0 I get:
>
> msg: Failed to connect to S3: 'module' object has no attribute 'connect_to_region'
>
>
> *How I've confirmed the IAM role*
>
> To confirm that the IAM role is *sufficient*, I installed awscli on the
> EC2 instance and performed the download directly.  First, I assumed the role
>
> aws sts assume-role --role-arn "${ROLE_ARN}" --role-session-name "GettingMyPart"
>
> which returns an absolutely baffling error message that the user with the
> assumed role cannot assume the role?!?  But seems to do the trick, because
> I can then download the part
>
> aws s3api get-object --bucket "${BUCKET_NAME}" --key JI79IML/my_part_X86_64_c7.15.tar.gz my_part_X86_64_c7.15.tar.gz
>
> To confirm that the IAM role is *required*, I created another instance
> that does not enjoy a role and installed awscli on this second EC2
> instance and followed the above steps.  In each case, I got the message
> "Unable to locate credentials" as expected.
>
>  --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-project+unsubscr...@googlegroups.com.
> To post to this group, send email to ansible-project@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/550cc437-c0b2-4999-8710-cf87e28f45e6%40googlegroups.com
> For more options, visit https://groups.google.com/d/optout.
>
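
A way to check both halves of this thread on the instance itself, as an added example that is not part of either message: whether the Python interpreter loads a boto whose `boto.s3` exposes `connect_to_region`, and whether the metadata service advertises a role. The function names are hypothetical, and the script assumes the metadata endpoint answers without a session token (IMDSv1).

```python
import importlib
import json
import sys
from urllib.request import urlopen

# Well-known EC2 metadata path that lists the role attached through the instance profile.
IMDS_ROLE_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"


def check_boto(import_module=importlib.import_module):
    """Report which boto this interpreter loads and whether boto.s3 has connect_to_region."""
    try:
        boto = import_module("boto")
        s3 = import_module("boto.s3")
    except ImportError as exc:
        return {"ok": False, "reason": "import failed: %s" % exc}
    ok = hasattr(s3, "connect_to_region")
    return {
        "ok": ok,
        "version": getattr(boto, "__version__", "unknown"),
        # The path can expose a stale or shadowing copy of boto on this interpreter.
        "path": getattr(boto, "__file__", "unknown"),
        "reason": "" if ok else "boto.s3 lacks connect_to_region",
    }


def check_instance_role(fetch=None, timeout=2):
    """Return the role name the metadata service advertises, or None if there is none."""
    def default_fetch(url):
        return urlopen(url, timeout=timeout).read().decode()
    try:
        names = (fetch or default_fetch)(IMDS_ROLE_URL).split()
    except (OSError, ValueError):
        return None
    return names[0] if names else None


if __name__ == "__main__":
    report = {"python": sys.executable, "boto": check_boto(),
              "instance_role": check_instance_role()}
    print(json.dumps(report, indent=2))
```

Run it with the same interpreter Ansible uses on the EC2 instance (the one `ansible_python_interpreter` points to, if set), since the s3 module imports boto on that host.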
