I haven't done this myself, so everything I say may be wrong. The following is just from reading some doco and general experience.
Make sure you are running the latest and greatest versions of everything. In particular, the boto3 library. I don't know how to check that, but someone else here will. v4 keys have been around for a couple of years, so if you installed Ansible recently you should probably have the required versions.

Make sure you explicitly specify v4 keys when creating objects.

I would be looking at (probably) the values you are passing in to template_parameters.

It might also be worth seeing if you can create the desired change set manually, either via the console or via the AWS CLI, just to check you really do have the parameters right.

Regards, K.

On Sun, Jan 13, 2019 at 12:40 AM Kishore Ponniah <[email protected]> wrote:

> Hi Karl,
>
> Please find the playbook below:
>
> - name: create rxgt-ps-cross-account-iam-atlas-developer-roles changeset
>   cloudformation:
>     stack_name: "rxgt-ps-cross-account-iam-atlas-developer-roles"
>     state: present
>     region: "{{ account_config.1 }}"
>     aws_access_key: "{{ account_config.0.sts_creds.access_key }}"
>     aws_secret_key: "{{ account_config.0.sts_creds.secret_key }}"
>     security_token: "{{ account_config.0.sts_creds.session_token }}"
>     create_changeset: true
>     changeset_name: "{{ cf_changeset_name }}"
>     template_url: "https://s3-eu-west-1.amazonaws.com/xxxxxxxx/cloudformation/xxxxxx-developer-roles.yaml"
>     template_parameters: "{{ account_config.0.account_config.stacks['rxgt-ps-cross-account-iam-atlas-developer-roles'].params }}"
>     termination_protection: no
>     tags: "{{ global_tags | combine(account_config.0.account_config.stacks['rxgt-ps-cross-account-iam-atlas-developer-roles'].override_tags, recursive=True) }}"
>   loop: "{{ assumed_roles_with_account_config.results|subelements('account_config.regions', skip_missing=True) }}"
>   loop_control:
>     loop_var: account_config
>     label: "{{ account_config.0.account_config.account_alias }}:{{ account_config.1 }}"
>   tags: rxgt-ps-identity-stack-deploy
>
> - name: create rxgt-ps-cross-account-iam-atlas-developer-roles stack
>   cloudformation:
>     stack_name: "rxgt-ps-cross-account-iam-atlas-developer-roles"
>     state: present
>     region: "{{ account_config.1 }}"
>     aws_access_key: "{{ account_config.0.sts_creds.access_key }}"
>     aws_secret_key: "{{ account_config.0.sts_creds.secret_key }}"
>     security_token: "{{ account_config.0.sts_creds.session_token }}"
>     create_changeset: false
>     changeset_name: "{{ cf_changeset_name }}"
>     template_url: "https://s3-eu-west-1.amazonaws.com/xxxxxxxx/cloudformation/xxxxxx-developer-roles.yaml"
>     template_parameters: "{{ account_config.0.account_config.stacks['rxgt-ps-cross-account-iam-atlas-developer-roles'].params }}"
>     termination_protection: no
>     tags: "{{ global_tags | combine(account_config.0.account_config.stacks['rxgt-ps-cross-account-iam-atlas-developer-roles'].override_tags, recursive=True) }}"
>   loop: "{{ assumed_roles_with_account_config.results|subelements('account_config.regions', skip_missing=True) }}"
>   loop_control:
>     loop_var: account_config
>     label: "{{ account_config.0.account_config.account_alias }}:{{ account_config.1 }}"
>   when: with_stack_deploy
>   tags: rxgt-ps-identity-stack-deploy
>
> ===============================================================
> Error:
>
> TASK [create rxgt-ps-cross-account-iam-atlas-developer-roles changeset] ****************************************************************************************************
> An exception occurred during task execution. To see the full traceback, use -vvv. The error was: For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html
> "Failed to create change set: <class 'Exception'>: An error occurred (ValidationError) when calling the CreateChangeSet operation: S3 error: Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.\nFor more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html"}
>
> Thanks
> Kishore
>
> On Friday, January 11, 2019 at 9:45:17 PM UTC, Karl Auer wrote:
>>
>> You need to provide the actual playbook and the actual error. Use a fixed-width font when posting the playbook.
>>
>> On Sat, Jan 12, 2019 at 2:48 AM Kishore Ponniah <[email protected]> wrote:
>>
>>> Hi All,
>>>
>>> The template body has exceeded the maximum limit of 51200 bytes, so I wanted to upload the template to an encrypted s3 bucket. When I run the playbook it gives an error to explicitly mention s3v4. My config file has a line for s3 v4 but still, it shows the same error. I have tested using a non-encrypted bucket and it works fine.
>>>
>>> Could someone please help?
>>>
>>> My config file below: I am having 2 profiles because I have to run a SAML authentication to assume a role in build account and the deployment runs from the build account. I tried to add the s3 line in those 2 profiles but ended up with the same error.
>>>
>>> [profile federated-login]
>>> region = eu-west-1
>>> output = json
>>> [profile federated-build]
>>> region = eu-west-1
>>> output = json
>>> s3 =
>>>     signature_version = s3v4
>>>
>>> Thanks
>>> Kishore
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> To post to this group, send email to [email protected].
>>> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/36c62048-0a24-422e-823e-ad7dbc1d2d8a%40googlegroups.com <https://groups.google.com/d/msgid/ansible-project/36c62048-0a24-422e-823e-ad7dbc1d2d8a%40googlegroups.com?utm_medium=email&utm_source=footer>.
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>> --
>> Karl Auer
>>
>> Email : [email protected]
>> Website: http://2pisoftware.com
>>
>> GPG/PGP : 958A 2647 6C44 D376 3D63 86A5 FFB2 20BC 0257 5816
>> Previous: F0AB 6C70 A49D 1927 6E05 81E7 AD95 268F 2AB6 40EA
>>

--
Karl Auer

Email : [email protected]
Website: http://2pisoftware.com

GPG/PGP : 958A 2647 6C44 D376 3D63 86A5 FFB2 20BC 0257 5816
Previous: F0AB 6C70 A49D 1927 6E05 81E7 AD95 268F 2AB6 40EA
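
An added example, not part of the original thread: a small Python check for two points raised above, which boto3/botocore versions the interpreter actually has, and whether `signature_version = s3v4` is really nested under `s3 =` in each profile. The sample config is constructed; its second profile deliberately shows the unindented form, which the AWS config format reads as a separate top-level key rather than an `s3` setting.

```python
import configparser
from importlib import metadata

# Constructed sample modelled on the config quoted in the thread. In the second
# profile the nested line has lost its indentation (the failure mode to catch).
SAMPLE_CONFIG = """\
[profile federated-login]
region = eu-west-1
output = json
s3 =
    signature_version = s3v4

[profile federated-build]
region = eu-west-1
output = json
s3 =
signature_version = s3v4
"""

def installed_versions(packages=("boto3", "botocore")):
    """Return {package: version or None} for the interpreter running this."""
    found = {}
    for name in packages:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            found[name] = None
    return found

def s3_signature_versions(config_text):
    """Map each profile to the signature_version nested under its `s3 =` key."""
    parser = configparser.RawConfigParser()
    parser.read_string(config_text)
    result = {}
    for section in parser.sections():
        nested = {}
        # Indented lines under `s3 =` arrive as one multi-line value.
        for line in parser.get(section, "s3", fallback="").splitlines():
            key, sep, value = line.partition("=")
            if sep:
                nested[key.strip()] = value.strip()
        result[section] = nested.get("signature_version")
    return result

if __name__ == "__main__":
    print(installed_versions())
    for profile, sig in s3_signature_versions(SAMPLE_CONFIG).items():
        print(f"{profile}: s3.signature_version = {sig or 'NOT SET'}")
```

Run it with the same Python interpreter Ansible uses on the control node, and pass the contents of the real `~/.aws/config` to `s3_signature_versions` in place of the sample.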
