Ansible Cloud Automation / ACA-1969

[community.aws/1979] Unable to use aws_ssm connection with cross-account shared bucket



      https://github.com/ansible-collections/community.aws/issues/1979

##### Summary

      When trying to use a single organization bucket for cross-account connection, the aws_ssm connection plugin fails with

      ```
      An exception occurred during task execution. To see the full traceback, use -vvv. The error was: botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GetBucketLocation operation: Access Denied
      ```

      This happens even though the assumed role has the s3:GetBucketLocation permission granted (we have double checked, s3:* in the role and explicit s3:GetBucketLocation in the bucket policy).

      The root of the issue is that, according to the CLI help,

      > To use this implementation of the operation, you must be the bucket owner.

      The [online API documentation](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketLocation.html) does not mention it, although it says the call is supported only for backwards compatibility and advises the usage of HeadBucket.

Switching to the HeadBucket API call would involve changing the code from

```python
bucket_location = tmp_s3_client.get_bucket_location(
    Bucket=(self.get_option("bucket_name")),
)
bucket_region = bucket_location["LocationConstraint"]
```

      to something like

```python
head_bucket = tmp_s3_client.head_bucket(
    Bucket=(self.get_option("bucket_name")),
)
bucket_region = head_bucket["ResponseMetadata"]["HTTPHeaders"]["x-amz-bucket-region"]
```
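The HeadBucket approach sketched above, worked through as an added stand-alone example (this is not the plugin's code and not from the issue author). It resolves the bucket region from the `x-amz-bucket-region` header, recovers the header from a 403 `ClientError` when S3 still sends it, and contrasts this with the `GetBucketLocation` path, including its `LocationConstraint=None` result for buckets in us-east-1. The `FakeS3Client`, the account ids and the bucket names are constructed so the example runs offline; the `ClientError` stand-in is only used when botocore is not installed.

```python
"""Resolve an S3 bucket's region with HeadBucket instead of GetBucketLocation."""
try:
    from botocore.exceptions import ClientError
except ImportError:  # botocore absent: minimal stand-in so the offline demo still runs
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(f"{operation_name}: {error_response['Error']['Message']}")
            self.response = error_response
            self.operation_name = operation_name

REGION_HEADER = "x-amz-bucket-region"


def head_bucket_region(s3_client, bucket_name):
    """Return the bucket's region from the x-amz-bucket-region header of HeadBucket.

    HeadBucket needs s3:ListBucket, not bucket ownership, so it works for a bucket
    shared from another account. S3 also sends the header on 301/403 responses and
    botocore keeps those headers on the ClientError, so the region is recovered
    from the error where possible; any other failure is re-raised unchanged.
    """
    try:
        resp = s3_client.head_bucket(Bucket=bucket_name)
    except ClientError as err:
        headers = err.response.get("ResponseMetadata", {}).get("HTTPHeaders", {})
        if headers.get(REGION_HEADER):
            return headers[REGION_HEADER]
        raise
    return resp["ResponseMetadata"]["HTTPHeaders"][REGION_HEADER]


def location_constraint_region(s3_client, bucket_name):
    """The GetBucketLocation approach, with its us-east-1 quirk normalised.

    GetBucketLocation requires the caller to be the bucket owner, and it returns
    LocationConstraint=None for buckets in us-east-1, so reading
    bucket_location["LocationConstraint"] directly yields None there.
    """
    location = s3_client.get_bucket_location(Bucket=bucket_name)
    return location.get("LocationConstraint") or "us-east-1"


class FakeS3Client:
    """Constructed stand-in for boto3's S3 client (not real AWS) that mimics the
    ownership rule of GetBucketLocation and the region header of HeadBucket."""

    def __init__(self, caller_account, buckets):
        self.caller_account = caller_account
        self.buckets = buckets  # name -> {"owner": ..., "region": ..., "readers": {...}}

    def _error(self, operation, status, code, region=None):
        headers = {REGION_HEADER: region} if region else {}
        message = "Access Denied" if code == "AccessDenied" else code
        return ClientError(
            {"Error": {"Code": code, "Message": message},
             "ResponseMetadata": {"HTTPStatusCode": status, "HTTPHeaders": headers}},
            operation,
        )

    def get_bucket_location(self, Bucket):
        bucket = self.buckets[Bucket]
        if bucket["owner"] != self.caller_account:
            raise self._error("GetBucketLocation", 403, "AccessDenied")
        constraint = None if bucket["region"] == "us-east-1" else bucket["region"]
        return {"LocationConstraint": constraint}

    def head_bucket(self, Bucket):
        bucket = self.buckets[Bucket]
        allowed = self.caller_account == bucket["owner"] or self.caller_account in bucket["readers"]
        if not allowed:
            # HEAD has no body, so botocore reports the status code as the error code
            raise self._error("HeadBucket", 403, "403", region=bucket["region"])
        return {"ResponseMetadata": {"HTTPStatusCode": 200,
                                     "HTTPHeaders": {REGION_HEADER: bucket["region"]}}}


BUCKETS = {  # constructed sample data: an org-wide shared bucket and a caller-owned one
    "org-shared-ssm": {"owner": "111111111111", "region": "eu-central-1", "readers": {"222222222222"}},
    "legacy-virginia": {"owner": "222222222222", "region": "us-east-1", "readers": set()},
}


def demo():
    """Compare both lookups as the cross-account caller 222222222222."""
    s3 = FakeS3Client("222222222222", BUCKETS)
    results = {"head_bucket": head_bucket_region(s3, "org-shared-ssm")}
    try:
        location_constraint_region(s3, "org-shared-ssm")
    except ClientError as err:  # the failure the issue reports
        results["get_bucket_location"] = err.response["Error"]["Code"]
    results["us_east_1_quirk"] = location_constraint_region(s3, "legacy-virginia")
    return results


if __name__ == "__main__":
    print(demo())
```

Two points worth keeping when porting this into a plugin: the header is present in the successful response as well as in 301/403 errors, so reading it from the exception only adds coverage for the case where the role lacks `s3:ListBucket`; and the `or "us-east-1"` normalisation matters only on the `GetBucketLocation` path, since `HeadBucket` reports `us-east-1` explicitly.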

##### Issue Type

      Bug Report

##### Component Name

      aws_ssm

##### Ansible Version

```console
      $ ansible --version
      ansible [core 2.15.5]
      config file = None
      configured module search path = ['/actions-runner/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
      ansible python module location = /usr/local/lib/python3.11/site-packages/ansible
      ansible collection location = /actions-runner/.ansible/collections:/usr/share/ansible/collections
      executable location = /usr/local/bin/ansible
      python version = 3.11.5 (main, Sep 20 2023, 10:46:56) [GCC 12.2.0] (/usr/local/bin/python)
      jinja version = 3.1.2
      libyaml = True
      ```

##### Collection Versions

```console
$ ansible-galaxy collection list

# /actions-runner/.ansible/collections/ansible_collections
Collection    Version
------------- -------
amazon.aws    6.5.0
community.aws 6.4.0
```
##### AWS SDK versions

```console
      $ pip show boto boto3 botocore
      WARNING: Package(s) not found: boto
      Name: boto3
      Version: 1.28.69
      Summary: The AWS SDK for Python
      Home-page: https://github.com/boto/boto3
      Author: Amazon Web Services
      Author-email:
      License: Apache License 2.0
      Location: /usr/local/lib/python3.11/site-packages
      Requires: botocore, jmespath, s3transfer
      Required-by:

      Name: botocore
      Version: 1.31.69
      Summary: Low-level, data-driven core of boto 3.
      Home-page: https://github.com/boto/botocore
      Author: Amazon Web Services
      Author-email:
      License: Apache License 2.0
      Location: /usr/local/lib/python3.11/site-packages
      Requires: jmespath, python-dateutil, urllib3
      Required-by: awscli, boto3, s3transfer
      ```

##### Configuration

```console
      $ ansible-config dump --only-changed
      CONFIG_FILE() = None
      ```

##### OS / Environment

      Debian GNU/Linux 12 (bookworm)

##### Steps to Reproduce

```yaml
- name: Minimal playbook
  hosts: all
  become: false
  gather_facts: true
  tasks:
    - name: Ping
      ansible.builtin.ping:
      become: true
```
##### Expected Results

      Expected playbook to run to end.

##### Actual Results

```console
      PLAY [all] *********************************************************************

      TASK [Gathering Facts] *********************************************************
      An exception occurred during task execution. To see the full traceback, use -vvv. The error was: botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GetBucketLocation operation: Access Denied
fatal: [i-00a8cb5930bd5f7dc]: FAILED! => {"msg": "Unexpected failure during module execution: An error occurred (AccessDenied) when calling the GetBucketLocation operation: Access Denied", "stdout": ""}

      PLAY RECAP *********************************************************************
      i-00a8cb5930bd5f7dc : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
      ```

##### Code of Conduct

- [X] I agree to follow the Ansible Code of Conduct

Assignee: Unassigned
Reporter: Jill Rouleau (jrouleau)