Bug
Resolution: Unresolved
https://github.com/ansible-collections/community.aws/issues/1540

- Summary

I am trying to run PowerShell scripts on a remote Windows server in a different account and region, but it's failing when deleting the object in the SSM config bucket. SSM is able to upload the script to the config bucket but fails on deletion.

```
File "/home/circleci/.ansible/collections/ansible_collections/community/aws/plugins/connection/aws_ssm.py", line 628, in _file_transport_command
  client.delete_object(Bucket=self.get_option('bucket_name'), Key=s3_path)
```

- Issue Type

Bug Report

- Component Name

```
File "/home/circleci/.ansible/collections/ansible_collections/community/aws/plugins/connection/aws_ssm.py", line 628, in _file_transport_command
```

DeleteObject is denied when running commands on a remote instance in a separate account and a different region: SSM is invoked in eu-west-1 and the target is an instance in a separate account in ap-southeast-2.

- Ansible Version

```console
$ ansible --version
ansible [core 2.13.4]
config file = None
configured module search path = ['/home/circleci/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/circleci/.local/lib/python3.8/site-packages/ansible
ansible collection location = /home/circleci/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/local/bin/ansible
python version = 3.8.10 (default, Jun 22 2022, 20:18:18) [GCC 9.4.0]
jinja version = 3.1.2
libyaml = True
```

- Collection Versions

```console
$ ansible-galaxy collection list

# /home/circleci/.ansible/collections/ansible_collections
Collection    Version
------------- -------
amazon.aws    4.2.0
community.aws 4.2.0

# /home/circleci/.local/lib/python3.8/site-packages/ansible_collections
Collection                    Version
----------------------------- -------
amazon.aws                    3.4.0
ansible.netcommon             3.1.1
ansible.posix                 1.4.0
ansible.utils                 2.6.1
ansible.windows               1.11.1
arista.eos                    5.0.1
awx.awx                       21.5.0
azure.azcollection            1.13.0
check_point.mgmt              2.3.0
chocolatey.chocolatey         1.3.0
cisco.aci                     2.2.0
cisco.asa                     3.1.0
cisco.dnac                    6.6.0
cisco.intersight              1.0.19
cisco.ios                     3.3.1
cisco.iosxr                   3.3.1
cisco.ise                     2.5.3
cisco.meraki                  2.11.0
cisco.mso                     2.0.0
cisco.nso                     1.0.3
cisco.nxos                    3.1.1
cisco.ucs                     1.8.0
cloud.common                  2.1.2
cloudscale_ch.cloud           2.2.2
community.aws                 3.5.0
community.azure               1.1.0
community.ciscosmb            1.0.5
community.crypto              2.5.0
community.digitalocean        1.21.0
community.dns                 2.3.2
community.docker              2.7.1
community.fortios             1.0.0
community.general             5.6.0
community.google              1.0.0
community.grafana             1.5.2
community.hashi_vault         3.2.0
community.hrobot              1.5.2
community.libvirt             1.2.0
community.mongodb             1.4.2
community.mysql               3.5.1
community.network             4.0.1
community.okd                 2.2.0
community.postgresql          2.2.0
community.proxysql            1.4.0
community.rabbitmq            1.2.2
community.routeros            2.3.0
community.sap                 1.0.0
community.sap_libs            1.3.0
community.skydive             1.0.0
community.sops                1.4.0
community.vmware              2.9.1
community.windows             1.11.0
community.zabbix              1.8.0
containers.podman             1.9.4
cyberark.conjur               1.2.0
cyberark.pas                  1.0.14
dellemc.enterprise_sonic      1.1.2
dellemc.openmanage            5.5.0
dellemc.os10                  1.1.1
dellemc.os6                   1.0.7
dellemc.os9                   1.0.4
f5networks.f5_modules         1.19.0
fortinet.fortimanager         2.1.5
fortinet.fortios              2.1.7
frr.frr                       2.0.0
gluster.gluster               1.0.2
google.cloud                  1.0.2
hetzner.hcloud                1.8.2
hpe.nimble                    1.1.4
ibm.qradar                    2.1.0
ibm.spectrum_virtualize       1.9.0
infinidat.infinibox           1.3.3
infoblox.nios_modules         1.3.0
inspur.ispim                  1.0.1
inspur.sm                     2.0.0
junipernetworks.junos         3.1.0
kubernetes.core               2.3.2
mellanox.onyx                 1.0.0
netapp.aws                    21.7.0
netapp.azure                  21.10.0
netapp.cloudmanager           21.19.0
netapp.elementsw              21.7.0
netapp.ontap                  21.23.0
netapp.storagegrid            21.11.0
netapp.um_info                21.8.0
netapp_eseries.santricity     1.3.1
netbox.netbox                 3.7.1
ngine_io.cloudstack           2.2.4
ngine_io.exoscale             1.0.0
ngine_io.vultr                1.1.2
openstack.cloud               1.9.1
openvswitch.openvswitch       2.1.0
ovirt.ovirt                   2.2.3
purestorage.flasharray        1.13.0
purestorage.flashblade        1.10.0
purestorage.fusion            1.1.0
sensu.sensu_go                1.13.1
servicenow.servicenow         1.0.6
splunk.es                     2.1.0
t_systems_mms.icinga_director 1.31.0
theforeman.foreman            3.6.0
vmware.vmware_rest            2.2.0
vultr.cloud                   1.1.0
vyos.vyos                     3.0.1
wti.remote                    1.0.4
```

- AWS SDK versions

```console
$ pip show boto boto3 botocore
WARNING: Package(s) not found: boto
Name: boto3
Version: 1.24.82
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email: None
License: Apache License 2.0
Location: /home/circleci/.local/lib/python3.8/site-packages
Requires: s3transfer, botocore, jmespath
Required-by:
---
Name: botocore
Version: 1.27.82
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email: None
License: Apache License 2.0
Location: /home/circleci/.local/lib/python3.8/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: s3transfer, boto3
```

- Configuration

```console
$ ansible-config dump --only-changed
bash: ansible-config: command not found
```

- OS / Environment

```
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.4 LTS"
```

- Steps to Reproduce

deploy.yml
```yaml
- name: Assume role
  hosts: localhost
  tasks:
    - sts_assume_role:
        role_arn: "arn:aws:iam::354840654034:role/tvx-test-runner-deploy"
        role_session_name: "sydney_sample"
        region: ap-southeast-2
        duration_seconds: 900
      register: assumed_role
      no_log: false

- name: run command
  hosts: sydney
  gather_facts: false
  vars:
    ansible_aws_ssm_access_key_id: "{{ hostvars['localhost']['assumed_role']['sts_creds']['access_key'] }}"
    ansible_aws_ssm_secret_access_key: "{{ hostvars['localhost']['assumed_role']['sts_creds']['secret_key'] }}"
    ansible_aws_ssm_session_token: "{{ hostvars['localhost']['assumed_role']['sts_creds']['session_token'] }}"
  tasks:
    - name: debug
      debug: var=ansible_aws_ssm_access_key_id
    - name: Shell
      win_command: hostname
```
inventory.yml
```ini
[sydney]
i-00b51caa9f0d972ed

[sydney:vars]
ansible_connection = community.aws.aws_ssm
ansible_aws_ssm_region = ap-southeast-2
ansible_shell_type = powershell
ansible_aws_ssm_bucket_name = ssmsamplebucket-ireland
```
command:
```
ansible-playbook -i inventory.ini deploy.yml
```

- Expected Results

```console
TASK [Shell] *****************************************************************************************************************************************************************************************************
task path: /home/circleci/playbooks/deploy.yml:22
redirecting (type: modules) ansible.builtin.win_command to ansible.windows.win_command
redirecting (type: modules) ansible.builtin.win_command to ansible.windows.win_command
changed: [i-00b51caa9f0d972ed] =>
```

- Actual Results

```console
<i-00b51caa9f0d972ed> ssm_retry: attempt: 2, caught exception(An error occurred (AccessDenied) when calling the DeleteObject operation: Access Denied) from cmd (/home/ssm-user/.ansible/tmp/ansible-local-203313twil_u_x/tmppcwuj2fc...), pausing for 3 seconds
<i-00b51caa9f0d972ed> CLOSING SSM CONNECTION TO: i-xxxxxx
<i-00b51caa9f0d972ed> ESTABLISH SSM CONNECTION TO: i-xxxxxxx
<i-00b51caa9f0d972ed> SSM CONNECTION ID: sydney_sample-xxxxxxxx
<i-00b51caa9f0d972ed> EXEC Invoke-WebRequest 'https://tvx-ci-ssm-bucket.s3.amazonaws.com/i-00b51caa9f0d972ed/C%3A/Windows/TEMP/ansible-tmp-1664386390.7079988-203385-78361209385456/AnsiballZ_win_command.ps1?xxxxx' -OutFile 'C:\Windows\TEMP\ansible-tmp-1664386390.7079988-203385-78361209385456\AnsiballZ_win_command.ps1'
<i-00b51caa9f0d972ed> (0, '', '')
<i-00b51caa9f0d972ed> EXEC PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand xxxx
<i-00b51caa9f0d972ed> (0, '', '')
<i-00b51caa9f0d972ed> CLOSING SSM CONNECTION TO: i-xxxxxxx
The full traceback is:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ansible/executor/task_executor.py", line 147, in run
    res = self._execute()
  File "/usr/lib/python3.6/site-packages/ansible/executor/task_executor.py", line 665, in _execute
    result = self._handler.run(task_vars=variables)
  File "/usr/lib/python3.6/site-packages/ansible/plugins/action/normal.py", line 47, in run
    result = merge_hash(result, self._execute_module(task_vars=task_vars, wrap_async=wrap_async))
  File "/usr/lib/python3.6/site-packages/ansible/plugins/action/__init__.py", line 852, in _execute_module
    self._transfer_data(remote_module_path, module_data)
  File "/usr/lib/python3.6/site-packages/ansible/plugins/action/__init__.py", line 463, in _transfer_data
    self._transfer_file(afile, remote_path)
  File "/usr/lib/python3.6/site-packages/ansible/plugins/action/__init__.py", line 440, in _transfer_file
    self._connection.put_file(local_path, remote_path)
  File "/home/ssm-user/.ansible/collections/ansible_collections/community/aws/plugins/connection/aws_ssm.py", line 646, in put_file
    return self._file_transport_command(in_path, out_path, 'put')
  File "/home/ssm-user/.ansible/collections/ansible_collections/community/aws/plugins/connection/aws_ssm.py", line 241, in wrapped
    return_tuple = func(self, *args, **kwargs)
  File "/home/ssm-user/.ansible/collections/ansible_collections/community/aws/plugins/connection/aws_ssm.py", line 628, in _file_transport_command
    client.delete_object(Bucket=self.get_option('bucket_name'), Key=s3_path)
  File "/home/ssm-user/.local/lib/python3.6/site-packages/botocore/client.py", line 508, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/ssm-user/.local/lib/python3.6/site-packages/botocore/client.py", line 911, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the DeleteObject operation: Access Denied
fatal: [i-00b51caa9f0d972ed]: FAILED! =>
```
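As an added example (not code from the issue or from the community.aws collection), a minimal S3 bucket policy for the cross-account file transport together with a simplified offline check that shows why a grant without DeleteObject reproduces the reported failure. The bucket, role ARN and instance id are the ones quoted above; the policy shape, the per-instance key prefix, and the evaluator (Allow statements and `*` wildcards only, no Deny or Condition handling) are assumptions, and for cross-account access the assumed role's own identity policy must grant the same actions.

```python
import fnmatch

# Values quoted in the issue above; the policy shape around them is an assumption.
BUCKET = "ssmsamplebucket-ireland"
ROLE_ARN = "arn:aws:iam::354840654034:role/tvx-test-runner-deploy"
INSTANCE_ID = "i-00b51caa9f0d972ed"

# S3 actions the aws_ssm file transport visibly needs: PutObject (the upload that succeeded),
# GetObject (the presigned URL fetched by Invoke-WebRequest) and DeleteObject (the denied cleanup).
TRANSPORT_ACTIONS = ("s3:PutObject", "s3:GetObject", "s3:DeleteObject")

def build_bucket_policy(bucket, role_arn, instance_id, actions=TRANSPORT_ACTIONS):
    """Bucket policy granting one role the transport actions under its instance prefix.
    Cross-account: the role's identity policy must allow the same actions as well."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AnsibleSsmFileTransport",
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": list(actions),
            "Resource": f"arn:aws:s3:::{bucket}/{instance_id}/*",
        }],
    }

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def policy_allows(policy, principal_arn, action, resource):
    """Simplified offline evaluator: Allow statements and '*' wildcards only;
    Deny, Condition and NotAction are not modelled (IAM itself remains the authority)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if (any(fnmatch.fnmatchcase(principal_arn, p) for p in _as_list(stmt.get("Principal", {}).get("AWS", [])))
                and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))):
            return True
    return False

def missing_actions(policy, principal_arn, key, bucket=BUCKET):
    """Transport actions the policy does not grant the principal for one object key."""
    resource = f"arn:aws:s3:::{bucket}/{key}"
    return [a for a in TRANSPORT_ACTIONS if not policy_allows(policy, principal_arn, a, resource)]

if __name__ == "__main__":
    key = f"{INSTANCE_ID}/C:/Windows/TEMP/AnsiballZ_win_command.ps1"  # constructed key
    weak = build_bucket_policy(BUCKET, ROLE_ARN, INSTANCE_ID, ("s3:PutObject", "s3:GetObject"))
    print("weak policy misses:", missing_actions(weak, ROLE_ARN, key))
```

Running it prints `weak policy misses: ['s3:DeleteObject']`, the same operation that raised AccessDenied in the traceback; the full `build_bucket_policy(...)` output is the least-privilege grant to compare against the real bucket policy.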

- Code of Conduct

- [X] I agree to follow the Ansible Code of Conduct