From 959cd1d81acda357cf28c661231f06b22928840f Mon Sep 17 00:00:00 2001
From: abikouo <79859644+abikouo@users.noreply.github.com>
Date: Tue, 22 Mar 2022 11:58:18 +0100
Subject: [PATCH] inventory aws_ec2 - assume role using iam_role_arn parameter to describe regions (#624) inventory aws_ec2 - assume role using iam_role_arn parameter to describe regions SUMMARY This is a proposal to solve #566 ISSUE TYPE Feature Pull Request COMPONENT NAME aws_ec2 Reviewed-by: Alina Buzachis Reviewed-by: Markus Bergholz (cherry picked from commit 56e6e69f0fdfb37c04f69bce0c1659a73c4184da)
---
 ..._ec2-assume-arn-role-when-listing-regions.yml | 5 +++++
 plugins/inventory/aws_ec2.py | 16 +++++++++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/fragments/619-inventory-aws_ec2-assume-arn-role-when-listing-regions.yml
diff --git a/changelogs/fragments/619-inventory-aws_ec2-assume-arn-role-when-listing-regions.yml b/changelogs/fragments/619-inventory-aws_ec2-assume-arn-role-when-listing-regions.yml
new file mode 100644
index 00000000000..0d055c6f525
--- /dev/null
+++ b/changelogs/fragments/619-inventory-aws_ec2-assume-arn-role-when-listing-regions.yml
@@ -0,0 +1,5 @@
+bugfixes:
+- >-
+  aws_ec2 inventory - use the iam_role_arn configuration parameter to assume the role before trying to call DescribeRegions
+  if the regions configuration is not set and AWS credentials provided without enough privilege to perform the DescribeRegions action.
+  (https://github.com/ansible-collections/amazon.aws/issues/566).
diff --git a/plugins/inventory/aws_ec2.py b/plugins/inventory/aws_ec2.py
index 1f787d9d98c..fa6a881ec40
--- a/plugins/inventory/aws_ec2.py
+++ b/plugins/inventory/aws_ec2.py
@@ -243,6 +243,7 @@ from ansible_collections.amazon.aws.plugins.module_utils.ec2 import ansible_dict_to_boto3_filter_list
 from ansible_collections.amazon.aws.plugins.module_utils.ec2 import boto3_tag_list_to_ansible_dict
 from ansible_collections.amazon.aws.plugins.module_utils.ec2 import camel_dict_to_snake_dict
+from ansible_collections.amazon.aws.plugins.module_utils.core import is_boto3_error_code
 # The mappings give an array of keys to get from the filter name to the value
@@ -424,7 +425,7 @@ def _get_connection(self, credentials, region='us-east-1'):
             raise AnsibleError("Insufficient credentials found: %s" % to_native(e))
         return connection
-    def _boto3_assume_role(self, credentials, region):
+    def _boto3_assume_role(self, credentials, region=None):
         """
         Assume an IAM role passed by iam_role_arn parameter
@@ -463,6 +464,19 @@ def _boto3_conn(self, regions):
             except botocore.exceptions.NoRegionError:
                 # above seems to fail depending on boto3 version, ignore and lets try something else
                 pass
+            except is_boto3_error_code('UnauthorizedOperation') as e:  # pylint: disable=duplicate-except
+                if iam_role_arn is not None:
+                    try:
+                        # Describe regions assuming arn role
+                        assumed_credentials = self._boto3_assume_role(credentials)
+                        client = self._get_connection(assumed_credentials)
+                        resp = client.describe_regions()
+                        regions = [x['RegionName'] for x in resp.get('Regions', [])]
+                    except botocore.exceptions.NoRegionError:
+                        # above seems to fail depending on boto3 version, ignore and lets try something else
+                        pass
+                else:
+                    raise AnsibleError("Unauthorized operation: %s" % to_native(e))
         # fallback to local list hardcoded in boto3 if still no regions
         if not regions:
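Review bot: The new `region=None` default on `_boto3_assume_role` is not reflected in the docstring that begins on the line after the signature, and the method body lies outside the hunk, so it is not visible here what a `None` region means when the STS client is built. Since the new caller in `_boto3_conn` now invokes `self._boto3_assume_role(credentials)` with no region at all, the docstring should say what happens in that case, for example `:param region: optional region for the STS client; None passes no explicit region` — confirm the wording against how the body constructs the client.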
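Review bot: An `UnauthorizedOperation` raised by the second `client.describe_regions()` call, made with the assumed-role credentials, is not caught — the inner `try` handles only `NoRegionError` — so a role that also lacks `ec2:DescribeRegions` surfaces as a raw botocore `ClientError` instead of the `AnsibleError` the `else` branch produces for the same condition with the base credentials. Adding `except is_boto3_error_code('UnauthorizedOperation') as err:` followed by `raise AnsibleError("Unauthorized operation after assuming %s: %s" % (iam_role_arn, to_native(err)))` to the inner `try` keeps the two failure paths consistent and tells the operator which set of credentials was refused. The inner block otherwise duplicates the describe-regions attempt made just above it (whose start is outside the hunk), including the `NoRegionError` comment and `pass`, so a small `_describe_regions(credentials)` helper used by both paths would remove the repeated handling. `_boto3_conn` continues past the end of the hunk.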