Hi all,

I have a playbook that simply goes and adds instances to my ELB, but
apparently the user's keys specified were not authorized to do
"DescribeLoadBalancers".  This user has a policy attached to it that allows
full access to this ELB.

Task:

  - name: Instance re-register
    local_action: >
      ec2_elb ec2_elbs=steventest region=us-east-1
      instance_id="{{ ansible_ec2_instance_id }}" state=present wait=yes
      wait_timeout=5 aws_access_key=A..... aws_secret_key=....sc
      enable_availability_zone=no


I got this error message:

  <Message>User: arn:aws:iam::123456789:user/elb_dedicated is not authorized to perform: elasticloadbalancing:DescribeLoadBalancers</Message>

From the AWS doc
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/UsingIAM.html

Elastic Load Balancing does not support setting permissions for a user or a
group to use the following APIs with a specific load balancer:

   - DescribeInstanceHealth
   - DescribeLoadBalancerAttributes
   - DescribeLoadBalancerPolicyTypes
   - DescribeLoadBalancers
   - DescribeLoadBalancerPolicies
   - DescribeTags

You can continue to use the Describe APIs in the Action element of the
policy statement to grant access to all ELB load balancers. However, if you
use the Describe APIs in the Action element and also specify a load
balancer ARN in the Resource element, the API call will fail.

So ec2_elb will work when I do not specify the specific ELB in the
resource.  This is the way AWS implemented access controls for ELBs, and
Ansible is not at fault here.

Policy attached to AWS user elb_dedicated; currently, I allow all
actions for this account on this steventest ELB:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "steventestelb",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:*"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:us-east-1:123456789:loadbalancer/steventest"
            ]
        }
    ]
}

So I removed all "Resource" and the final policy is this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "steventestelb",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:*"
      ]
    }
  ]
}

With this policy, I still got the same error.

failed: [ec2-54-80-.....compute-1.amazonaws.com -> 127.0.0.1] => {"failed": true, "parsed": false}
invalid output was: Traceback (most recent call last):
  File "/home/steven/.ansible/tmp/ansible-tmp-1410294577.11-237620736023803/ec2_elb", line 1874, in <module>
    main()
  File "/home/steven/.ansible/tmp/ansible-tmp-1410294577.11-237620736023803/ec2_elb", line 317, in main
    region=region, **aws_connect_params)
  File "/home/steven/.ansible/tmp/ansible-tmp-1410294577.11-237620736023803/ec2_elb", line 123, in __init__
    self.lbs = self._get_instance_lbs(ec2_elbs)
  File "/home/steven/.ansible/tmp/ansible-tmp-1410294577.11-237620736023803/ec2_elb", line 264, in _get_instance_lbs
    elbs = elb.get_all_load_balancers()
  File "/usr/local/lib/python2.7/dist-packages/boto/ec2/elb/__init__.py", line 135, in get_all_load_balancers
    [('member', LoadBalancer)])
  File "/usr/local/lib/python2.7/dist-packages/boto/connection.py", line 1166, in get_list
    raise self.ResponseError(response.status, response.reason, body)
boto.exception.BotoServerError: BotoServerError: 403 Forbidden
<ErrorResponse xmlns="http://elasticloadbalancing.amazonaws.com/doc/2012-06-01/">
  <Error>
    <Type>Sender</Type>
    <Code>AccessDenied</Code>
    <Message>User: arn:aws:iam::123456789:user/elb_dedicated is not authorized to perform: elasticloadbalancing:DescribeLoadBalancers</Message>
  </Error>
  <RequestId>04bd7b0d-3860-11e4-8ac6-5fafa616e3b3</RequestId>
</ErrorResponse>


---

Please share with me how you've used ec2_elb to work with ELB in AWS.  This 
should not be a problem for me.
Steven.

Note: I have boto (2.32.1) on a Linux Mint 17.
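The policy pitfall described in this post (ELB Describe* calls cannot be scoped to a single load balancer ARN, and a statement with no Resource at all is rejected by IAM) can be caught before the playbook runs. Below is an added example, not code from the thread, Ansible or AWS: a small linter for IAM policy documents that flags an Allow statement which grants any of the six Describe actions listed in the quoted AWS doc against a specific Resource, or which lacks a Resource/NotResource element, plus a builder for the split least-privilege layout (Describe* on "*", mutating actions on the one load balancer). The two input policies are constructed copies of the ones posted above; the REGISTER_ACTIONS list is an assumption about which non-Describe calls the re-register task needs and should be adjusted to what a given playbook actually invokes.

```python
import fnmatch
import json

# Classic ELB Describe actions that, per the AWS doc quoted in the thread,
# cannot be restricted to a specific load balancer ARN in the Resource element.
UNSCOPED_DESCRIBE_ACTIONS = [
    "elasticloadbalancing:DescribeInstanceHealth",
    "elasticloadbalancing:DescribeLoadBalancerAttributes",
    "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeLoadBalancerPolicies",
    "elasticloadbalancing:DescribeTags",
]

# Load balancer ARN taken from the policy posted in the thread.
LB_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789:loadbalancer/steventest"

# Constructed copy of the first policy in the thread (wildcard action, one LB ARN).
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "steventestelb", "Effect": "Allow",
                   "Action": ["elasticloadbalancing:*"], "Resource": [LB_ARN]}],
}

# Constructed copy of the second policy in the thread (Resource element removed).
NO_RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "steventestelb", "Effect": "Allow",
                   "Action": ["elasticloadbalancing:*"]}],
}

# Assumed set of non-Describe calls the re-register task needs (hypothetical;
# adjust to whatever your playbook actually invokes).
REGISTER_ACTIONS = [
    "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
    "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
]


def _as_list(value):
    """Action/Resource may be a string or a list in IAM JSON; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def lint_elb_policy(policy):
    """Return (sid, problem) pairs for Allow statements that will not behave as intended."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        # Identity-based policies must carry Resource or NotResource in every statement.
        if "Resource" not in stmt and "NotResource" not in stmt:
            findings.append((sid, "missing Resource/NotResource; IAM will reject the policy"))
            continue
        patterns = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        hit = [a for a in UNSCOPED_DESCRIBE_ACTIONS
               if any(_action_matches(p, a) for p in patterns)]
        # A Describe action only works when the statement also allows Resource "*".
        if hit and "*" not in resources:
            findings.append((sid, "grants %s on a specific resource; AWS denies these "
                                  "Describe calls unless Resource is \"*\""
                                  % ", ".join(a.split(":")[1] for a in hit)))
    return findings


def split_elb_policy(lb_arn, mutating_actions):
    """Least-privilege layout: Describe* on "*", mutating actions only on the one LB."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DescribeAnyElb", "Effect": "Allow",
             "Action": "elasticloadbalancing:Describe*", "Resource": "*"},
            {"Sid": "ManageOneElb", "Effect": "Allow",
             "Action": list(mutating_actions), "Resource": lb_arn},
        ],
    }


if __name__ == "__main__":
    fixed = split_elb_policy(LB_ARN, REGISTER_ACTIONS)
    for name, pol in [("original", ORIGINAL_POLICY),
                      ("no-resource", NO_RESOURCE_POLICY), ("split", fixed)]:
        print(name, lint_elb_policy(pol) or "ok")
    print(json.dumps(fixed, indent=2))
```

The linter matches the way the module behaves in the traceback above: ec2_elb lists every load balancer (get_all_load_balancers) before it touches the named one, so DescribeLoadBalancers has to be allowed on "*" regardless of which ELB the playbook names, while the register/deregister calls can still be pinned to the single ARN.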
