A new interesting development.  I removed aws_access_key and aws_secret_key 
from the task ec2_elb and created ~/.boto and tried again.  This time things 
work.

[Credentials]
aws_access_key_id=...
aws_secret_access_key=...

Hmmm....




On Tuesday, September 9, 2014 1:37:11 PM UTC-7, Steven Truong wrote:
>
> Hi all,
>
> I have a playbook that simply goes and adds instances to my ELB, but 
> apparently the user's keys specified were not authorized to do the 
> "DescribeLoadBalancers".  This user has a policy attached to it that allows 
> it to have full access to this ELB.
>
> Task:
>
>   - name: Instance re-register
>     local_action: ec2_elb ec2_elbs=steventest region=us-east-1 instance_id="{{ ansible_ec2_instance_id }}" state=present wait=yes wait_timeout=5 aws_access_key=A..... aws_secret_key=....sc enable_availability_zone=no
>
>
> I got this error message.
>   <Message>User: arn:aws:iam::123456789:user/elb_dedicated is not authorized to perform: elasticloadbalancing:DescribeLoadBalancers</Message>
>
> From AWS doc 
> http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/UsingIAM.html
>
> Elastic Load Balancing does not support setting permissions for a user or 
> a group to use the following APIs with a specific load balancer: 
>
>    - DescribeInstanceHealth
>    - DescribeLoadBalancerAttributes
>    - DescribeLoadBalancerPolicyTypes
>    - DescribeLoadBalancers
>    - DescribeLoadBalancerPolicies
>    - DescribeTags
>
> You can continue to use the Describe APIs in the Action element of the 
> policy statement to grant access to all ELB load balancers. However, if you 
> use the Describe APIs in the Action element and also specify a load 
> balancer ARN in the Resource element, the API call will fail.
>
> So ec2_elb will work when I do not specify the specific ELB in the 
> resource.  This is the way AWS implemented access controls for ELBs and 
> Ansible is not at fault here.
>
> Policy attached to AWS user elb_dedicated and currently, I allowed all 
> actions for this account to this steventest ELB.
> {
>     "Version": "2012-10-17",
>     "Statement": [
>         {
>             "Sid": "steventestelb",
>             "Effect": "Allow",
>             "Action": [
>                 "elasticloadbalancing:*"
>             ],
>             "Resource": [
>                 "arn:aws:elasticloadbalancing:us-east-1:123456789:loadbalancer/steventest"
>             ]
>         }
>     ]
> }
>
> So I removed all "Resource" and the final policy is this:
> {
>   "Version": "2012-10-17",
>   "Statement": [
>     {
>       "Sid": "steventestelb",
>       "Effect": "Allow",
>       "Action": [
>         "elasticloadbalancing:*"
>       ]
>     }
>   ]
> }
>
> With this policy, I still got the same error.
>
> failed: [ec2-54-80-.....compute-1.amazonaws.com -> 127.0.0.1] => {"failed": true, "parsed": false}
> invalid output was: Traceback (most recent call last):
>   File "/home/steven/.ansible/tmp/ansible-tmp-1410294577.11-237620736023803/ec2_elb", line 1874, in <module>
>     main()
>   File "/home/steven/.ansible/tmp/ansible-tmp-1410294577.11-237620736023803/ec2_elb", line 317, in main
>     region=region, **aws_connect_params)
>   File "/home/steven/.ansible/tmp/ansible-tmp-1410294577.11-237620736023803/ec2_elb", line 123, in __init__
>     self.lbs = self._get_instance_lbs(ec2_elbs)
>   File "/home/steven/.ansible/tmp/ansible-tmp-1410294577.11-237620736023803/ec2_elb", line 264, in _get_instance_lbs
>     elbs = elb.get_all_load_balancers()
>   File "/usr/local/lib/python2.7/dist-packages/boto/ec2/elb/__init__.py", line 135, in get_all_load_balancers
>     [('member', LoadBalancer)])
>   File "/usr/local/lib/python2.7/dist-packages/boto/connection.py", line 1166, in get_list
>     raise self.ResponseError(response.status, response.reason, body)
> boto.exception.BotoServerError: BotoServerError: 403 Forbidden
> <ErrorResponse xmlns="http://elasticloadbalancing.amazonaws.com/doc/2012-06-01/">
>   <Error>
>     <Type>Sender</Type>
>     <Code>AccessDenied</Code>
>     <Message>User: arn:aws:iam::123456789:user/elb_dedicated is not authorized to perform: elasticloadbalancing:DescribeLoadBalancers</Message>
>   </Error>
>   <RequestId>04bd7b0d-3860-11e4-8ac6-5fafa616e3b3</RequestId>
> </ErrorResponse>
>
>
> ---
>
> Please share with me how you've used ec2_elb to work with ELB in AWS. 
>  This should not be a problem for me.
> Steven.
>
> Note: I have boto (2.32.1) on a Linux Mint 17.
>
>
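
The policy problem discussed in the quoted message, as an added example that is not part of the original thread: a small Python checker run over the two policies from the post and one constructed alternative. The `SPLIT` policy, its Sids and its choice of Register/Deregister actions are assumptions; the missing-Resource check reflects the IAM policy grammar, which requires a Resource or NotResource element in each statement of an identity-based policy.

```python
import fnmatch

# Describe APIs the quoted AWS doc lists as having no per-load-balancer permissions.
NO_RESOURCE_LEVEL = [
    "DescribeInstanceHealth", "DescribeLoadBalancerAttributes",
    "DescribeLoadBalancerPolicyTypes", "DescribeLoadBalancers",
    "DescribeLoadBalancerPolicies", "DescribeTags",
]

def as_list(value):
    """IAM accepts a single item or a list for Statement, Action and Resource."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def check_elb_policy(policy):
    """Return (sid, finding) tuples for problematic Allow statements."""
    findings = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "Resource" not in stmt and "NotResource" not in stmt:
            findings.append((sid, "missing-resource"))
            continue
        # IAM action names are case-insensitive and support * wildcards.
        patterns = [a.lower() for a in as_list(stmt.get("Action"))]
        covered = [api for api in NO_RESOURCE_LEVEL
                   if any(fnmatch.fnmatchcase("elasticloadbalancing:" + api.lower(), p)
                          for p in patterns)]
        # Statements that use NotResource instead of Resource are not analysed here.
        if covered and "*" not in as_list(stmt.get("Resource", "*")):
            findings.append((sid, "describe-scoped-to-arn: " + ",".join(covered)))
    return findings

LB_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789:loadbalancer/steventest"
ALL_ELB = {"Sid": "steventestelb", "Effect": "Allow", "Action": ["elasticloadbalancing:*"]}
# The two policies from the post: scoped to the ELB ARN, then with Resource removed.
ORIGINAL = {"Version": "2012-10-17", "Statement": [dict(ALL_ELB, Resource=[LB_ARN])]}
NO_RESOURCE = {"Version": "2012-10-17", "Statement": [dict(ALL_ELB)]}
# Constructed (assumed) alternative: Describe* on all resources, changes on one ELB.
SPLIT = {"Version": "2012-10-17", "Statement": [
    {"Sid": "describeall", "Effect": "Allow",
     "Action": "elasticloadbalancing:Describe*", "Resource": "*"},
    {"Sid": "steventestelbwrite", "Effect": "Allow",
     "Action": ["elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"],
     "Resource": [LB_ARN]},
]}

if __name__ == "__main__":
    for name, pol in [("original", ORIGINAL), ("no-resource", NO_RESOURCE), ("split", SPLIT)]:
        print(name, check_elb_policy(pol))
```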
