Hi Andrew, instance profiles do work without any issues. From the error msg:

    Failed to connect to S3: 'module' object has no attribute 'connect_to_region'

it seems like boto is not installed properly. How did you install boto? Can you please try reinstalling boto and check.

- Benno

On Fri, Jun 19, 2015 at 9:51 AM, Andrew Burrow <[email protected]> wrote:

> I am unable to make use of IAM roles in my Ansible playbooks. Specifically, I have authorised an EC2 instance to get from an S3 bucket, but I cannot work out how to make use of this authorisation from within Ansible.
>
> *The question*
>
> How do I write Ansible task(s) that satisfy all the following:
>
> 1. Runs on an EC2 instance
> 2. Uses the IAM role defined on the EC2 instance to obtain authorisation to access an S3 bucket
> 3. Gets a file from the S3 bucket
>
> *A work around*
>
> I can get the EC2 instance to download from S3, only by passing in my credentials as follows:
>
>     - name: Download the part archive from S3
>       s3:
>         aws_access_key: "{{ lookup('env','aws_key') }}"
>         aws_secret_key: "{{ lookup('env','aws_secret') }}"
>         region: "{{ aws_packages_region }}"
>         bucket: "{{ aws_packages_bucket }}"
>         object: "/JI79IML/my_part_X86_64_c7.15.tar.gz"
>         dest: "/data/parts/JI79IML/my_part_X86_64_c7.15.tar.gz"
>         mode: get
>         overwrite: no
>
> However, I would rather not send my AWS credentials to the instance. Instead I have defined a role with the appropriate permissions to get files from the S3 bucket.
>
> *What I've tried*
>
> The top answer in the stack overflow question linked below suggests that it is a simple matter of leaving the secret access key parameters out, and letting the Boto library take care of assuming the role.
>
> - http://stackoverflow.com/questions/28997757/ansible-and-s3-module
>
> However, when I try this with Ansible 1.8.4 and Boto 2.36.0 I get
>
>     msg: No handler was ready to authenticate. 1 handlers were checked. ['HmacAuthV1Handler'] Check your credentials
>
> and with Ansible 1.9.1 and Boto 2.38.0 I get:
>
>     msg: Failed to connect to S3: 'module' object has no attribute 'connect_to_region'
>
> *How I've confirmed the IAM role*
>
> To confirm that the IAM role is *sufficient*, I installed awscli on the EC2 instance and performed the download directly. First, I assumed the role
>
>     aws sts assume-role --role-arn "${ROLE_ARN}" --role-session-name "GettingMyPart"
>
> which returns an absolutely baffling error message that the user with the assumed role cannot assume the role?!? But it seems to do the trick, because I can then download the part
>
>     aws s3api get-object --bucket "${BUCKET_NAME}" --key JI79IML/my_part_X86_64_c7.15.tar.gz my_part_X86_64_c7.15.tar.gz
>
> To confirm that the IAM role is *required*, I created another instance that does not enjoy a role, installed awscli on this second EC2 instance and followed the above steps. In each case, I got the message "Unable to locate credentials" as expected.
>
> --
> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/550cc437-c0b2-4999-8710-cf87e28f45e6%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
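The approach the thread converges on (drop the key parameters and let boto pick up the instance profile, after making sure the boto that Ansible's interpreter imports is a working one), written out as an added playbook example that is not from Benno's or Andrew's messages. The host group name and the fallback interpreter path are assumptions; the s3 task parameters are the ones from Andrew's work-around minus the two key fields.

```yaml
# Added example, not from the thread. Verifies the boto install that Ansible's
# Python interpreter actually sees, then fetches the object using the EC2
# instance profile instead of credentials shipped to the host.
- hosts: ec2_parts_hosts        # assumed inventory group
  tasks:
    # The AttributeError in the thread is raised by the s3 module's call to
    # boto.s3.connect_to_region, so check that exact attribute with the same
    # interpreter Ansible uses on the instance (fallback path is an assumption).
    - name: Verify boto is importable by the interpreter Ansible uses
      command: >
        {{ ansible_python_interpreter | default('/usr/bin/python') }}
        -c "import boto, boto.s3; boto.s3.connect_to_region; print(boto.__version__)"
      register: boto_check
      changed_when: false

    - name: Show which boto version answered
      debug:
        msg: "boto {{ boto_check.stdout }} is usable on this host"

    # No aws_access_key / aws_secret_key here: boto's credential chain falls
    # back to the instance metadata service and uses the role attached to the
    # instance, so no long-lived keys are passed to or stored on the host.
    - name: Download the part archive from S3 using the instance profile
      s3:
        region: "{{ aws_packages_region }}"
        bucket: "{{ aws_packages_bucket }}"
        object: "/JI79IML/my_part_X86_64_c7.15.tar.gz"
        dest: "/data/parts/JI79IML/my_part_X86_64_c7.15.tar.gz"
        mode: get
        overwrite: no
```

If the first task fails, the instance has no usable boto in that interpreter, which is the situation Benno's reply points at; fix the install (or `ansible_python_interpreter`) before looking at the IAM side.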
