Thanks Benno, I install Ansible and Boto in a virtualenv using pip, and then add the following to group_vars/localhosts.yml, which is enough to ensure that the cloudformation, s3, and ec2 modules run on the localhost. Do I need to also install Boto on the remote?
# Do not use the system installed Python when running locally
ansible_python_interpreter: python

The exact set of packages is:

Jinja2==2.7.3
MarkupSafe==0.23
PyYAML==3.11
ansible==1.9.1
boto==2.38.0
ecdsa==0.13
paramiko==1.15.2
pycrypto==2.6.1
six==1.9.0
wsgiref==0.1.2

regards
Andrew

On Friday, 19 June 2015 15:44:43 UTC+10, benno joy wrote:
>
> Hi Andrew,
>
> instance profiles do work without any issues, from the error msg: Failed to connect to S3: 'module' object has no attribute 'connect_to_region'
>
> seems like boto is not installed properly, how did you install boto? can you please try reinstalling boto and check.
>
> - Benno
>
> On Fri, Jun 19, 2015 at 9:51 AM, Andrew Burrow <[email protected]> wrote:
>
>> I am unable to make use of IAM roles in my Ansible playbooks. Specifically, I have authorised an EC2 instance to get from an S3 bucket, but I cannot work out how to make use of this authorisation from within Ansible.
>>
>> *The question*
>>
>> How do I write Ansible task(s) that satisfies all the following:
>>
>> 1. Runs on an EC2 instance
>> 2. Uses the IAM role defined on the EC2 instance to obtain authorisation to access an S3 bucket
>> 3. Gets a file from the S3 bucket
>>
>> *A work around*
>>
>> I can get the EC2 instance to download from S3, only by passing in my credentials as follows:
>>
>>     - name: Download the part archive from S3
>>       s3:
>>         aws_access_key: "{{ lookup('env','aws_key') }}"
>>         aws_secret_key: "{{ lookup('env','aws_secret') }}"
>>         region: "{{ aws_packages_region }}"
>>         bucket: "{{ aws_packages_bucket }}"
>>         object: "/JI79IML/my_part_X86_64_c7.15.tar.gz"
>>         dest: "/data/parts/JI79IML/my_part_X86_64_c7.15.tar.gz"
>>         mode: get
>>         overwrite: no
>>
>> However, I would rather not send my AWS credentials to the instance. Instead I have defined a role with the appropriate permissions to get files from the S3 bucket.
>>
>> *What I've tried*
>>
>> The top answer in the stack overflow question linked below suggests that it is a simple matter of leaving the secret access key parameters out, and letting the Boto library take care of assuming the role.
>>
>> - http://stackoverflow.com/questions/28997757/ansible-and-s3-module
>>
>> However, when I try this with Ansible 1.8.4 and Boto 2.36.0 I get
>>
>>     msg: No handler was ready to authenticate. 1 handlers were checked. ['HmacAuthV1Handler'] Check your credentials
>>
>> and with Ansible 1.9.1 and Boto 2.38.0 I get:
>>
>>     msg: Failed to connect to S3: 'module' object has no attribute 'connect_to_region'
>>
>> *How I've confirmed the IAM role*
>>
>> To confirm that the IAM role is *sufficient*, I installed awscli on the EC2 instance and performed the download directly. First, I assumed the role
>>
>>     aws sts assume-role --role-arn "${ROLE_ARN}" --role-session-name "GettingMyPart"
>>
>> which returns an absolutely baffling error message that the user with the assumed role cannot assume the role?!? But seems to do the trick, because I can then download the part
>>
>>     aws s3api get-object --bucket "${BUCKET_NAME}" --key JI79IML/my_part_X86_64_c7.15.tar.gz my_part_X86_64_c7.15.tar.gz
>>
>> To confirm that the IAM role is *required*, I created another instance that does not enjoy a role and installed awscli on this second EC2 instance and followed the above steps. In each case, I got the message "Unable to locate credentials" as expected
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To post to this group, send email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/550cc437-c0b2-4999-8710-cf87e28f45e6%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
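The thread turns on whether an `s3` task carries credentials to the instance or leaves them out so boto falls back to the instance profile. The following is an added example, not code from the thread or from Ansible: a small lint over task dictionaries (the YAML from the post re-entered as constructed Python dicts) that classifies how each `s3` task sources its AWS credentials, so that playbooks shipping long-lived keys to hosts can be found before they run.

```python
# Added example (not from the thread): classify how an Ansible `s3` task
# obtains AWS credentials. Only a task with no aws_access_key/aws_secret_key
# falls through to boto's credential chain and can use the instance profile;
# every other form delivers credentials to the managed host at run time.
import re

# Matches Jinja lookups such as {{ lookup('env','aws_key') }} and captures the plugin name.
LOOKUP_RE = re.compile(r"\{\{\s*lookup\(\s*['\"](\w+)['\"]")
CRED_KEYS = ("aws_access_key", "aws_secret_key")


def classify_credentials(task):
    """Return None for non-s3 tasks, else one of:
    'instance_profile' (no keys), 'partial' (one key only), 'env_lookup',
    'variable', 'literal', or 'mixed' (the two keys come from different sources)."""
    params = task.get("s3")
    if not isinstance(params, dict):
        return None
    present = [k for k in CRED_KEYS if k in params]
    if not present:
        return "instance_profile"
    if len(present) == 1:
        return "partial"  # one key without the other is a misconfiguration
    kinds = set()
    for key in present:
        value = str(params[key])
        match = LOOKUP_RE.search(value)
        if match and match.group(1) == "env":
            kinds.add("env_lookup")   # read from the controller's environment
        elif "{{" in value:
            kinds.add("variable")     # some other templated variable (vault, vars, ...)
        else:
            kinds.add("literal")      # hardcoded secret in the playbook itself
    return kinds.pop() if len(kinds) == 1 else "mixed"


def lint_tasks(tasks):
    """Map each s3 task's name to its credential classification."""
    return {t.get("name", "?"): classify_credentials(t) for t in tasks if "s3" in t}


# Constructed tasks mirroring the thread: the workaround (env lookups) and the
# intended form (no key parameters, so boto consults the instance metadata service).
WORKAROUND = {"name": "Download the part archive from S3",
              "s3": {"aws_access_key": "{{ lookup('env','aws_key') }}",
                     "aws_secret_key": "{{ lookup('env','aws_secret') }}",
                     "region": "{{ aws_packages_region }}", "bucket": "{{ aws_packages_bucket }}",
                     "object": "/JI79IML/my_part_X86_64_c7.15.tar.gz",
                     "dest": "/data/parts/JI79IML/my_part_X86_64_c7.15.tar.gz",
                     "mode": "get", "overwrite": "no"}}
ROLE_BASED = {"name": "Download via instance profile",
              "s3": {k: v for k, v in WORKAROUND["s3"].items() if k not in CRED_KEYS}}
```

Feeding a playbook's task list through `lint_tasks` gives `env_lookup` for the workaround and `instance_profile` for the role-based form; anything reported as `literal` belongs in an IAM role or a vault, not in the playbook.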
