I am starting to use ansible for my AWS environment and have run into a few 
snags with the STS Module. I am relatively new to ansible, so it may just 
be user error :) Apologies if these are 

Issue #1:
I have set the following variables:
sts_role_arn: "arn:aws:iam::1234567890:role/My_AccountAccessRole" 
sts_role_session_name: "ansible"
aws_access_key: ###key####
aws_secret_key: ###key###

However it seems to be trying to run the sts_assume_role as the instance, 
rather than the user, as the error shows:
<Message>User: 
arn:aws:sts::9876543210:assumed-role/My_EC2InstanceRole/i-00000000000000 is 
not authorized to perform: sts:AssumeRole on resource: 
arn:aws:iam::1234567890:role/My_AccountAccessRole</Message>

If I run any commands using the aws cli, they work correctly. I.e., if I run: 
aws ec2 describe-instances --profile MyProfile | egrep 
"SubnetId|AvailabilityZone|test", it returns the details. The profile 
contains a line of "role_arn = 
arn:aws:iam::1234567890:role/My_AccountAccessRole", but these are running as 
the user, rather than the instance.

Issue #2:
It doesn't seem to read the ~/.aws/config file for a profile. If I set 
'profile: MyProfile' and this profile exists in ~/.aws/config, it still 
returns a 'nboto.provider.ProfileNotFoundError: Profile \"MyProfile\" not 
found!\n' error. As stated above, if I use the cli with the --profile flag, 
it works fine....


Ansible was installed using git clone, make rpm, rpm -e.
Details:
[briano@ip-XXX-xx-XXX-xx tasks]$ ansible --version
ansible 2.3.0.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = Default w/o overrides
  python version = 2.7.12 (default, Sep  1 2016, 22:14:00) [GCC 4.8.3 
20140911 (Red Hat 4.8.3-9)]
[briano@ip-XXX-xx-XXX-xx tasks]$ cat /etc/os-release 
NAME="Amazon Linux AMI"
VERSION="2017.03"
ID="amzn"
ID_LIKE="rhel fedora"
VERSION_ID="2017.03"
PRETTY_NAME="Amazon Linux AMI 2017.03"
ANSI_COLOR="0;33"
CPE_NAME="cpe:/o:amazon:linux:2017.03:ga"
HOME_URL="http://aws.amazon.com/amazon-linux-ami/"

Thanks for any help, and if I am in the wrong place, please let me know!

B
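
Added example, not part of the original post and not Ansible or boto code: a small Python check that reports whether a named profile is defined in ~/.aws/config (section "[profile NAME]") or in ~/.aws/credentials (section "[NAME]"), and whether it is a role_arn profile or holds static keys. The helper names, the sample file contents (including source_profile and the key placeholders) are constructed, and it is an assumption that the boto library named in the error resolves profiles from the credentials file rather than from ~/.aws/config.

```python
import configparser
import os
import tempfile


def locate_profile(name, config_path, credentials_path):
    """Report where an AWS profile is defined and what kind of profile it is."""
    report = {"in_config": False, "in_credentials": False,
              "role_arn": None, "source_profile": None, "has_static_keys": False}

    cfg = configparser.ConfigParser()
    cfg.read(config_path)  # a missing file is silently skipped
    # ~/.aws/config names sections "[profile NAME]", except "[default]".
    section = "default" if name == "default" else "profile " + name
    if cfg.has_section(section):
        report["in_config"] = True
        report["role_arn"] = cfg.get(section, "role_arn", fallback=None)
        report["source_profile"] = cfg.get(section, "source_profile", fallback=None)

    creds = configparser.ConfigParser()
    creds.read(credentials_path)
    # ~/.aws/credentials names sections "[NAME]" with no "profile " prefix.
    if creds.has_section(name):
        report["in_credentials"] = True
        report["has_static_keys"] = creds.has_option(name, "aws_access_key_id")
    return report


def build_sample(directory):
    """Write constructed sample files shaped like the setup in the post."""
    config_path = os.path.join(directory, "config")
    credentials_path = os.path.join(directory, "credentials")
    with open(config_path, "w") as fh:
        fh.write("[profile MyProfile]\n"
                 "role_arn = arn:aws:iam::1234567890:role/My_AccountAccessRole\n"
                 "source_profile = default\n")  # constructed value
    with open(credentials_path, "w") as fh:
        fh.write("[default]\n"
                 "aws_access_key_id = EXAMPLEKEYID\n"          # placeholder
                 "aws_secret_access_key = EXAMPLESECRET\n")    # placeholder
    return config_path, credentials_path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        cfg_path, cred_path = build_sample(tmp)
        for profile in ("MyProfile", "default"):
            print(profile, locate_profile(profile, cfg_path, cred_path))
```

To check a real setup, call locate_profile with the paths of the actual ~/.aws/config and ~/.aws/credentials files for the user that runs the playbook.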
