Hi,

That issue is now fixed by re-doing that part of the code, but it introduced another error:

S3 error: Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.

This is because the S3 bucket is encrypted. I tried to create a temporary unencrypted bucket and it works fine. I found a document and it says "to use KMS with S3 encryption you have to set the signature version to v4 explicitly"
https://forums.aws.amazon.com/thread.jspa?threadID=165286
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version

I am not sure where this needs to be updated, as I am running this code from a Cloud9 environment. I guess it is Python-Boto SDK.

On Tuesday, January 8, 2019 at 12:41:40 PM UTC, Dick Visser wrote:
>
> I suspect the issue is introduced by the copy/pasting.
> Can you pipe it directly to yamllint and tell us what that says?
>
> Dick
>
> On Tue, 8 Jan 2019 at 11:06, Kishore Ponniah <[email protected]> wrote:
> >
> > Please find my code below: I checked the code using YAML validator and looks like it is valid. But still complaining about Line 12 column 6.
> >
> > Any help please?
> >
> > ---
> > # This playbook builds IAM infrastructure in all configured accounts
> > - name: Install/Update RXGT Identity account CF templates
> >   hosts: infrastructure
> >   tasks:
> >
> > - name: Install/Update RXGT PS cross account CF templates
> >   hosts: infrastructure
> >   tasks:
> >     # Support using STS temporary creds (optional)
> >     # See readme.md
> >     - name: get sts session token
> >       sts_session_token:
> >         duration_seconds: "{{ sts_session_duration | default(3600) }}"
> >         # Support role policy with mandatory MFA
> >         mfa_serial_number: "{{ sts_mfa_serial_number | default(omit) }}"
> >         mfa_token: "{{ sts_mfa_token | default(omit) }}"
> >       register: sts_session_token
> >       when: with_sts
> >       tags:
> >         rxgt-ps-identity-stack-deploy
> >
> >     - name: retrieve sts credentials
> >       set_fact:
> >         sts_access_key: "{{ sts_session_token.sts_creds.access_key }}"
> >         sts_secret_key: "{{ sts_session_token.sts_creds.secret_key }}"
> >         sts_session_token: "{{ sts_session_token.sts_creds.session_token }}"
> >       when: with_sts
> >       tags:
> >         rxgt-ps-identity-stack-deploy
> >
> >     - name: debug role arns
> >       debug:
> >         msg: "Assuming role: {{ account_config.sts_role_arn }}"
> >         verbosity: 1
> >       loop: "{{ rxgt_identity_account['deploy_accounts']|map('extract', rxgt_identity_account['account_config'])|list }}"
> >       loop_control:
> >         loop_var: account_config
> >         label: "{{ account_config.sts_role_arn }}"
> >       tags:
> >         rxgt-ps-identity-stack-deploy
> >
> >     - name: assume cross account roles
> >       sts_assume_role:
> >         role_arn: "{{ account_config.sts_role_arn }}"
> >         role_session_name: "ansibledeploy"
> >         duration_seconds: "{{ sts_session_duration | default(3600) }}"
> >         # Use STS temporary creds or fallback to aws cli/boto creds - see readme.md
> >         aws_access_key: "{{ sts_access_key | default(omit) }}"
> >         aws_secret_key: "{{ sts_secret_key | default(omit) }}"
> >         security_token: "{{ sts_session_token | default(omit) }}"
> >         # Support role policy with mandatory MFA
> >         mfa_serial_number: "{{ sts_mfa_serial_number | default(omit) }}"
> >         mfa_token: "{{ sts_mfa_token | default(omit) }}"
> >       loop: "{{ rxgt_identity_account['deploy_accounts']|map('extract', rxgt_identity_account['account_config'])|list }}"
> >       loop_control:
> >         loop_var: account_config
> >         label: "{{ account_config.sts_role_arn }}"
> >       # https://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html#using-register-with-a-loop
> >       register: assumed_roles_with_account_config
> >       tags:
> >         rxgt-ps-identity-stack-deploy
> >
> >     - name: create rxgt-ps-cross-account-iam-atlas-developer-roles changeset
> >       cloudformation:
> >         stack_name: "rxgt-ps-cross-account-iam-atlas-developer-roles"
> >         state: present
> >         region: "{{ account_config.1 }}"
> >         aws_access_key: "{{ account_config.0.sts_creds.access_key }}"
> >         aws_secret_key: "{{ account_config.0.sts_creds.secret_key }}"
> >         security_token: "{{ account_config.0.sts_creds.session_token }}"
> >         create_changeset: true
> >         changeset_name: "{{ cf_changeset_name }}"
> >         # Don't pass the cd-deploy-role to CF due to [possible privilege escalation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html)
> >         # for anyone able to perform stack updates.
> >         # role_arn: "{{ account_config.0.account_config.pass_role_arn }}"
> >         template_url: "https://s3.console.aws.amazon.com/s3/buckets/xxxxxxxxxxxxxxxx/xxxxxxxxxxxx/xxxxxxxxxx/xxxxxxxxx/rxgt-ps-cross-account-iam-atlas-developer-roles.yaml"
> >         template_parameters: "{{ account_config.0.account_config.stacks['rxgt-ps-cross-account-iam-atlas-developer-roles'].params }}"
> >         termination_protection: no
> >         tags: "{{ global_tags | combine(account_config.0.account_config.stacks['rxgt-ps-cross-account-iam-atlas-developer-roles'].override_tags, recursive=True) }}"
> >       # Convert to a list of dicts duplicated per region. See https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#subelements-filter
> >       loop: "{{ assumed_roles_with_account_config.results|subelements('account_config.regions', skip_missing=True) }}"
> >       loop_control:
> >         loop_var: account_config
> >         label: "{{ account_config.0.account_config.account_alias }}:{{ account_config.1 }}"
> >       tags:
> >         rxgt-ps-identity-stack-deploy
> >
> >     - name: create rxgt-ps-cross-account-iam-atlas-developer-roles stack
> >       cloudformation:
> >         stack_name: "rxgt-ps-cross-account-iam-atlas-developer-roles"
> >         state: present
> >         region: "{{ account_config.1 }}"
> >         aws_access_key: "{{ account_config.0.sts_creds.access_key }}"
> >         aws_secret_key: "{{ account_config.0.sts_creds.secret_key }}"
> >         security_token: "{{ account_config.0.sts_creds.session_token }}"
> >         create_changeset: false
> >         changeset_name: "{{ cf_changeset_name }}"
> >         # Don't pass the cd-deploy-role to CF due to [possible privilege escalation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html)
> >         # for anyone able to perform stack updates.
> >         # role_arn: "{{ account_config.0.account_config.pass_role_arn }}"
> >         template_url: "https://s3.console.aws.amazon.com/s3/buckets/xxxxxxxxxxxxxxxx/xxxxxxxxxxxx/xxxxxxxxxx/xxxxxxxxx/rxgt-ps-cross-account-iam-atlas-developer-roles.yaml"
> >         template_parameters: "{{ account_config.0.account_config.stacks['rxgt-ps-cross-account-iam-atlas-developer-roles'].params }}"
> >         termination_protection: no
> >         tags: "{{ global_tags | combine(account_config.0.account_config.stacks['rxgt-ps-cross-account-iam-atlas-developer-roles'].override_tags, recursive=True) }}"
> >       # Convert to a list of dicts duplicated per region. See https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#subelements-filter
> >       loop: "{{ assumed_roles_with_account_config.results|subelements('account_config.regions', skip_missing=True) }}"
> >       loop_control:
> >         loop_var: account_config
> >         label: "{{ account_config.0.account_config.account_alias }}:{{ account_config.1 }}"
> >       when: with_stack_deploy
> >       tags:
> >         rxgt-ps-identity-stack-deploy
> >
> > On Tuesday, January 8, 2019 at 1:37:43 AM UTC, goforawalktwice wrote:
> >>
> >> ooops ... the error was due to me copy/paste formatting - the second '-name' got indented too far - fixing that indentation makes it valid YAML according to that site
> >>
> >>
> >> On Tuesday, January 8, 2019 at 2:04:24 PM UTC+13, Karl Auer wrote:
> >>>
> >>> What is the problem that it reports on line 22?
> >>>
> >>> When posting code, please post in a fixed-width font if you can. Makes it easier to check indentation.
> >>>
> >>> Regards, K.
> >>>
> >>>
> >>> On Tue, Jan 8, 2019 at 11:58 AM goforawalktwice <[email protected]> wrote:
> >>>>
> >>>> hi, when I paste that YAML to
> >>>>
> >>>> https://jsonformatter.org/yaml-validator
> >>>>
> >>>> it reckons line 22 is a problem - the second -name entry. When I remove from line 22 down it reckons it's valid YAML.
> >>>>
> >>>> Regards, Straff
> >>>>
> >>>>
> >>>>
> >>>> On Tuesday, January 8, 2019 at 5:34:25 AM UTC+13, Kishore Ponniah wrote:
> >>>>>
> >>>>> Hi all,
> >>>>>
> >>>>> My cloudformation template has exceeded the template body limit more than 51200 bytes and I am trying to upload to s3 and deploy using cross account. I used template_url parameter in the playbook but giving an error. Before adding template_url, I had template_body which was working fine. I have only replaced template_body to template_url.
> >>>>>
> >>>>> Please find the playbook below:
> >>>>>
> >>>>> - name: create xx-xxxx-xxxx-xxxxxx-iam-atlas-developer-roles changeset
> >>>>>   cloudformation:
> >>>>>     stack_name: "xx-xxxx-xxxx-xxxxxx-iam-atlas-developer-roles"
> >>>>>     state: present
> >>>>>     region: "{{ account_config.1 }}"
> >>>>>     aws_access_key: "{{ account_config.0.sts_creds.access_key }}"
> >>>>>     aws_secret_key: "{{ account_config.0.sts_creds.secret_key }}"
> >>>>>     security_token: "{{ account_config.0.sts_creds.session_token }}"
> >>>>>     create_changeset: true
> >>>>>     changeset_name: "{{ cf_changeset_name }}"
> >>>>>     template_url: "https://s3.console.aws.amazon.com/s3/buckets/xxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxx/cloudformation/xxxxxxx/xx-xxxx-xxxx-xxxxxx-iam-atlas-developer-roles.yaml"
> >>>>>     template_parameters: "{{ account_config.0.account_config.stacks['xx-xxxx-xxxx-xxxxxx-iam-atlas-developer-roles'].params }}"
> >>>>>     termination_protection: no
> >>>>>     tags: "{{ global_tags | combine(account_config.0.account_config.stacks['xx-xxxx-xxxx-xxxxxx-iam-atlas-developer-roles'].override_tags, recursive=True) }}"
> >>>>>   loop: "{{ assumed_roles_with_account_config.results|subelements('account_config.regions', skip_missing=True) }}"
> >>>>>   loop_control:
> >>>>>     loop_var: account_config
> >>>>>     label: "{{ account_config.0.account_config.account_alias }}:{{ account_config.1 }}"
> >>>>>   tags:
> >>>>>     rxgt-ps-identity-stack-deploy
> >>>>>
> >>>>> - name: create xx-xxxx-xxxx-xxxxxx-iam-atlas-developer-roles stack
> >>>>>   cloudformation:
> >>>>>     stack_name: "xx-xxxx-xxxx-xxxxxx-iam-atlas-developer-roles"
> >>>>>     state: present
> >>>>>     region: "{{ account_config.1 }}"
> >>>>>     aws_access_key: "{{ account_config.0.sts_creds.access_key }}"
> >>>>>     aws_secret_key: "{{ account_config.0.sts_creds.secret_key }}"
> >>>>>     security_token: "{{ account_config.0.sts_creds.session_token }}"
> >>>>>     create_changeset: false
> >>>>>     changeset_name: "{{ cf_changeset_name }}"
> >>>>>     template_url: "https://s3.console.aws.amazon.com/s3/buckets/xxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxx/cloudformation/xxxxxxx/xx-xxxx-xxxx-xxxxxx-iam-atlas-developer-roles.yaml"
> >>>>>     template_parameters: "{{ account_config.0.account_config.stacks['xx-xxxx-xxxx-xxxxxx-iam-atlas-developer-roles'].params }}"
> >>>>>     termination_protection: no
> >>>>>     tags: "{{ global_tags | combine(account_config.0.account_config.stacks['xx-xxxx-xxxx-xxxxxx-iam-atlas-developer-roles'].override_tags, recursive=True) }}"
> >>>>>   # Convert to a list of dicts duplicated per region. See https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#subelements-filter
> >>>>>   loop: "{{ assumed_roles_with_account_config.results|subelements('account_config.regions', skip_missing=True) }}"
> >>>>>   loop_control:
> >>>>>     loop_var: account_config
> >>>>>     label: "{{ account_config.0.account_config.account_alias }}:{{ account_config.1 }}"
> >>>>>   when: with_stack_deploy
> >>>>>   tags:
> >>>>>     rxgt-ps-identity-stack-deploy
> >>>>
> >>>> --
> >>>> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
> >>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> >>>> To post to this group, send email to [email protected].
> >>>> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/c8fce4d7-b3f2-4495-9604-d554187f7ea0%40googlegroups.com.
> >>>> For more options, visit https://groups.google.com/d/optout.
> >>>
> >>>
> >>>
> >>> --
> >>> Karl Auer
> >>>
> >>> Email  : [email protected]
> >>> Website: http://2pisoftware.com
> >>>
> >>> GPG/PGP : 958A 2647 6C44 D376 3D63 86A5 FFB2 20BC 0257 5816
> >>> Previous: F0AB 6C70 A49D 1927 6E05 81E7 AD95 268F 2AB6 40EA
>
> --
> Dick Visser
> Trust & Identity Service Operations Manager
> GÉANT
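
Added example (not part of the original thread): the S3 error quoted at the top of this message means the client signed its request with something other than Signature Version 4. This stdlib-only Python sketch classifies a captured request as SigV2, SigV4 or unsigned from its Authorization header or presigned-URL query; the function names and sample requests are constructed for illustration.

```python
"""Added example: tell SigV2 from SigV4 on captured S3 requests (stdlib only)."""
from urllib.parse import parse_qs, urlsplit


def signature_version(authorization=None, url=None):
    """Return 'v4', 'v2' or 'unsigned' for one request.

    authorization: value of the Authorization header, if any.
    url: request URL, checked for presigned-URL query parameters.
    """
    parts = (authorization or "").split(None, 1)
    scheme = parts[0] if parts else ""
    if scheme == "AWS4-HMAC-SHA256":   # SigV4 header auth
        return "v4"
    if scheme == "AWS":                # SigV2 header auth: "AWS <key id>:<signature>"
        return "v2"
    query = parse_qs(urlsplit(url or "").query)
    if query.get("X-Amz-Algorithm") == ["AWS4-HMAC-SHA256"]:
        return "v4"                    # SigV4 presigned URL
    if "AWSAccessKeyId" in query and "Signature" in query:
        return "v2"                    # SigV2 presigned URL
    return "unsigned"


def not_sigv4(requests):
    """Return the names of requests that are not SigV4-signed."""
    return [r["name"] for r in requests
            if signature_version(r.get("authorization"), r.get("url")) != "v4"]


# Constructed sample requests; bucket, key id and signatures are placeholders.
SAMPLES = [
    {"name": "sdk-default-v2",
     "authorization": "AWS AKIAIOSFODNN7EXAMPLE:c2lnbmF0dXJl"},
    {"name": "sdk-forced-v4",
     "authorization": "AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/"
                      "20190108/eu-west-1/s3/aws4_request, "
                      "SignedHeaders=host;x-amz-date, Signature=0f0f0f"},
    {"name": "presigned-v2",
     "url": "https://example-bucket.s3.amazonaws.com/t.yaml"
            "?AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE&Expires=1546950000&Signature=abc"},
    {"name": "presigned-v4",
     "url": "https://example-bucket.s3.amazonaws.com/t.yaml"
            "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=0f0f0f"},
]

if __name__ == "__main__":
    for name in not_sigv4(SAMPLES):
        print("not SigV4:", name)
```

For code that uses boto3, the signature version is selected by passing `Config(signature_version="s3v4")` (from `botocore.client`) when the S3 client is created; whether the Ansible module in this thread goes through boto3 is not stated here.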
