
Ansible AWS using a role_arn with ansible playbook not giving permissions

I've been stuck on this for several days, and I can't seem to find anyone with exactly the same problem I keep running into. Currently my credentials and config are set up as follows:

~/.aws/credentials

[default]
aws_access_key_id = ###########
aws_secret_access_key = ######################

[dev]
role_arn=arn:aws:iam::############:role/###AccessRole
source_profile=default

~/.aws/config

[default]
region = us-east-1
output = json

[profile dev]
role_arn = arn:aws:iam::############:role/###AccessRole
source_profile = default

When I run AWS CLI commands, everything works fine. If I end up using AWS credentials with admin permissions it works, but I can't do that in our system.

Currently, the default role intentionally can't access anything; it assumes the dev role. However, I can't get Ansible to recognize dev. I have it all configured, and it works with Terraform, the AWS CLI and Git. Below are my input and the error when using ansible-playbook; I've redacted some information and trimmed the output. As you can see, I'm using ec2.ini and ec2.py.

Has anyone run into this? Is it related to using role_arn with Ansible? I've tried many things to get it working; what's below is the current state.

Thanks in advance!

AWS_PROFILE=dev ansible-playbook -i ./inventory/ec2.py playbook.yml --private-key ###.pem

----

[WARNING]:  * Failed to parse {home}/Ansible/Bastion/inventory/ec2.py with script plugin: Inventory script ({home}/Ansible/Bastion/inventory/ec2.py) had an execution error: Traceback (most recent call last):
  File "{home}/Ansible/Bastion/inventory/ec2.py", line 1712, in <module>
    Ec2Inventory()
  File "{home}Ansible/Bastion/inventory/ec2.py", line 285, in __init__
    self.do_api_calls_update_cache()
  File "{home}/Ansible/Bastion/inventory/ec2.py", line 552, in do_api_calls_update_cache
    self.get_instances_by_region(region)
  File "{home}/Ansible/Bastion/inventory/ec2.py", line 608, in get_instances_by_region
    conn = self.connect(region)
  File "{home}/Ansible/Bastion/inventory/ec2.py", line 570, in connect
    conn = self.connect_to_aws(ec2, region)
  File "{home}/Ansible/Bastion/inventory/ec2.py", line 591, in connect_to_aws
    sts_conn = sts.connect_to_region(region, **connect_args)
  File "{home}.local/lib/python2.7/site-packages/boto/sts/__init__.py", line 51, in connect_to_region
    **kw_params)
  File "{home}/.local/lib/python2.7/site-packages/boto/regioninfo.py", line 220, in connect
    return region.connect(**kw_params)
  File "{home}/.local/lib/python2.7/site-packages/boto/regioninfo.py", line 290, in connect
    return self.connection_cls(region=self, **kw_params)
  File "{home}/.local/lib/python2.7/site-packages/boto/sts/connection.py", line 107, in __init__
    provider=provider)
  File "{home}/.local/lib/python2.7/site-packages/boto/connection.py", line 1100, in __init__
    provider=provider)
  File "{home}/.local/lib/python2.7/site-packages/boto/connection.py", line 555, in __init__
    profile_name)
  File "{home}/.local/lib/python2.7/site-packages/boto/provider.py", line 201, in __init__
    self.get_credentials(access_key, secret_key, security_token, profile_name)
  File "{home}/.local/lib/python2.7/site-packages/boto/provider.py", line 297, in get_credentials
    profile_name)
boto.provider.ProfileNotFoundError: Profile "dev" not found!
[WARNING]:  * Failed to parse {home}/Ansible/Bastion/inventory/ec2.py with ini plugin: {home}/Ansible/Bastion/inventory/ec2.py:3: Error parsing host definition ''''': No closing quotation
[WARNING]: Unable to parse {home}/Ansible/Bastion/inventory/ec2.py as an inventory source
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [Create kp and access instance] *********************************************************

TASK [Setup variables] *************************************************************************************
ok: [localhost]

TASK [Backup previous key] *************************************************************************
changed: [localhost]

TASK [generate SSH key]
*******************************************************************
changed: [localhost]

TASK [Start and register instance] *****************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Profile given for AWS was not found.  Please fix and retry."}

PLAY RECAP *************************************************************************************************
localhost                  : ok=3    changed=2    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0  

EDIT:

      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                      dev           manual    --profile
access_key     ****************####      assume-role    
secret_key     ****************####      assume-role    
    region                <not set>             None    None
{
    "UserId": "<ACCESS_KEY?>:botocore-session-##########",
    "Account": "############",
    "Arn": "arn:aws:sts::############:assumed-role/###AccessRole/botocore-session-##########"
}
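The two outputs above show the same profile succeeding under botocore (the CLI resolves `dev` through `source_profile=default` and returns assumed-role credentials) and failing under the boto v2 that ec2.py imports. The following preflight check is an added example, not code from the question or from ec2.py: it models the two lookup rules in simplified form (boto v2 needs a static `aws_access_key_id` in the profile's own section; botocore follows `source_profile` links until it reaches one) and runs both against constructed copies of the two files. The account ID, key ID and role name are placeholders, and `preflight` is a name chosen for this example.

```python
"""Preflight check for an assume-role profile chain in ~/.aws/*.

Added example (not part of the question or the answer): it models the two
credential-lookup rules that differ between boto v2 (used by ec2.py) and
botocore (used by the AWS CLI and boto3) and runs both against constructed
copies of the credentials and config files. All account IDs, key IDs and
role names below are constructed placeholders.
"""
import configparser
from typing import Dict, List, Optional

# Constructed sample files mirroring the layout in the question.
CREDENTIALS = """
[default]
aws_access_key_id = AKIAEXAMPLE0000000
aws_secret_access_key = EXAMPLE/SECRET/KEY

[dev]
role_arn=arn:aws:iam::123456789012:role/ExampleAccessRole
source_profile=default
"""

CONFIG = """
[default]
region = us-east-1
output = json

[profile dev]
role_arn = arn:aws:iam::123456789012:role/ExampleAccessRole
source_profile = default
"""


def load(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def config_section(name: str) -> str:
    # ~/.aws/config names profiles "[profile x]", except for "[default]".
    return "default" if name == "default" else f"profile {name}"


def boto2_static_keys(name, creds, config) -> Optional[str]:
    """boto v2 rule (simplified): a profile is usable only if it carries a
    static aws_access_key_id in either file. role_arn/source_profile are not
    understood, so an assume-role-only profile is reported as not found."""
    for section, cp in ((name, creds), (config_section(name), config)):
        if cp.has_option(section, "aws_access_key_id"):
            return cp.get(section, "aws_access_key_id")
    return None


def merged_profile(name, creds, config) -> Optional[Dict[str, str]]:
    """View a profile the way botocore's shared-config loader does: the
    credentials-file section overrides the config-file section."""
    merged: Dict[str, str] = {}
    if config.has_section(config_section(name)):
        merged.update(config[config_section(name)])
    if creds.has_section(name):
        merged.update(creds[name])
    return merged or None


def botocore_chain(name, creds, config, max_hops=10) -> List[Dict[str, str]]:
    """botocore rule: follow source_profile links until a profile with static
    keys is reached. Every hop that carries role_arn is one sts:AssumeRole."""
    chain: List[Dict[str, str]] = []
    seen = set()
    while name not in seen:
        seen.add(name)
        prof = merged_profile(name, creds, config)
        if prof is None:
            raise KeyError(f"profile {name!r} not found")
        chain.append({"name": name, **prof})
        if "aws_access_key_id" in prof:
            return chain
        if "role_arn" not in prof or "source_profile" not in prof:
            raise ValueError(f"profile {name!r} has neither static keys "
                             "nor role_arn + source_profile")
        if len(chain) >= max_hops:
            break
        name = prof["source_profile"]
    raise ValueError(f"source_profile loop or too many hops at {name!r}")


def preflight(name: str, creds_text: str = CREDENTIALS,
              config_text: str = CONFIG) -> Dict[str, object]:
    """Report whether a profile works for a boto-v2 tool such as ec2.py and
    how botocore would resolve it."""
    creds, config = load(creds_text), load(config_text)
    chain = botocore_chain(name, creds, config)
    return {
        "boto2_usable": boto2_static_keys(name, creds, config) is not None,
        "assume_role_hops": [p["role_arn"] for p in chain if "role_arn" in p],
        "static_key_profile": chain[-1]["name"],
    }


if __name__ == "__main__":
    for profile in ("default", "dev"):
        print(profile, preflight(profile))
```

For the `dev` profile the report says `boto2_usable: False` with one AssumeRole hop terminating at `default`, which is exactly the combination behind the two errors in the question: the CLI is happy, anything linked against boto v2 raises `Profile "dev" not found!`. Point the two text constants at your real files (or read them from disk) to check a longer chain.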

ec2.py is too old; it only uses boto and can't use roles. It is also deprecated, and the correct way to use AWS dynamic inventory now is aws_ec2 from the aws collection. It uses boto3, supports roles, and is ultimately more flexible. If you need it, there is a compatibility ec2.py configuration here, but in the long run it is recommended to always use aws_ec2 groups and variables directly.

See this link on GitHub for the full story.
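A concrete aws_ec2 inventory for the setup in the question, as an added example that is not part of the answer. It assumes the profile name `dev` from the question and the region `us-east-1` from `~/.aws/config`; the `Environment` tag, the file name `inventory/dev.aws_ec2.yml` and the group prefixes are constructed for the example. The file name must end in `aws_ec2.yml` (or `.yaml`) for the plugin to claim it.

```yaml
# inventory/dev.aws_ec2.yml  (constructed name; the suffix aws_ec2.yml is required)
plugin: amazon.aws.aws_ec2

# Pin the profile here or export AWS_PROFILE=dev; botocore follows the
# role_arn/source_profile chain from ~/.aws/config, so no static keys for
# the dev account are needed. iam_role_arn is the alternative when the
# role is not in a profile.
aws_profile: dev
regions:
  - us-east-1

# Only running instances carrying the (constructed) Environment=dev tag.
filters:
  instance-state-name: running
  tag:Environment: dev

# Address hosts by private IP, which assumes you reach them via the bastion.
hostnames:
  - private-ip-address
compose:
  ansible_host: private_ip_address

# Groups derived from tags and instance type: env_dev, name_<Name>, type_t3_micro ...
keyed_groups:
  - key: tags.Environment
    prefix: env
  - key: tags.Name
    prefix: name
  - key: instance_type
    prefix: type
```

Check it before running the play with `AWS_PROFILE=dev ansible-inventory -i inventory/dev.aws_ec2.yml --graph`; then pass the same `-i` to `ansible-playbook` instead of `ec2.py`. The assumed role needs `ec2:DescribeInstances` for the plugin to list anything. Separately, the `Profile given for AWS was not found` failure in the play's own task comes from the AWS module the task uses, not the inventory, so that task must use a boto3-based module (for instance `ec2_instance` rather than the legacy `ec2`) with `boto3` and `botocore` installed for the interpreter Ansible runs under.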
