Ansible unable to fetch/use temporary credentials when using metadata (IMDSv2) in Amazon Linux 2023

Purpose - Starting ec2 instance via ansible playbook using “amazon.aws.ec2” module with “delegate_to: localhost”

Error -

```
File “/home/user/.local/lib/python3.9/site-packages/boto/auth.py”, line 1018, in get_auth_handler raise boto.exception.NoAuthHandlerFound( failed: [ansibleHost-ip-address → localhost] (item… instance details here … }, “msg”: “No handler was ready to authenticate. 1 handlers were checked. [‘HmacAuthV4Hanler’] Check your credentials” }
```

The same works fine when IMDSv2 is disabled and IMDSv1 is put to use.

Context - IMDSv2 has additional token security while fetching AWS temporary credentials, while IMDSv1 does not.

The problem is faced only when trying to perform AWS operations (starting EC2 in our case) from within the playbook; the same operation works fine when performed directly via the AWS CLI on the same server (EC2).

Ansible version -
ansible [core 2.15.3]
python version = 3.9.16

Server - Managed server/node is Amazon Linux 2023

Note - The IMDSv2 configs are also correctly in place, like endpoint access being enabled and the hop limit being set to 2.

Need some help to expedite this issue and make use of IMDSv2 from inside the playbook.

This is expected behaviour. Please migrate to the ec2_instance module, which should support credentials from IMDSv2.
Note: While ec2_instance is not a drop-in replacement for ec2, it should support all of the underlying ec2 functionality.

The ec2 module was deprecated and removed in favour of the ec2_instance module which is based upon the “boto3” SDK, and should (assuming you’re using a recent version) support IMDSv2. The ec2 module was removed from the amazon.aws collection in release 4.0.0 of amazon.aws (2022), primarily because it was based upon the original “boto” SDK which hasn’t seen a release since 2018, predating IMDSv2.

The availability of the ec2 module would seem to imply you’re using an old and unsupported version of the amazon.aws collection, and I would strongly recommend upgrading.

Latest available versions
amazon.aws: 8.0.1
community.aws: 8.0.0
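As an added illustration (not code from this thread, nor from Ansible or boto) of why a token-unaware client fails once IMDSv2 is required: a constructed in-process stand-in for the metadata service, a legacy boto-style fetch that only issues plain GETs, and an IMDSv2-aware fetch that first obtains a session token. The header names and paths are the documented IMDS ones; the token, role name and credential values are constructed.

```python
import json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for IMDS in IMDSv2-required mode: the IAM credential
# paths answer only when the GET carries a valid session token.
TOKEN = "constructed-session-token"
CREDS = {"AccessKeyId": "ASIACONSTRUCTED", "SecretAccessKey": "x", "Token": "y"}
ROLE_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_HDR, TTL_HDR = "X-aws-ec2-metadata-token", "X-aws-ec2-metadata-token-ttl-seconds"

class FakeIMDSv2(BaseHTTPRequestHandler):
    def log_message(self, *a): pass  # keep the demo quiet
    def _send(self, code, body):
        self.send_response(code)
        self.end_headers()
        self.wfile.write(body.encode())
    def do_PUT(self):  # session token: PUT /latest/api/token with a TTL header
        ok = self.path == "/latest/api/token" and self.headers.get(TTL_HDR)
        self._send(200, TOKEN) if ok else self._send(400, "bad request")
    def do_GET(self):  # IMDSv2 required: any GET without the token is refused
        if self.headers.get(TOKEN_HDR) != TOKEN:
            self._send(401, "unauthorized")
        elif self.path == ROLE_PATH:
            self._send(200, "my-role")
        elif self.path == ROLE_PATH + "my-role":
            self._send(200, json.dumps(CREDS))
        else:
            self._send(404, "not found")

def start_fake_imds():
    srv = HTTPServer(("127.0.0.1", 0), FakeIMDSv2)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

def _get(url, headers=None):
    req = urllib.request.Request(url, headers=headers or {})
    return urllib.request.urlopen(req).read().decode()

def fetch_creds_v1(base):
    """Legacy boto-style flow: plain GETs, no session token."""
    try:
        return json.loads(_get(base + ROLE_PATH + _get(base + ROLE_PATH)))
    except urllib.error.HTTPError:
        return None  # a token-unaware client gets 401 and finds no credentials

def fetch_creds_v2(base):
    """IMDSv2 flow: PUT for a session token, then GETs that carry it."""
    req = urllib.request.Request(base + "/latest/api/token", method="PUT", headers={TTL_HDR: "21600"})
    hdr = {TOKEN_HDR: urllib.request.urlopen(req).read().decode()}
    return json.loads(_get(base + ROLE_PATH + _get(base + ROLE_PATH, hdr), hdr))
```

The v1 flow returning nothing is the same outcome boto reports above as "No handler was ready to authenticate": the credential lookup yields nothing, so no auth handler can be built.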


Yes, correct. The catch in my case was that I somehow had 2 versions of the amazon.aws collection showing up:
one was version 1.x, another was version 6.x,

and Ansible was using the first in the list, i.e. 1.x.

Had to update the ~/.ansible.cfg file with

```ini
[defaults]
collections_path=/path/to/version6.x/ansible_collections
```

and then additionally use the amazon.aws.ec2_instance module.

Thank you for the help; your answer guided me to get hold of my broken piece.

Just FYI, 6.x is in the final stages of its lifecycle and will likely only receive security updates at this point. It’s worth upgrading to 8.x if you can.

Definitely will give it a thought after reviewing our plans. Appreciate the Help!