** A heads up: the following post is very detailed, and I eventually figured out the problem. So if you’re not up for wading through it, that’s cool.
I have an Ansible playbook that I’m trying to run. It creates an AWS VPC, so it requires AWS credentials. I’ve set up a couple of environment variables and run:
aws configure
So I have environment variables and the two files:
$ ll ~/.aws/
total 12
drwxrwxr-x 3 developer developer 4096 2018-08-03_16:59 cli/
-rw------- 1 developer developer 159 2018-08-06_11:26 config
-rw------- 1 developer developer 235 2018-08-06_11:22 credentials
$ cat ~/.aws/config
[default]
region = us-east-1
cli_timestamp_format = iso8601
[profile TestAdmin]
role_arn = arn:aws:iam::327329368532:role/Test-Admin
source_profile = default
output = json
region = us-east-1
$ cat ~/.aws/credentials
[default]
aws_secret_access_key = a9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
aws_access_key_id = ARxxxxxxxxxxxxxx
[TestAdmin]
aws_secret_access_key = a9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
aws_access_key_id = ARxxxxxxxxxxxxxx
$ env | grep AWS
AWS_PROFILE=TestAdmin
AWS_REGION=us-east-1
If I use awscli to fetch a list of VPCs, to create one, and to delete one, it works:
$ aws ec2 describe-vpcs
{
"Vpcs": [
{
"VpcId": "vpc-423ce7e8",
"InstanceTenancy": "default",
"Tags": [
{
"Value": "vpcone",
"Key": "Name"
}
],
"CidrBlockAssociationSet": [
{
"AssociationId": "vpc-cidr-assoc-fcb91d90",
"CidrBlock": "10.100.0.0/16",
"CidrBlockState": {
"State": "associated"
}
}
],
"State": "available",
"DhcpOptionsId": "dopt-8d3787f4",
"CidrBlock": "10.100.0.0/16",
"IsDefault": false
}
]
}
$ aws ec2 create-vpc --cidr-block 10.103.0.0/16
{
"Vpc": {
"VpcId": "vpc-bd743cc7",
"InstanceTenancy": "default",
"Tags": [],
"CidrBlockAssociationSet": [
{
"AssociationId": "vpc-cidr-assoc-e058fe8c",
"CidrBlock": "10.103.0.0/16",
"CidrBlockState": {
"State": "associated"
}
}
],
"Ipv6CidrBlockAssociationSet": [],
"State": "pending",
"DhcpOptionsId": "dopt-8d3787f4",
"CidrBlock": "10.103.0.0/16",
"IsDefault": false
}
}
$ aws ec2 delete-vpc --vpc-id vpc-bd885cc7
$
I have this in the output of ‘pip list’:
$ pip list | grep -E '(boto|ansible)'
ansible 2.6.2
ansible-lint 3.4.23
boto 2.48.0
boto3 1.7.50
botocore 1.10.50
I’m on Ubuntu and here are some apt packages:
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.5 LTS"
$ apt search ^ansible$
Sorting... Done
Full Text Search... Done
ansible/xenial,xenial,now 2.6.2-1ppa~xenial all [installed]
Ansible IT Automation
$ apt search ^python.?$
Sorting... Done
Full Text Search... Done
python/xenial-updates,now 2.7.12-1~16.04 amd64 [installed]
interactive high-level object-oriented language (default version)
python3/xenial,now 3.5.1-3 amd64 [installed]
interactive high-level object-oriented language (default python3 version)
Here’s ansible reporting its version:
$ ansible --version
ansible 2.6.2
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/usr/local/lib/python2.7/dist-packages/ara/plugins/modules']
ansible python module location = /usr/local/lib/python2.7/dist-packages/ansible
executable location = /usr/local/bin/ansible
python version = 2.7.12 (default, Dec 4 2017, 14:50:18) [GCC 5.4.0 20160609]
All that should be good, I think. But when I run this playbook from the openshift-ansible project, I get a credentials error:
$ ansible-playbook -i /var/www/html/provision-openshift/inventory/provisioning-inventory.ini /var/www/html/openshift-ansible/playbooks/aws/openshift-cluster/prerequisites.yml -e @/var/www/html/provision-openshift/inventory/provisioning_vars.yml -vvv
ansible-playbook 2.6.2
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/usr/local/lib/python2.7/dist-packages/ara/plugins/modules']
ansible python module location = /usr/local/lib/python2.7/dist-packages/ansible
executable location = /usr/local/bin/ansible-playbook
python version = 2.7.12 (default, Dec 4 2017, 14:50:18) [GCC 5.4.0 20160609]
Using /etc/ansible/ansible.cfg as config file
Parsed /var/www/html/provision-openshift/inventory/provisioning-inventory.ini inventory source with ini plugin
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
PLAYBOOK: prerequisites.yml ***************************************************************************************************************
3 plays in /var/www/html/openshift-ansible/playbooks/aws/openshift-cluster/prerequisites.yml
PLAY [localhost] **************************************************************************************************************************
META: ran handlers
TASK [openshift_aws : Create AWS VPC] *****************************************************************************************************
task path: /var/www/html/openshift-ansible/roles/openshift_aws/tasks/vpc.yml:2
Monday 06 August 2018 13:38:42 -0400 (0:00:00.082) 0:00:00.082 *********
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: developer
<127.0.0.1> EXEC /bin/sh -c 'echo ~developer && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/developer/.ansible/tmp/ansible-tmp-1533577122.72-96497498776150 `" && echo ansible-tmp-1533577122.72-96497498776150="` echo /home/developer/.ansible/tmp/ansible-tmp-1533577122.72-96497498776150 `" ) && sleep 0'
Using module file /usr/local/lib/python2.7/dist-packages/ansible/modules/cloud/amazon/ec2_vpc_net.py
<127.0.0.1> PUT /home/developer/.ansible/tmp/ansible-local-8154HxVYj9/tmp9sLZEU TO /home/developer/.ansible/tmp/ansible-tmp-1533577122.72-96497498776150/ec2_vpc_net.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/developer/.ansible/tmp/ansible-tmp-1533577122.72-96497498776150/ /home/developer/.ansible/tmp/ansible-tmp-1533577122.72-96497498776150/ec2_vpc_net.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'sudo -H -S -n -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-bjpqfqmloapttckvdgwmfalyyeckoclc; /usr/bin/python /home/developer/.ansible/tmp/ansible-tmp-1533577122.72-96497498776150/ec2_vpc_net.py'"'"' && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /home/developer/.ansible/tmp/ansible-tmp-1533577122.72-96497498776150/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
Traceback (most recent call last):
File "/tmp/ansible_iBOj3w/ansible_module_ec2_vpc_net.py", line 182, in vpc_exists
matching_vpcs = vpc.describe_vpcs(Filters=[{'Name': 'tag:Name', 'Values': [name]}, {'Name': 'cidr-block', 'Values': cidr_block}])['Vpcs']
File "/tmp/ansible_iBOj3w/ansible_modlib.zip/ansible/module_utils/aws/core.py", line 224, in deciding_wrapper
return unwrapped(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 314, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 599, in _make_api_call
operation_model, request_dict)
File "/usr/local/lib/python2.7/dist-packages/botocore/endpoint.py", line 148, in make_request
return self._send_request(request_dict, operation_model)
File "/usr/local/lib/python2.7/dist-packages/botocore/endpoint.py", line 173, in _send_request
request = self.create_request(request_dict, operation_model)
File "/usr/local/lib/python2.7/dist-packages/botocore/endpoint.py", line 157, in create_request
operation_name=operation_model.name)
File "/usr/local/lib/python2.7/dist-packages/botocore/hooks.py", line 227, in emit
return self._emit(event_name, kwargs)
File "/usr/local/lib/python2.7/dist-packages/botocore/hooks.py", line 210, in _emit
response = handler(**kwargs)
File "/usr/local/lib/python2.7/dist-packages/botocore/signers.py", line 90, in handler
return self.sign(operation_name, request)
File "/usr/local/lib/python2.7/dist-packages/botocore/signers.py", line 156, in sign
auth.add_auth(request)
File "/usr/local/lib/python2.7/dist-packages/botocore/auth.py", line 352, in add_auth
raise NoCredentialsError
NoCredentialsError: Unable to locate credentials
fatal: [localhost]: FAILED! => {
"boto3_version": "1.7.50",
"botocore_version": "1.10.50",
"changed": false,
"invocation": {
"module_args": {
"aws_access_key": null,
"aws_secret_key": null,
"cidr_block": [
"10.103.0.0/16"
],
"dhcp_opts_id": null,
"dns_hostnames": true,
"dns_support": true,
"ec2_url": null,
"multi_ok": false,
"name": "vpctest",
"profile": null,
"purge_cidrs": false,
"region": "us-east-1",
"security_token": null,
"state": "present",
"tags": {
"Name": "vpctest"
},
"tenancy": "default",
"validate_certs": true
}
},
"msg": "Failed to describe VPCs: Unable to locate credentials"
}
PLAY RECAP ********************************************************************************************************************************
localhost : ok=0 changed=0 unreachable=0 failed=1
Monday 06 August 2018 13:38:44 -0400 (0:00:01.726) 0:00:01.809 *********
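The -vvv output above shows the module being executed through `sudo -H -S -n -u root`, so the credential lookup runs in root's environment rather than developer's. The following is an added example, not part of the original post and not botocore's own code: a simplified model of that lookup (access-key environment variables, then the shared credentials file under HOME) run against constructed home directories. It assumes sudo's `env_reset` policy is in effect; `credential_view`, `after_sudo_H` and `build_demo` are hypothetical helper names.

```python
import configparser
import os
import tempfile


def credential_view(env):
    """Simplified model of what a botocore-style lookup finds for an environment."""
    home = env.get("HOME", "/")
    profile = env.get("AWS_PROFILE", "default")
    cred_path = env.get("AWS_SHARED_CREDENTIALS_FILE",
                        os.path.join(home, ".aws", "credentials"))
    sources = []
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        sources.append("env")
    parser = configparser.ConfigParser()
    parser.read(cred_path)  # a missing file is skipped silently
    if parser.has_section(profile) and parser.has_option(profile, "aws_access_key_id"):
        sources.append("shared-credentials-file")
    return {"profile": profile, "credentials_file": cred_path, "sources": sources}


def after_sudo_H(env, target_home, env_keep=("TERM",)):
    """Model `sudo -H -u root` under env_reset (assumption): AWS_* vars are
    dropped and HOME becomes the target user's home directory."""
    kept = {k: v for k, v in env.items() if k in env_keep}
    kept["HOME"] = target_home
    return kept


def build_demo():
    """Create constructed home directories; only the invoking user has ~/.aws."""
    base = tempfile.mkdtemp()
    dev_home = os.path.join(base, "home", "developer")
    root_home = os.path.join(base, "root")
    os.makedirs(os.path.join(dev_home, ".aws"))
    os.makedirs(root_home)
    with open(os.path.join(dev_home, ".aws", "credentials"), "w") as fh:
        for name in ("default", "TestAdmin"):
            fh.write("[%s]\naws_access_key_id = CONSTRUCTED_ID\n"
                     "aws_secret_access_key = constructed-secret\n" % name)
    user_env = {"HOME": dev_home, "AWS_PROFILE": "TestAdmin", "AWS_REGION": "us-east-1"}
    return user_env, root_home


if __name__ == "__main__":
    user_env, root_home = build_demo()
    print("as developer:", credential_view(user_env))
    print("after sudo -H:", credential_view(after_sudo_H(user_env, root_home)))
```
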