Help: aws_ec2 inventory fails with 'NoneType' error and reserved name 'tags' warning

Get Help
, , , ,
1

Hi everyone,

I need some help troubleshooting a persistent NoneType error when trying to use the aws_ec2 inventory plugin combined with the amazon.aws.aws_ssm connection plugin.

I have already verified my AWS infrastructure side:

  1. The EC2 instance has full network connectivity to the SSM endpoints (tested via curl from inside the instance).
  2. The IAM Role attached to the EC2 instance is fully active (Attached entities: 1) and includes AmazonSSMManagedInstanceCore along with explicit permissions for ssm:SendCommand, ssm:GetCommandInvocation, ssm:ListCommandInvocations, and ssm:CancelCommand.
  3. My local AWS credentials have full Administrator access.

Despite having the network and IAM permissions correctly configured, the ad-hoc ping command fails immediately. It shows a warning about a reserved variable name tags right before throwing the NoneType exception.

Steps to reproduce:

  1. Set up an aws_ec2 inventory file using keyed_groups to organize instances by their AWS tags.
  2. Configure the connection plugin to use amazon.aws.aws_ssm.
  3. Run the ad-hoc command: ansible -i inventories/aws_ec2.yml all -m ping

My Current Inventory Configuration (inventories/aws_ec2.yml):
plugin: amazon.aws.aws_ec2
regions:

  • us-east-1

keyed_groups:

  • key: tags
    prefix: tag

compose:
ansible_connection: “amazon.aws.aws_ssm”
ansible_aws_ssm_region: “us-east-1”
ansible_user: “ssm-user”

Relevant Logs & Error Output:
renatomadeiamuiambo@Waka-Muiambo-2 ansible % ansible -i inventories/aws_ec2.yml all -m ping
[WARNING]: Found variable using reserved name ‘tags’.
Origin:

tags

[ERROR]: Task failed: expected string or bytes-like object, got ‘NoneType’
Origin: <adhoc ‘ping’ task>

{‘action’: ‘ping’, ‘args’: {}, ‘timeout’: 0, ‘async_val’: 0, ‘poll’: 15}

ec2-3-90-239-179.compute-1.amazonaws.com | FAILED! => {
“changed”: false,
“msg”: “Task failed: expected string or bytes-like object, got ‘NoneType’”
}

2

I haven’t tried to use ping with aws_ssm before.
My setup (very similar to yours) is working, but I get the same error when I try to use -m ping.

3

I don’t know if this is helpful, but I started poking around and realized that part of the issue that ping was having was the fact that the SSM bucket permissions weren’t allowing me to access the bucket in that context.

Once I resolved that I started getting a different error:
Unexpected failure during module execution: An error occurred (TargetNotConnected) when calling the StartSession operation: i-05af6a78627c78b11 is not connected.

I am pretty sure the warning about the tag is something that needs to be taken care of, but I have been getting that line when running my playbooks for a while now.

Have you tried running the ping with -vvv to see if there is more useful information there?

I have no reason to think these compose values are better than yours, but they are a little different:

compose:
  ansible_host: public_dns_name
  ansible_connection: "'community.aws.aws_ssm'"
  ansible_aws_ssm_instance_id: instance_id
  ansible_aws_ssm_region: placement.region
  ansible_aws_ssm_bucket_name: "'[redacted]'"
  aws_ssm_role_arn: "'arn:aws:iam::[redacted]:role/[redacted]"