Hi all,
I have a playbook that simply goes and adds instances to my ELB, but apparently the user's keys specified were not authorized to perform "DescribeLoadBalancers". This user has a policy attached to it that allows full access to this ELB.
Task:
- name: Instance re-register
local_action: ec2_elb ec2_elbs=steventest region=us-east-1 instance_id="{{ ansible_ec2_instance_id }}" state=present wait=yes wait_timeout=5 aws_access_key=A… aws_secret_key=…sc enable_availability_zone=no
I got this error message.
User: arn:aws:iam::123456789:user/elb_dedicated is not authorized to perform: elasticloadbalancing:DescribeLoadBalancers
From AWS doc http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/UsingIAM.html
Elastic Load Balancing does not support setting permissions for a user or a group to use the following APIs with a specific load balancer:
- DescribeInstanceHealth
- DescribeLoadBalancerAttributes
- DescribeLoadBalancerPolicyTypes
- DescribeLoadBalancers
- DescribeLoadBalancerPolicies
- DescribeTags
You can continue to use the Describe APIs in the Action element of the policy statement to grant access to all ELB load balancers. However, if you use the Describe APIs in the Action element and also specify a load balancer ARN in the Resource element, the API call will fail.
So ec2_elb will work when I do not specify the specific ELB in the resource. This is the way AWS implemented access controls for ELBs, and Ansible is not at fault here.
Policy attached to AWS user elb_dedicated; currently I allow all actions for this account on this steventest ELB.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "steventestelb",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:*"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:us-east-1:123456789:loadbalancer/steventest"
            ]
        }
    ]
}
So I removed all "Resource" and the final policy is this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "steventestelb",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:*"
            ]
        }
    ]
}
With this policy, I still got the same error.
failed: [ec2-54-80-…compute-1.amazonaws.com -> 127.0.0.1] => {"failed": true, "parsed": false}
invalid output was: Traceback (most recent call last):
  File "/home/steven/.ansible/tmp/ansible-tmp-1410294577.11-237620736023803/ec2_elb", line 1874, in <module>
    main()
  File "/home/steven/.ansible/tmp/ansible-tmp-1410294577.11-237620736023803/ec2_elb", line 317, in main
    region=region, **aws_connect_params)
  File "/home/steven/.ansible/tmp/ansible-tmp-1410294577.11-237620736023803/ec2_elb", line 123, in __init__
    self.lbs = self._get_instance_lbs(ec2_elbs)
  File "/home/steven/.ansible/tmp/ansible-tmp-1410294577.11-237620736023803/ec2_elb", line 264, in _get_instance_lbs
    elbs = elb.get_all_load_balancers()
  File "/usr/local/lib/python2.7/dist-packages/boto/ec2/elb/__init__.py", line 135, in get_all_load_balancers
    [('member', LoadBalancer)])
  File "/usr/local/lib/python2.7/dist-packages/boto/connection.py", line 1166, in get_list
    raise self.ResponseError(response.status, response.reason, body)
boto.exception.BotoServerError: BotoServerError: 403 Forbidden
Sender
AccessDenied
User: arn:aws:iam::123456789:user/elb_dedicated is not authorized to perform: elasticloadbalancing:DescribeLoadBalancers
04bd7b0d-3860-11e4-8ac6-5fafa616e3b3
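The two policies in the post illustrate the two ways an ELB Describe grant goes wrong: the first scopes elasticloadbalancing:* to one load balancer ARN, which the quoted AWS documentation says makes the Describe calls fail, and the second has no Resource element at all, which an identity-based IAM policy requires (Resource or NotResource). The following script is an added example, not code from the post or from Ansible: it lints a policy document for both problems and produces a least-privilege rewrite that keeps the mutating actions scoped to the ELB ARN while granting elasticloadbalancing:Describe* on Resource "*". ORIGINAL_POLICY is a copy of the first policy from the post; ELB_DESCRIBE_ACTIONS is the list quoted from the AWS documentation above; the Sid "ElbDescribeAll" is a name chosen here. The matcher handles only Allow statements and ignores Deny, so it is a lint for this specific pitfall, not a full IAM policy simulator.

```python
"""Lint an IAM identity policy for the ELB Describe-API pitfall and rewrite it.

Added example: not the post's own code, not Ansible's, and not AWS tooling.
"""
import copy
import json
import re

# ELB Describe APIs for which AWS does not support resource-level permissions
# (the list quoted from the AWS documentation in the post above).
ELB_DESCRIBE_ACTIONS = [
    "elasticloadbalancing:DescribeInstanceHealth",
    "elasticloadbalancing:DescribeLoadBalancerAttributes",
    "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeLoadBalancerPolicies",
    "elasticloadbalancing:DescribeTags",
]

# Copy of the poster's first policy (account id and ELB name exactly as in the post).
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "steventestelb",
        "Effect": "Allow",
        "Action": ["elasticloadbalancing:*"],
        "Resource": ["arn:aws:elasticloadbalancing:us-east-1:123456789:loadbalancer/steventest"],
    }],
}


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching: '*' matches any run of characters, '?' one character, case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def missing_resource_sids(policy):
    """Sids of statements with neither Resource nor NotResource (invalid in an identity-based policy)."""
    return [s.get("Sid") for s in _as_list(policy.get("Statement"))
            if "Resource" not in s and "NotResource" not in s]


def describe_is_granted(policy, action):
    """True only if some Allow statement matches the action with Resource '*'.

    Deny statements are deliberately ignored: this is a lint for the scoping pitfall,
    not a policy simulator.
    """
    for stmt in _allow_statements(policy):
        if "*" in _as_list(stmt.get("Resource")) and any(
                action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            return True
    return False


def scoped_describe_problems(policy):
    """Describe actions that an Allow statement names (directly or via a wildcard such as
    elasticloadbalancing:*) but that are never granted on Resource '*', so the grant is useless."""
    mentioned = {a for s in _allow_statements(policy)
                 for p in _as_list(s.get("Action"))
                 for a in ELB_DESCRIBE_ACTIONS if action_matches(p, a)}
    return sorted(a for a in mentioned if not describe_is_granted(policy, a))


def split_policy(policy):
    """Return a copy of the policy with an extra statement granting Describe* on all load
    balancers. The original ARN-scoped statement is kept, so write actions stay limited to
    the named ELB; only the read-only Describe calls are widened, as AWS requires."""
    fixed = copy.deepcopy(policy)
    if not scoped_describe_problems(policy):
        return fixed
    fixed["Statement"] = _as_list(fixed["Statement"]) + [{
        "Sid": "ElbDescribeAll",  # name chosen for this example
        "Effect": "Allow",
        "Action": ["elasticloadbalancing:Describe*"],
        "Resource": ["*"],
    }]
    return fixed


if __name__ == "__main__":
    print("useless Describe grants:", scoped_describe_problems(ORIGINAL_POLICY))
    print(json.dumps(split_policy(ORIGINAL_POLICY), indent=2))
```

Running the script against the post's first policy lists all six Describe actions as granted-but-unusable; after split_policy the lint is clean and DescribeLoadBalancers is permitted, while RegisterInstancesWithLoadBalancer and the other write calls remain restricted to the steventest ARN. Feeding the post's second policy to missing_resource_sids flags its statement, which is the check to run before assuming the user actually received the broader grant.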