Setting aws_access_key/aws_secret_key in AWS Dyn Inventory config doesn't work?

Ubuntu 22.04 VM, Ansible 2.16.11 from PPA, amazon.aws 8.2.1 here.

The official docs (Dynamic Inventory Plugin — Ansible Community Documentation) state that you can do this:

# demo.aws_ec2.yml
plugin: amazon.aws.aws_ec2

# The access key for your AWS account.
aws_access_key: <YOUR-AWS-ACCESS-KEY-HERE>
# The secret access key for your AWS account.
aws_secret_key: <YOUR-AWS-SECRET-KEY-HERE>

Now, it’s not my intention to pass credentials in cleartext, I’m just learning/researching/debugging here. The fact is, I can’t get it to work with the variables set directly in the AWS Dynamic Inventory config file (aws_ec2.yml). Tried it with and without quotes. I’m getting the following error:

 ansible-playbook --flush-cache lsn13.yml
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [Create AWS instances] *************************************************************************************************************************************************************************

TASK [Gathering Facts] ******************************************************************************************************************************************************************************
ok: [localhost]

TASK [Create instances] *****************************************************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: botocore.exceptions.NoCredentialsError: Unable to locate credentials
failed: [localhost] (item=build) => {"ansible_loop_var": "item", "boto3_version": "1.35.26", "botocore_version": "1.35.26", "changed": false, "item": "build", "msg": "Could not describe default VPC: Unable to locate credentials"}

Note that the plugin config seems to have been parsed successfully; the error occurs when trying to create an instance.

Is what I’m trying to do just not supported anymore?

Your mistake is assuming that setting the credentials for the inventory plugin is in any way related to module execution. It’s not. Those credential settings are only used by the inventory plugin itself.

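The separation described in the answer above, as an added example that is not part of the original thread: the inventory file keeps its own keys, while the playbook hands credentials to the amazon.aws modules through `module_defaults`. The vault file path, the `vault_aws_*` variable names and the region are assumptions made for illustration.

```yaml
# demo.aws_ec2.yml -- inventory plugin config. These two keys are read only
# by the inventory plugin while it builds the host list.
plugin: amazon.aws.aws_ec2
aws_access_key: <YOUR-AWS-ACCESS-KEY-HERE>
aws_secret_key: <YOUR-AWS-SECRET-KEY-HERE>
---
# lsn13.yml -- modules authenticate on their own, so credentials are passed
# to them separately, here once for every module in the aws action group.
- name: Create AWS instances
  hosts: localhost
  connection: local
  gather_facts: false
  vars_files:
    # Assumed path: a file encrypted with ansible-vault that defines
    # vault_aws_access_key and vault_aws_secret_key (hypothetical names).
    - vault/aws.yml
  vars:
    aws_region: us-east-1  # assumed region
  module_defaults:
    group/aws:
      access_key: "{{ vault_aws_access_key }}"
      secret_key: "{{ vault_aws_secret_key }}"
      region: "{{ aws_region }}"
  tasks:
    # Check which identity the modules actually use before changing anything.
    - name: Confirm the identity used by the modules
      amazon.aws.aws_caller_info:
      register: caller

    - name: Show the caller ARN
      ansible.builtin.debug:
        msg: "Modules authenticate as {{ caller.arn }}"

    # Read-only call that fails with NoCredentialsError if no credentials
    # reach the module, the same failure mode as in the question.
    - name: List running instances
      amazon.aws.ec2_instance_info:
        filters:
          instance-state-name: running
      register: running_instances
```

Environment variables such as `AWS_ACCESS_KEY_ID` work for both because boto3 reads them in every process, which is why they masked the separation in the first place.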

Ah, I see. I was confused by the fact that AWS credentials set as environmental variables worked for both.
