Unable to run the aws cli command in playbook

    - name: Change DBSNMP User Password in Oracle database and OMS
      hosts: localhost
      become: true
      become_user: root
      vars_files:
        - dbsnmp_oms_vault_sm.yml
      tasks:
        - name: Execute old password from AWS CLI command
          shell: |
            export AWS_ACCESS_KEY_ID={{ aws_access_key }}
            export AWS_SECRET_ACCESS_KEY={{ aws_secret_key }}
            export AWS_SESSION_TOKEN={{ aws_session_token }}
          args:
            executable: /bin/bash

        - name: Execute AWS CLI Command Locally
          shell: "/usr/local/bin/aws sts get-caller-identity"
          #cmd: "/usr/local/bin/aws secretsmanager get-secret-value --secret-id oracle_dbsnmp_user_pwd --query 'SecretString' --output json"
          register: old_pwd_aws_output
          delegate_to: localhost
          become: yes
          become_user: root

        - name: Display old password
          debug:
            msg: "{{ aws_access_key }} {{ old_pwd_aws_output.stdout_lines }}"

Error:

    [ansibledba@itopslx03 playbooks]$ sudo ansible-playbook test1.yml

    [WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details

    PLAY [Change DBSNMP User Password in Oracle database and OMS] ***************************************************************************

    TASK [Gathering Facts] ******************************************************************************************************************
    ok: [localhost]

    TASK [Execute old password from AWS CLI command] ****************************************************************************************
    changed: [localhost]

    TASK [Execute AWS CLI Command Locally] **************************************************************************************************
    fatal: [localhost -> localhost]: FAILED! => {"changed": true, "cmd": "/usr/local/bin/aws sts get-caller-identity", "delta": "0:00:00.825405", "end": "2025-03-14 07:21:45.635280", "msg": "non-zero return code", "rc": 254, "start": "2025-03-14 07:21:44.809875", "stderr": "\nAn error occurred (ExpiredToken) when calling the GetCallerIdentity operation: The security token included in the request is expired", "stderr_lines": ["", "An error occurred (ExpiredToken) when calling the GetCallerIdentity operation: The security token included in the request is expired"], "stdout": "", "stdout_lines": []}

    PLAY RECAP ******************************************************************************************************************************
    localhost : ok=2 changed=1 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

I’d recommend checking out the aws module rather than using aws-cli from the builtin shell module. A quick search of the command you are running shows this module as a likely starting place.

Also, if you’re running against localhost, you don’t need to export your env variables in your playbook (you can do that locally in your shell beforehand, or using a .env file).

Lastly, it's highly unlikely that you need to run with become: root in your play, or with sudo in your invocation (and especially not both, I think).

As an aside, your code will be easier to read/debug if you use code formatting.


Each task runs in a separate process, so environment variables will not persist between them.

You can set an environment variable for the task though, like so:

    - name: Execute AWS CLI Command Locally
      shell: "/usr/local/bin/aws sts get-caller-identity"
      environment:
        AWS_ACCESS_KEY_ID: "{{ aws_access_key }}"
        AWS_SECRET_ACCESS_KEY: "{{ aws_secret_key }}"
        AWS_SESSION_TOKEN: "{{ aws_session_token }}"
      register: old_pwd_aws_output
      delegate_to: localhost
      become: yes
      become_user: root

Secondly, not really sure why become is necessary there.

And can’t stress this enough, there are existing plugins to integrate with aws.

For example, the amazon.aws.secretsmanager_secret lookup plugin is what you're after here:

    - name: Display old password
      debug:
        msg: "{{ aws_access_key }} {{ lookup('amazon.aws.secretsmanager_secret', 'oracle_dbsnmp_user_pwd', access_key=aws_access_key, secret_key=aws_secret_key, session_token=aws_session_token) }}"
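Putting both replies together, here is the whole playbook as an added example (not code from either reply): the temporary credentials are set once through `environment:` on the play instead of being exported in a shell task, `become` is dropped, the password comes from the lookup plugin, and `no_log` keeps it and the access key out of the job log. The `block`/`rescue` expiry check and the `old_dbsnmp_pwd` variable name are assumptions; the secret name and vars file are the ones from the question.

```yaml
- name: Read the current DBSNMP password without leaking credentials
  hosts: localhost
  gather_facts: false
  vars_files:
    - dbsnmp_oms_vault_sm.yml
  # Play-level environment: every task sees the same credentials. Exports
  # inside a shell task vanish with that task's process, which is why the
  # original second task ran without them.
  environment:
    AWS_ACCESS_KEY_ID: "{{ aws_access_key }}"
    AWS_SECRET_ACCESS_KEY: "{{ aws_secret_key }}"
    AWS_SESSION_TOKEN: "{{ aws_session_token }}"
  tasks:
    - name: Confirm the session token is still valid before touching the secret
      block:
        - ansible.builtin.command:
            cmd: /usr/local/bin/aws sts get-caller-identity --output json
          register: caller
          changed_when: false
      rescue:
        # Assumed check: turn the raw ExpiredToken stderr into a clear failure
        - ansible.builtin.fail:
            msg: >-
              {{ 'AWS session token expired; refresh aws_session_token in dbsnmp_oms_vault_sm.yml'
                 if 'ExpiredToken' in (caller.stderr | default(''))
                 else caller.stderr | default('aws sts get-caller-identity failed') }}

    - name: Fetch the current DBSNMP password from Secrets Manager
      ansible.builtin.set_fact:
        old_dbsnmp_pwd: "{{ lookup('amazon.aws.secretsmanager_secret', 'oracle_dbsnmp_user_pwd', access_key=aws_access_key, secret_key=aws_secret_key, session_token=aws_session_token) }}"
      no_log: true   # never echo the secret or the keys into stdout or the log

    - name: Show only non-sensitive confirmation
      ansible.builtin.debug:
        msg: "Caller {{ (caller.stdout | from_json).Arn }} retrieved a {{ old_dbsnmp_pwd | length }}-character secret"
```

Run it as the ansibledba user without `sudo`; the lookup executes on the controller, so the credentials in the vars file are all it needs.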