Using 'aws login' with Dynamic Inventory plugin: amazon.aws.aws_ec2

I have been using the plugin: amazon.aws.aws_ec2 successfully for a while now.

I was successfully using aws-azure-login to get my AWS credentials, which works when it works, but aws-azure-login doesn’t always work and has consumed many of my hours trying to restore functionality when it stops working.

Today I tried using ‘aws login’, which is part of the AWS CLI.
Login for AWS local development using console credentials - AWS Command Line Interface

I can log in and use the cli without issue, but the dynamic inventory plugin seems to be unaware of it.

I have tried exporting the variables:
eval "$(aws configure export-credentials --profile your-profile-name --format env)"

which seems to have worked

echo $AWS_ACCESS_KEY_ID
****************APD6

except that the dynamic library still isn’t working.
Any thoughts on what I might be missing or how I go about troubleshooting this?

For testing, I am just trying to list a single inventory file:

ansible-inventory -i honorapp_aws_ec2.yaml --list
[WARNING]: Unable to parse honorapp_aws_ec2.yaml as an inventory source
[WARNING]: No inventory was parsed, only implicit localhost is available
{
    "_meta": {
        "hostvars": {},
        "profile": "inventory_legacy"
    },
    "all": {
        "children": [
            "ungrouped"
        ]
    }
}

but I am logged in

aws configure export-credentials --format env
export AWS_ACCESS_KEY_ID=****************APD6
export AWS_SECRET_ACCESS_KEY=****************mRCM
export AWS_SESSION_TOKEN=****************8lXIQ=
export AWS_CREDENTIAL_EXPIRATION=2026-04-27T20:43:29+00:00

and I can use the CLI without issue.

As a hail mary, I tried grabbing the keys from the environment:

# The access key for your AWS account.
aws_access_key: "{{ lookup('env', 'AWS_ACCESS_KEY_ID') }}"
# The secret access key for your AWS account.
aws_secret_key: "{{ lookup('env', 'AWS_SECRET_ACCESS_KEY') }}"

but with the same inventory result.

I am starting to think that whatever broke my aws-azure-login might have somehow also broken my dynamic inventory, which seems unlikely but …

Please help before I lose what is left of my mind.

I’m wondering if the plugin is parsing your inventory at all. Is INVENTORY_ENABLED configured? You can check with ansible-config dump --only-changed.

If it was an issue with the credentials, I’d expect more specific warnings like:

[WARNING]: Unexpected error while trying to list ec2 regions: Unable to locate credentials
[WARNING]: Failed to parse inventory with 'ansible_collections.amazon.aws.plugins.inventory.aws_ec2' plugin: Failed to describe instances: Unable to locate credentials

If that’s not configured, sharing your inventory file would provide more clues as to what’s happening.

You are right that the output I shared wasn’t showing the real issue because I wasn’t pointing at the correct inventory file.

When I run it correctly:
[WARNING]: Failed to parse inventory with 'auto' plugin: Couldn't connect to AWS: The source profile "default" must have credentials.

I have finally found a workable solution to this “issue”, but I am hoping there is a better approach as this doesn’t seem great.

When the new aws login feature runs, it does not create or update the file ~/.aws/credentials, and creating that file seems to be the only way to get ansible to understand my aws authentication.

So for now, instead of running aws login directly, I am running aws login --profile aws-login and then a bash script that uses aws configure set to create/update the credentials file.

#!/usr/bin/env bash
# Export the session obtained by `aws login --profile aws-login` (default
# output format is the credential_process JSON) and copy it into the
# default profile so tools that only read ~/.aws/credentials can use it.
set -euo pipefail

CREDS=$(aws configure export-credentials --profile aws-login)

ACCESS_KEY=$(echo "$CREDS" | jq -r '.AccessKeyId')
SECRET_KEY=$(echo "$CREDS" | jq -r '.SecretAccessKey')
SESSION_TOKEN=$(echo "$CREDS" | jq -r '.SessionToken')
EXPIRATION=$(echo "$CREDS" | jq -r '.Expiration')

# The key, secret and session token are written to ~/.aws/credentials
aws configure set aws_access_key_id "$ACCESS_KEY" --profile default
aws configure set aws_secret_access_key "$SECRET_KEY" --profile default
aws configure set aws_session_token "$SESSION_TOKEN" --profile default
aws configure set aws_expiration "$EXPIRATION" --profile default

This seems unnecessarily convoluted, but it is working so I am running with it for now.
I am also playing with Sourcing credentials with an external process in the AWS CLI - AWS Command Line Interface to see if I can figure out how to automatically fire the bash script for default.

I think something like this in ~/.aws/config should work but so far I am having no luck with it.

[default]
credential_process = "~/.aws/aws-login-workaround.sh"

That’s strange, you should be able to use the environment variables as-is. Do you have a profile set?

I can reproduce the specific error you’re getting by using default as a source_profile in the ~/.aws/config:

[default]
region = us-east-1

# default has no credentials configured
[profile dev]
role_arn = arn:aws:iam::123456789012:role/DevRole
source_profile = default

# aws_ec2.yml
plugin: amazon.aws.aws_ec2
profile: dev

If you need to become a role, you can do this without a ~/.aws/config by using assume_role_arn.

Starting over from scratch to make sure that different authentication attempts aren’t interfering with each other, I renamed my .aws folder to .aws-back.

Then I ran aws login.
My .aws/config:

[default]
login_session = arn:aws:sts::402300540126:assumed-role/Admin/awilson@rfx-tech.com
region = us-east-1

I tried ansible-inventory -i inventory/honorapp_aws_ec2.yaml --list
and understandably:
[WARNING]: Failed to parse inventory with 'auto' plugin: Couldn't connect to AWS: The config profile (the-honor-flight-application) could not be found

So I copied that profile entry over from my earlier setup into the new config:

[profile the-honor-flight-application]
output = json
region = us-east-1
source_profile = default
role_arn = arn:aws:iam::340910345491:role/RFX_Admins

Which gave me the output:
[WARNING]: Failed to parse inventory with 'auto' plugin: Couldn't connect to AWS: The source profile "default" must have credentials.

So I removed that profile and then ran aws login --profile the-honor-flight-application which allowed me to authenticate and added an entry to my config:

[profile the-honor-flight-application]
login_session = arn:aws:sts::340910345491:assumed-role/RFX_Admins/awilson@rfx-tech.com
region = us-east-1

but running the inventory command gave me [WARNING]: Failed to parse inventory with 'auto' plugin: Failed to describe instances: Unable to locate credentials

Removing the new profile created by that login and restoring the old profile with source_profile = default and then running my script to create a credentials file restores my ability to list inventory for that profile.

I have about 60 profiles, give or take.
My dynamic inventory starts with:

plugin: amazon.aws.aws_ec2
aws_profile: the-honor-flight-application

I tried swapping the profile with the arn which unfortunately has the same credentials issue. I can see the advantage of not needing the profile to make it work, though, so I am going to look more into incorporating this approach instead.

Thanks for the additional info. I’ve been unable to reproduce the issue when using aws login with a normal IAM user. I see you’re using a federated IAM user though, so I wonder if that could be a factor. I’d expect your ~/.aws/config to just work.

I’m really perplexed why the environment variables don’t work (even more so if you’re seeing the same error regarding the source_profile default). If an access key/secret key/session token are provided alongside a profile, you should get an error that conflicting methods of authentication are provided.

Hopefully others with more ideas will chime in. Sorry to be of no help.

Thank you so much @shertel for your help. Sometimes just knowing something should work is enough to keep trying until it does.

I tried a few more configurations and seem to have stumbled upon something that works.

I think part of the issue I was having with ansible (and terraform and probably other tools I didn’t try) was the shift in authentication mechanisms without entirely clearing out all other mechanisms.

What I mean is that aws-azure-login would create a ~/.aws/credentials file but aws login doesn’t.

When running things other than aws cli, the credentials file was still being used but was invalid. This was hard to realize because all of the core aws cli functions were using the new method.

I completely removed my .aws folder and started over with just the aws login and found this combination worked well:

Start with aws login --profile aws-login which automatically creates this in .aws/config.

[profile aws-login]
login_session = arn:aws:sts::402300540126:assumed-role/Admin/awilson@rfx-tech.com
region = us-east-1

Then, manually add this to .aws/config

[default]
region = us-east-1
credential_process = aws configure export-credentials --profile aws-login --format process

All other profiles can still reference the default

[profile the-honor-flight-application]
source_profile = default

This is working for me today.
If I understand correctly, using default (which just about all my profiles do) causes default to call the aws-login profile and output the expected authentication mechanisms.
When I try to use aws login for the default profile, things like ansible do not authenticate correctly.
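Added example for this thread (not code posted by anyone in it): a stdlib-only Python checker that walks a ~/.aws/config the way the source_profile / credential_process chain is resolved and reproduces the two error strings seen above ("The config profile (...) could not be found" and "The source profile ... must have credentials"), plus a validator for what a credential_process command must print on stdout. The sample config, profile names, account IDs, timestamps and the `python3 aws_chain_check.py` file name are constructed; the treatment of a login_session-only profile as usable by the CLI but not by Ansible is taken from the observations in this thread, not from SDK documentation.

```python
"""aws_chain_check.py (constructed name): diagnose ~/.aws/config credential chains.
Added example for the thread; sample data below is constructed."""
import configparser
import json
from datetime import datetime, timezone

STATIC_KEYS = ("aws_access_key_id", "aws_secret_access_key")


def load_profiles(config_text, credentials_text=""):
    """Merge [profile x]/[default] sections from config with [x] sections from credentials."""
    profiles = {}
    for text, strip_prefix in ((config_text, True), (credentials_text, False)):
        parser = configparser.ConfigParser(
            interpolation=None, delimiters=("=",), inline_comment_prefixes=("#",))
        parser.read_string(text)
        for section in parser.sections():
            name = section
            if strip_prefix and section.startswith("profile "):
                name = section[len("profile "):]
            profiles.setdefault(name, {}).update(parser[section])
    return profiles


def resolve(profiles, name, _seen=()):
    """Walk the chain a botocore-based tool follows; return (status, detail).
    status is "ok", "warn" or "error"; error texts mirror the thread's messages."""
    if name in _seen:
        return "error", f"source_profile loop through {name}"
    p = profiles.get(name)
    if p is None:
        return "error", f"The config profile ({name}) could not be found"
    if all(k in p for k in STATIC_KEYS):
        return "ok", f"{name}: static keys"
    if "credential_process" in p:
        return "ok", f"{name}: credential_process -> {p['credential_process']}"
    if "sso_session" in p or "sso_start_url" in p:
        return "ok", f"{name}: IAM Identity Center (sso)"
    if "role_arn" in p and "source_profile" in p:
        src = p["source_profile"]
        status, detail = resolve(profiles, src, _seen + (name,))
        if status != "ok":
            return "error", f'The source profile "{src}" must have credentials ({detail})'
        return "ok", f"{name}: assume {p['role_arn']} via {detail}"
    if "login_session" in p:
        # Observed in the thread: the AWS CLI uses this, Ansible's aws_ec2 plugin did not.
        return "warn", f"{name}: only login_session; add a credential_process for other tools"
    return "error", f"{name}: no credentials configured"


def check_process_output(stdout_text, now_iso=None):
    """Validate credential_process stdout: JSON with Version 1, AccessKeyId,
    SecretAccessKey, optional SessionToken and an unexpired ISO-8601 Expiration.
    now_iso, if given, must be a timezone-aware ISO-8601 string."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    try:
        data = json.loads(stdout_text)
    except json.JSONDecodeError as exc:
        return False, f"not JSON: {exc}"
    if data.get("Version") != 1:
        return False, "Version must be 1"
    missing = [k for k in ("AccessKeyId", "SecretAccessKey") if not data.get(k)]
    if missing:
        return False, "missing " + ", ".join(missing)
    exp = data.get("Expiration")
    if exp:
        if datetime.fromisoformat(exp.replace("Z", "+00:00")) <= now:
            return False, f"expired at {exp}; run `aws login` again"
        return True, f"valid until {exp}"
    return True, "valid, no expiry"


# Constructed config mirroring the working layout from the thread plus one broken chain.
SAMPLE_CONFIG = """
[default]
region = us-east-1
credential_process = aws configure export-credentials --profile aws-login --format process

[profile aws-login]
login_session = arn:aws:sts::111111111111:assumed-role/Admin/user@example.com
region = us-east-1

[profile app]
source_profile = default
role_arn = arn:aws:iam::222222222222:role/AppAdmin

[profile broken-app]
source_profile = nocreds
role_arn = arn:aws:iam::222222222222:role/AppAdmin

[profile nocreds]
region = us-east-1
"""

# Constructed stand-in for `aws configure export-credentials --format process` stdout.
SAMPLE_PROCESS_OUTPUT = json.dumps({
    "Version": 1, "AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret",
    "SessionToken": "token", "Expiration": "2026-04-27T20:43:29+00:00",
})

if __name__ == "__main__":
    import os
    import sys
    texts = []
    for fname in ("config", "credentials"):
        path = os.path.expanduser(f"~/.aws/{fname}")
        texts.append(open(path).read() if os.path.exists(path) else "")
    real = load_profiles(*texts)
    for name in sys.argv[1:] or sorted(real):
        status, detail = resolve(real, name)
        print(f"[{status}] {detail}")
```

Run it with no arguments to resolve every profile in your real ~/.aws/config, or name the profile your inventory uses; a profile whose chain ends at a section with only region or only login_session is the one that produces the "must have credentials" warning. To check the credential_process command itself, pass its stdout to check_process_output: a non-zero exit or output that is not Version 1 JSON is reported as an inventory parse failure rather than a credentials error.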