Using 'aws login' with Dynamic Inventory plugin: amazon.aws.aws_ec2

I have been using the plugin: amazon.aws.aws_ec2 successfully for a while now.

I was successfully using aws-azure-login to get my AWS credentials, which works when it works, but aws-azure-login doesn’t always work and has consumed many of my hours trying to restore functionality when it stops working.

Today I tried to use ‘aws login’, which is part of the AWS CLI.
Login for AWS local development using console credentials - AWS Command Line Interface

I can log in and use the cli without issue, but the dynamic inventory plugin seems to be unaware of it.

I have tried exporting the variables:
eval "$(aws configure export-credentials --profile your-profile-name --format env)"

which seems to have worked

echo $AWS_ACCESS_KEY_ID
****************APD6

except that the dynamic library still isn’t working.
Any thoughts on what I might be missing or how I go about troubleshooting this?

For testing, I am just trying to list a single inventory file:

ansible-inventory -i honorapp_aws_ec2.yaml --list
[WARNING]: Unable to parse honorapp_aws_ec2.yaml as an inventory source
[WARNING]: No inventory was parsed, only implicit localhost is available
{
    "_meta": {
        "hostvars": {},
        "profile": "inventory_legacy"
    },
    "all": {
        "children": [
            "ungrouped"
        ]
    }
}

but I am logged in

aws configure export-credentials --format env
export AWS_ACCESS_KEY_ID=****************APD6
export AWS_SECRET_ACCESS_KEY=****************mRCM
export AWS_SESSION_TOKEN=****************8lXIQ=
export AWS_CREDENTIAL_EXPIRATION=2026-04-27T20:43:29+00:00

and I can use the CLI without issue.

As a Hail Mary, I tried grabbing the keys from the environment:

# The access key for your AWS account.
aws_access_key: "{{ lookup('env', 'AWS_ACCESS_KEY_ID') }}"
# The secret access key for your AWS account.
aws_secret_key: "{{ lookup('env', 'AWS_SECRET_ACCESS_KEY') }}"

but with the same inventory result.

I am starting to think that whatever broke my aws-azure-login might have somehow also broken my dynamic inventory, which seems unlikely but …

Please help before I lose what is left of my mind.

I’m wondering if the plugin is parsing your inventory at all. Is INVENTORY_ENABLED configured? You can check with ansible-config dump --only-changed.

If it was an issue with the credentials, I’d expect more specific warnings like:

[WARNING]: Unexpected error while trying to list ec2 regions: Unable to locate credentials
[WARNING]: Failed to parse inventory with 'ansible_collections.amazon.aws.plugins.inventory.aws_ec2' plugin: Failed to describe instances: Unable to locate credentials

If that’s not configured, sharing your inventory file would provide more clues as to what’s happening.

You are right that the output I shared wasn’t showing the real issue because I wasn’t pointing at the correct inventory file.

When I run it correctly:
[WARNING]: Failed to parse inventory with 'auto' plugin: Couldn't connect to AWS: The source profile "default" must have credentials.

I have finally found a workable solution to this “issue”, but I am hoping there is a better approach as this doesn’t seem great.

When the new aws login feature runs, it does not create or update the file ~/.aws/credentials, and creating that file seems to be the only way to get ansible to understand my aws authentication.

So for now, instead of running aws login directly, I am running aws login --profile aws-login and then a bash script that uses aws configure set to create/update the credentials file.

CREDS=$(aws configure export-credentials --profile aws-login)

ACCESS_KEY=$(echo "$CREDS" | jq -r '.AccessKeyId')
SECRET_KEY=$(echo "$CREDS" | jq -r '.SecretAccessKey')
SESSION_TOKEN=$(echo "$CREDS" | jq -r '.SessionToken')
EXPIRATION=$(echo "$CREDS" | jq -r '.Expiration')

aws configure set aws_access_key_id "$ACCESS_KEY" --profile default
aws configure set aws_secret_access_key "$SECRET_KEY" --profile default
aws configure set aws_session_token "$SESSION_TOKEN" --profile default
aws configure set aws_expiration "$EXPIRATION" --profile default

This seems unnecessarily convoluted, but it is working so I am running with it for now.
I am also playing with Sourcing credentials with an external process in the AWS CLI - AWS Command Line Interface to see if I can figure out how to automatically fire the bash script for default.

I think something like this in ~/.aws/config should work but so far I am having no luck with it.

[default]
credential_process = "~/.aws/aws-login-workaround.sh"
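
An added example, not code from the thread or from the AWS or Ansible projects: a helper that can be named in credential_process, which must print a JSON document (Version 1 with AccessKeyId, SecretAccessKey and optionally SessionToken and Expiration) on stdout rather than write ~/.aws/credentials. It assumes the aws-login profile from the post, Python 3.7+, and an absolute path in the config entry, since the SDK runs the command directly and does not expand ~; the sample document is constructed.

```python
#!/usr/bin/env python3
"""credential_process helper: pass `aws login` session credentials to boto3/Ansible."""
import json
import subprocess
import sys
from datetime import datetime, timezone

PROFILE = "aws-login"  # assumption: profile from the post's `aws login --profile aws-login`
# Constructed sample of the JSON contract (placeholder values, not real keys).
SAMPLE = ('{"Version": 1, "AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "example-secret", '
          '"SessionToken": "example-token", "Expiration": "2026-04-27T20:43:29+00:00"}')


def validate(raw, now=None):
    """Parse credential_process JSON; raise ValueError if it is unusable."""
    doc = json.loads(raw)
    if not isinstance(doc, dict) or doc.get("Version") != 1:
        raise ValueError("Version must be 1")
    missing = [k for k in ("AccessKeyId", "SecretAccessKey") if not doc.get(k)]
    if missing:
        raise ValueError("missing keys: " + ", ".join(missing))
    if doc.get("Expiration"):
        expires = datetime.fromisoformat(doc["Expiration"].replace("Z", "+00:00"))
        if expires.tzinfo is None:  # treat a naive timestamp as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= (now or datetime.now(timezone.utc)):
            raise ValueError("credentials expired at " + doc["Expiration"])
    return doc


def main():
    # "process" format is the JSON document that credential_process consumers read.
    proc = subprocess.run(
        ["aws", "configure", "export-credentials", "--profile", PROFILE, "--format", "process"],
        capture_output=True, text=True)
    if proc.returncode != 0:
        sys.stderr.write(proc.stderr or "export-credentials failed\n")
        return 1
    try:
        doc = validate(proc.stdout)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError too
        sys.stderr.write(f"{exc}; run: aws login --profile {PROFILE}\n")
        return 1
    json.dump(doc, sys.stdout)  # stdout carries only the JSON; nothing is written to disk
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

With the script marked executable, the [default] entry in ~/.aws/config would read credential_process = /absolute/path/to/aws-login-helper.py (a hypothetical path), and the session keys no longer need to be copied into ~/.aws/credentials.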