Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws_ssm: Wrong pre-signed URL when curl-ing AnsiballZ_systemd.py on newer AWS regions #1616

Closed
1 task done
mfornasa opened this issue Dec 8, 2022 · 1 comment · Fixed by #1674
Closed
1 task done

aws_ssm: Wrong pre-signed URL when curl-ing AnsiballZ_systemd.py on newer AWS regions #1616

mfornasa opened this issue Dec 8, 2022 · 1 comment · Fixed by #1674
Labels
bug This issue/PR relates to a bug connection connection plugin needs_triage plugins plugin (any type) python3

Comments

@mfornasa
Copy link

mfornasa commented Dec 8, 2022
edited
Loading

Summary

AWS changed the behaviour of S3 in newer AWS regions (e.g. eu-south-1), so boto3 does not generate the correct pre-signed URL. This breaks aws-ssm when downloading AnsiballZ_systemd.py. The command:

<i-XXXXX> EXEC curl 'https://s3.eu-south-1.amazonaws.com/....../.ansible/tmp/ansible-tmp-1670516070.746575-42763-145799413608234/AnsiballZ_setup.py?X-Amz-Algorithm=...'

is return the following error:

The eu-south-1 location constraint is incompatible for the region specific endpoint this request was sent to.

A possible workaround can be found here: boto/boto3#3015 (comment)

I implemented a super-dirty workaround in file plugins/connection/aws_ssm.py, function _get_boto_client:

        if service == "s3" and region_name is not None:
            client = session.client(
                service,
                endpoint_url="https://s3." + region_name + ".amazonaws.com",
                config=Config(signature_version="s3v4")
            )
        else:
            client = session.client(
                service,
                config=Config(signature_version="s3v4")
            )
        return client

It works for me now. I did not test it on other regions / parameter combinations.

Issue Type

Bug Report

Component Name

aws_ssm

Ansible Version

$ ansible --version
ansible [core 2.13.6]
  config file = /Users/mf/mf/github/infra-ansible/ansible.cfg
  configured module search path = ['/Users/mf/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/homebrew/Cellar/ansible/6.6.0/libexec/lib/python3.11/site-packages/ansible
  ansible collection location = /Users/mf/.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/homebrew/bin/ansible
  python version = 3.11.0 (main, Oct 25 2022, 13:57:33) [Clang 14.0.0 (clang-1400.0.29.202)]
  jinja version = 3.1.2
  libyaml = True

Collection Versions

$ ansible-galaxy collection list
[...]
Collection    Version
------------- -------
amazon.aws    5.1.0
community.aws 5.0.0

OS / Environment

MacOS Monterey

Steps to Reproduce

Execute a playbook using aws_ssm access.

Expected Results

Playbook execution gives an error.

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
@ansibullbot
Copy link

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

click here for bot help

@ansibullbot ansibullbot added bug This issue/PR relates to a bug connection connection plugin needs_triage plugins plugin (any type) python3 labels Dec 8, 2022
@tremble tremble mentioned this issue Jan 23, 2023
Merged
softwarefactory-project-zuul bot pushed a commit that referenced this issue Jan 23, 2023
@tremble
aws_ssm - split S3 region/endpoint discovery into dedicated function (#…
8237ebb 
…1674)

aws_ssm - split S3 region/endpoint discovery into dedicated function

Depends-On: #1670
SUMMARY
fixes: #1616
Newer AWS regions don't generate valid presigned URLs unless you explicitly pass the endpoint_url for the region (see also boto/boto3#3015)
ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME
aws_ssm
ADDITIONAL INFORMATION

Reviewed-by: Markus Bergholz <git@osuv.de>
Reviewed-by: Alina Buzachis <None>
patchback bot pushed a commit that referenced this issue Jan 23, 2023
@tremble @patchback
aws_ssm - split S3 region/endpoint discovery into dedicated function (#…
9fcd4ef 
…1674)

aws_ssm - split S3 region/endpoint discovery into dedicated function

Depends-On: #1670
SUMMARY
fixes: #1616
Newer AWS regions don't generate valid presigned URLs unless you explicitly pass the endpoint_url for the region (see also boto/boto3#3015)
ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME
aws_ssm
ADDITIONAL INFORMATION

Reviewed-by: Markus Bergholz <git@osuv.de>
Reviewed-by: Alina Buzachis <None>
(cherry picked from commit 8237ebb)
@patchback patchback bot mentioned this issue Jan 23, 2023
Merged
softwarefactory-project-zuul bot pushed a commit that referenced this issue Jan 23, 2023
@patchback
aws_ssm - split S3 region/endpoint discovery into dedicated function (#…
a2f6dbd 
…1674) (#1677)

[PR #1674/8237ebb7 backport][stable-5] aws_ssm - split S3 region/endpoint discovery into dedicated function

This is a backport of PR #1674 as merged into main (8237ebb).
Depends-On: #1670
SUMMARY
fixes: #1616
Newer AWS regions don't generate valid presigned URLs unless you explicitly pass the endpoint_url for the region (see also boto/boto3#3015)
ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME
aws_ssm
ADDITIONAL INFORMATION

Reviewed-by: Markus Bergholz <git@osuv.de>
@tremble tremble mentioned this issue Jan 25, 2023
Closed
1 task
abikouo pushed a commit to abikouo/community.aws that referenced this issue Oct 24, 2023
@taehopark32
Added started and stopped states for rds cluster (ansible-collections…
51eeebb 
…#1647)

Added started and stopped states for rds cluster

SUMMARY

Fixes ansible-collections#1616

ISSUE TYPE


Feature Pull Request

COMPONENT NAME

plugins/modules/rds_cluster.py
ADDITIONAL INFORMATION

Reviewed-by: Alina Buzachis
Reviewed-by: Mike Graves <mgraves@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug This issue/PR relates to a bug connection connection plugin needs_triage plugins plugin (any type) python3
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

aws_ssm - split S3 region/endpoint discovery into dedicated function tremble/community.aws
2 participants
@mfornasa @ansibullbot