-
Notifications
You must be signed in to change notification settings - Fork 334
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
get_aws_connection_info: Explicitly specified credentials are overridden by the profile with boto3 #130
Comments
Given that this would be a fairly substantial change my feeling is that we take the opportunity to massively simplify the logic:
Thoughts? Objections? Note:
|
It's been pointed out that using ENV variables helps for general use, I think if we continue to use them there needs to be an easy to describe way of saying "Read everything from Profile" "Read everything from ENV" "Read everything from creds parameters", right now it's easy to end up with an ugly mix. |
@tremble Bear in mind that lookups are not a direct replacement for the usage of environment variables or boto configuration, because they run on the controller instead of the target host. E.g. the following playbook:
Results in this:
|
I don't think we want to remove support for ENV vars, or anything that AWS themselves support that we do today. Removing the silent sharp edges from what we have now though, and simplifying that logic, is a good idea. It might be good to start with documenting what are all the methods/combinations of methods a user could use for auth today, and making sure we have good test coverage for each of those scenarios. Then we can look at
|
I agree with all of @jillr's points. The bug looks like a breaking change from #99 (though 2.8 is mentioned, so maybe there are additional details that were glossed over?). I think that bit of code should be removed, just leaving the CA bundle addition. There are definitely interesting corner cases for credentials and it would be great to rework those though. (Also cc @AlanCoding in case Tower would be impacted by the features suggested) |
Profile has always overridden the other credential types, the difference is that we now support the AWS_PROFILE env var. Upstream documentation is https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html Reading through the comments I think the rough priorities/behaviour we want is:
What's unclear is how we should behave if there's a partial set of credentials configured |
@tremble Profile as a direct task parameter taking precedence is fine. Of course, we could possibly make it mutually exclusive in the future as you suggested (I haven't fully thought through the repercussions of doing that). The environment var for change seems wrong in retrospect and I probably should have known/remembered why additional sources for profile would add a bad corner case. The bigger picture, improving the mixed-credential situation, could break legitimate playbooks that have adopted Ansible's logic in that regard, so I see it needing a deprecation period and/or being featureish. I don't agree with the order you listed. Swapping the order of profile and keys is going to break so many playbooks. |
So 2,1, 4,3, 5 ? |
Yeah. I'm not sure if support for boto.config should be removed until we remove boto content. |
The boto3 docs say that it's a potential source, so I guess it should stay. |
Make profile mutually exclusive with other access tokens SUMMARY See also #130 Makes the profile parameter mutually exclusive with the aws_access_key, aws_secret_key and security_token parameters. ISSUE TYPE Feature Pull Request COMPONENT NAME plugins/module_utils/botocore.py ADDITIONAL INFORMATION See also: #151 and #130 Reviewed-by: Alina Buzachis <None>
Signed-off-by: Abhijeet Kasurde <[email protected]>
Signed-off-by: Abhijeet Kasurde <[email protected]>
Signed-off-by: Abhijeet Kasurde <[email protected]>
SUMMARY
I was looking at the code in
get_aws_connection_info
https://github.com/ansible-collections/amazon.aws/blob/main/plugins/module_utils/ec2.py#L331 and think I found a bug with profile and other credentials.If the user explicitly specifies both profile and other credentials (like security_token) in the playbook, profile silently overrides any of the given credentials. This is undesirable as the user has the most control over the playbook parameters so playbook parameters should either take precedence over profile or these playbook parameters should be mutually_exclusive with the profile.
I also see that the profile is being retrieved from environment variables if the profile_name is not set. That will have to be rethought in this case too.... Perhaps implementing the playbook parameters overriding the profile is the only way to make this work.
Precedence of values should be (earliest entry should override anything later):
ISSUE TYPE
COMPONENT NAME
lib/ansible/module_utils/ec2.py
ANSIBLE VERSION
This exists on 2.8 as well but I'm not sure if it should be backported as it is a new deprecation.
CONFIGURATION
OS / ENVIRONMENT
N/A
STEPS TO REPRODUCE
EXPECTED RESULTS
ACTUAL RESULTS
The text was updated successfully, but these errors were encountered: