aws_kms_info - Gracefully Handle Keys That Don't Allow kms:GetKeyRotationStatus API Calls #199
Conversation
…calls Some AWS KMS keys (e.g. aws/acm) do not allow permissions to call the API kms:GetKeyRotationStatus. As a result, module execution fails, even if the user executing it has full admin privileges. Example: https://forums.aws.amazon.com/thread.jspa?threadID=312992
Many thanks for your contribution.
We have some test cases (they are currently only run 'manually'); do you think you could update the integration test to account for this issue and help avoid a regression?
Update documentation to reflect this use case. Use helper to track the exception.
Trying to think of a good integration test to cover this situation. Would something like this work:
tests/integration/targets/aws_kms/ already contains a suite of tests. My suggestion would be that as one of the last tests before the key is scheduled for deletion you set a new policy on the key that includes an explicit deny (for everyone) on kms:GetKeyRotationStatus. You then attempt to fetch the info for that key.
That makes sense. I added an integration test that (I think) covers this situation.
Minor thing for the future, and possibly for your playbooks, the templating engine used by Ansible doesn't like "== None", it needs "is undefined" for a situation like this.
Looks good and local tests show the expected behaviour.
Many thanks for your contribution. Now for me to fix the aws_kms issue and some minor bugs in the test suite :)
Thank you!
…tionStatus API Calls (ansible-collections#199) * Gracefully handle keys that don't allow kms:GetKeyRotationStatus API calls Some AWS KMS keys (e.g. aws/acm) do not allow permissions to call the API kms:GetKeyRotationStatus. As a result, module execution fails, even if the user executing it has full admin privileges. Example: https://forums.aws.amazon.com/thread.jspa?threadID=312992 * change log fragment * Return None if key rotation status can't be determined Update documentation to reflect this use case. Use helper to track the exception. * Add integration tests
* Add AWSRetries to standard ec2_vol boto3 calls * changelog
SUMMARY
Some AWS KMS keys (e.g. aws/acm) do not allow permissions to call the API
kms:GetKeyRotationStatus. As a result, module execution fails, even if the
user executing it has full admin privileges (example).
ISSUE TYPE
COMPONENT NAME
aws_kms_info.py
ADDITIONAL INFORMATION
The following module execution:
will fail with the following error:
Key ID 3b5bbd74-1234-abcd-1234-1234abcd1234 in the example above is an aws/acm key.
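As an added example, not code from this pull request or from the community.aws collection: a Python sketch of the handling the commit messages above describe. The kms:GetKeyRotationStatus call is wrapped so that an AccessDeniedException (what an aws/acm key returns even to an administrator) yields None for enable_key_rotation, while any other error, such as a missing key, is still raised so the module does not hide real failures. The FakeKmsClient, its key table, the second key ID and the error messages are constructed stand-ins for boto3; the is_access_denied function is an assumed stand-in for whatever error-code helper the project uses, and the first key ID is the one quoted in the PR description.

```python
"""Added example (not from the pull request): return None instead of failing
when a KMS key denies kms:GetKeyRotationStatus, as aws/acm keys do."""
try:
    from botocore.exceptions import ClientError  # real boto3 exception when botocore is installed
except ImportError:  # minimal stand-in so the example still runs offline without botocore
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__("%s: %s" % (operation_name, error_response["Error"]["Code"]))
            self.response = error_response
            self.operation_name = operation_name


def is_access_denied(error):
    # Assumed stand-in for the project's error-code helper: match on the AWS error
    # code, not on the message text, which AWS may reword at any time.
    return error.response.get("Error", {}).get("Code") == "AccessDeniedException"


def key_rotation_status(kms_client, key_id):
    """True/False from GetKeyRotationStatus, or None when the caller is denied that
    call (aws/acm keys). Every other ClientError is re-raised so genuine failures
    such as a missing key are not silently turned into 'unknown'."""
    try:
        response = kms_client.get_key_rotation_status(KeyId=key_id)
    except ClientError as e:
        if is_access_denied(e):
            return None
        raise
    return bool(response["KeyRotationEnabled"])


def describe_key(kms_client, key_id):
    """The slice of aws_kms_info output this example cares about."""
    meta = kms_client.describe_key(KeyId=key_id)["KeyMetadata"]
    return {
        "key_id": meta["KeyId"],
        "key_manager": meta["KeyManager"],
        "enable_key_rotation": key_rotation_status(kms_client, key_id),  # None = undetermined
    }


def propagated_error_code(kms_client, key_id):
    """Helper showing that errors other than AccessDenied still surface."""
    try:
        key_rotation_status(kms_client, key_id)
    except ClientError as e:
        return e.response["Error"]["Code"]
    return None


class FakeKmsClient:
    """Constructed stand-in for boto3's KMS client. The first key ID is the one quoted
    in the PR description (an AWS managed aws/acm key); the second is made up."""
    KEYS = {
        "3b5bbd74-1234-abcd-1234-1234abcd1234": {"KeyManager": "AWS", "rotation": False},
        "11111111-2222-3333-4444-555555555555": {"KeyManager": "CUSTOMER", "rotation": True},
    }

    def _error(self, code, message, operation):
        return ClientError({"Error": {"Code": code, "Message": message}}, operation)

    def describe_key(self, KeyId):
        if KeyId not in self.KEYS:
            raise self._error("NotFoundException", "constructed: no such key", "DescribeKey")
        return {"KeyMetadata": {"KeyId": KeyId, "KeyManager": self.KEYS[KeyId]["KeyManager"]}}

    def get_key_rotation_status(self, KeyId):
        if KeyId not in self.KEYS:
            raise self._error("NotFoundException", "constructed: no such key", "GetKeyRotationStatus")
        if self.KEYS[KeyId]["KeyManager"] == "AWS":
            # AWS managed keys refuse this call regardless of the caller's IAM rights
            raise self._error("AccessDeniedException",
                              "constructed: not authorized for kms:GetKeyRotationStatus",
                              "GetKeyRotationStatus")
        return {"KeyRotationEnabled": self.KEYS[KeyId]["rotation"]}


if __name__ == "__main__":
    client = FakeKmsClient()
    for key_id in FakeKmsClient.KEYS:
        print(describe_key(client, key_id))
```

Matching on the error code rather than catching every ClientError is the point: a blanket except would also swallow NotFoundException and throttling errors, and a playbook consumer reading enable_key_rotation as None (the "is undefined" / "is none" style test mentioned in the review) would then be unable to tell "not permitted" from "key does not exist".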