SSM connection doesn't use regional S3 endpoint #1190
Comments
Files identified in the description: If these files are inaccurate, please update the
…n var (#1176)

SUMMARY
Fix issue where syntax error is reported if using ssm connection and the target node is located in a different region to the s3 bucket.
Fixes #1190, #637

ISSUE TYPE
Bugfix Pull Request

COMPONENT NAME
aws_ssm connection plugin

ADDITIONAL INFORMATION
When using SSM for ansible connection and the target node is in a different region to the s3 bucket used, the playbook immediately errors with the following. (There are no issues when both target and s3 bucket are in the same region)

fatal: [i-04444a7f03cc2bffd]: FAILED! => {"ansible_facts": {}, "changed": false, "failed_modules": {"ansible.legacy.setup": {"failed": true, "module_stderr": "", "module_stdout": " File \"/tmp/ansible/ansible-tmp-1653576081.8378458-29658-258097978113216/AnsiballZ_setup.py\", line 1\r\r\n <?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\r\n ^\r\r\nSyntaxError: invalid syntax\r\r", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}}, "msg": "The following modules failed to execute: ansible.legacy.setup\n"}

The tmp file has the following contents

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AuthorizationQueryParametersError</Code><Message>Error parsing the X-Amz-Credential parameter; the region 'us-east-1' is wrong; expecting 'eu-west-1'</Message><Region>eu-west-1</Region><RequestId>4VTAGR4C1V9ATBJT</RequestId><HostId>OahjGsFQHlr3ihxobH/yyH7Mzxq98mwjcb6+J3Y2EifDU7FykCe8b6QJTNodIG5WSquVeJF+Zsk=</HostId></Error>

Steps to reproduce: run an ansible playbook using the following:
- aws_ec2 inventory
- aws_ssm connection type
- specify an s3 bucket (ansible_aws_ssm_bucket_name var) that is in a different location to the target node

The presigned url generated includes the region the s3 bucket is in, so this region must be used for the session obtained in the _get_url function.
…n var (#1176) (cherry picked from commit 1be7da1)
…n var (#1176) (#1291)
[PR #1176/1be7da11 backport][stable-4] ssm connection: pull bucket region info rather than taking from region var
This is a backport of PR #1176 as merged into main (1be7da1).
Reviewed-by: Mark Chappell <None>
…n var (#1176) (#1290)
[PR #1176/1be7da11 backport][stable-3] ssm connection: pull bucket region info rather than taking from region var
This is a backport of PR #1176 as merged into main (1be7da1).
Reviewed-by: Mark Chappell <None>
Can we reopen this issue? The referenced PR in the close action above (#1176) does not seem to resolve this particular issue. That PR was targeting a fix for pulling the region information for the S3 bucket used for SSM file transfers from the bucket metadata itself, but the pre-signed URLs generated for the S3 downloads are still pointing at the global S3 endpoint, and not the region specific one. This still creates the issue indicated in #637 (which also needs to be reopened), where newly created S3 buckets returned 307 redirects from the global endpoint to use the regional endpoint instead within the first 24 hours, and then the signature fails as the signature was intended for the global endpoint and not the regional endpoint.
…nsible-collections#1200) route53_health_check: Add health_check info on updating health check SUMMARY Fixes ansible-collections#1190 Added health check info in output when updating a Route53 health check with use_unique_names: true. ISSUE TYPE Bugfix Pull Request COMPONENT NAME route53_health_check Reviewed-by: Mike Graves <[email protected]> Reviewed-by: GomathiselviS <None> Reviewed-by: Mandar Kulkarni <[email protected]>
Summary
When using `ansible_connection: aws_ssm` the url used to download data from a bucket is always `*.s3.amazonaws.com` regardless of the region specified in `ansible_aws_ssm_region`.
This causes issues since in restricted environments the EC2 instance has to use the S3 gateway endpoint which is only available using the region specific url, for example `*.s3.eu-central-1.amazonaws.com`
Issue Type
Bug Report
Component Name
s3
Ansible Version
Collection Versions
$ ansible-galaxy collection list
AWS SDK versions
Configuration
$ ansible-config dump --only-changed
OS / Environment
Ubuntu 22
Steps to Reproduce
Expected Results
Ansible should use the region specific s3 url for download
Actual Results
EXEC curl 'https://my-bucket.s3.amazonaws.com/...
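A small checker for the two failure modes discussed on this page, added here as an example (it is not code from the aws_ssm plugin or from the original issue): it reads the signing region from `X-Amz-Credential` and the endpoint region from the host name of a presigned URL. The function name, the finding codes and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Virtual-hosted-style S3 hosts: <bucket>.s3.amazonaws.com (global endpoint)
# or <bucket>.s3.<region>.amazonaws.com (regional endpoint).
_S3_HOST = re.compile(
    r"^(?P<bucket>.+)\.s3(?:\.(?P<region>[a-z]{2}(?:-[a-z]+)+-\d+))?\.amazonaws\.com$"
)


def check_presigned_url(url, bucket_region):
    """Return finding codes for a SigV4 presigned S3 URL.

    bucket_region is the region the bucket lives in (supplied by the caller).
    """
    parts = urlsplit(url)
    match = _S3_HOST.match(parts.hostname or "")
    if match is None:
        return ["NOT_S3_VIRTUAL_HOST"]
    # parse_qs percent-decodes, so %2F in the credential scope becomes "/".
    # Scope layout: <access key>/<yyyymmdd>/<region>/<service>/aws4_request
    scope = parse_qs(parts.query).get("X-Amz-Credential", [""])[0].split("/")
    if len(scope) != 5 or scope[3:] != ["s3", "aws4_request"]:
        return ["BAD_CREDENTIAL_SCOPE"]
    signing_region, host_region = scope[2], match.group("region")
    findings = []
    if signing_region != bucket_region:
        # Case from the commit message: AuthorizationQueryParametersError.
        findings.append("SIGNING_REGION_MISMATCH")
    if host_region is None:
        # Case from this issue: the URL targets the global endpoint.
        findings.append("GLOBAL_ENDPOINT")
    elif host_region != signing_region:
        findings.append("HOST_REGION_MISMATCH")
    return findings


# Constructed sample URLs: bucket, key, access key and signature are placeholders.
_QUERY = ("X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential="
          "AKIDEXAMPLE%2F20220526%2F{}%2Fs3%2Faws4_request&X-Amz-Signature=0000")
SAMPLES = {
    "global, signed us-east-1": "https://my-bucket.s3.amazonaws.com/key?" + _QUERY.format("us-east-1"),
    "global, signed eu-central-1": "https://my-bucket.s3.amazonaws.com/key?" + _QUERY.format("eu-central-1"),
    "regional, signed eu-central-1": "https://my-bucket.s3.eu-central-1.amazonaws.com/key?" + _QUERY.format("eu-central-1"),
}

if __name__ == "__main__":
    for label, url in SAMPLES.items():
        print(label, "->", check_presigned_url(url, "eu-central-1"))
```

Run against the URL from an `EXEC curl` line in verbose playbook output, an empty list means the URL is signed for the bucket's region and addressed to the matching regional endpoint.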