4

I'm trying to use Ansible's ./ec2.py --list --refresh-cache to list my AWS EC2 instances.

Via documentation, I've run through this checklist:

  • AWS (docs via Amazon's Controlling Access to Amazon EC2 Resources & Error Codes)
    • Create an IAM User and corresponding IAM Group
    • Associated that User with that Group
    • Added a very open policy to the IAM Group*
  • CLI (docs via Ansible's Dynamic Inventory)
    • Install pip and boto
    • Create a ~/.boto file including aws_access_key_id and aws_secret_access_key which I received from the AWS IAM User's Access Credentials
    • Installed ec2.py and ec2.ini to the same path and left both files untouched
    • Run ./ec2.py --list --refresh-cache

*My policy:

{
  "Statement": [
    {
      "Sid": "Stmt1427001800780",
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

I did that and expected to be able to list the EC2 instances via ec2.py which essentially routes through boto, but actually saw Error connecting to AWS backend. You are not authorized to perform this operation. I am however able to ssh directly into my EC2 instance via ssh ubuntu@[ip].

I'm really banging my head against the wall here. What am I doing wrong?

EDIT: adding some new information as per @EEAA's suggestion

When I use pprint.pprint(e) on Amazon's response:

EC2ResponseError: 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>UnauthorizedOperation</Code><Message>You are not authorized to perform this operation.</Message></Error></Errors><RequestID>b985d559-c410-4462-8b10-e0819fd81f12</RequestID></Response>

My ~/.boto is configured like so:

[Credentials]
aws_access_key_id = removed
aws_secret_access_key = removed
Morgan Delaney
  • 1) What does AWS Support say? 2) Please post the full output of the command, run in verbose mode if possible. 3) Remove the bits about your ssh keys and being able to ssh into your instances - this has nothing to do with AWS API interactions. – EEAA Mar 22 '15 at 22:17
  • show the full output including errors, and show what your `~/.boto` file looks like. – tedder42 Mar 22 '15 at 22:27
  • @EEAA @tedder42 Added verbose `ec2.py` and `~/.boto` information to answer. @EEAA I came to SO before going to Amazon support, and if it's not a common mistake, I'll go there, thank you for direction. – Morgan Delaney Mar 22 '15 at 22:49

5 Answers

7

I was getting 'Forbidden' as the response to './ec2.py --list'. It looks like a bug when not using RDS and a query request to describe RDS resources is made (as is the default with this plugin). Just disable the request in ec2.ini like this:

    rds = False
caffeinate_me
6

If not using ElastiCache you have to set that to False as well. So uncomment

elasticache = False
masegaloeh
Jishnu Kinwar
0

I found that it was necessary to attach IAM users and groups to the AmazonEC2FullAccess policy (or any other policy with an ec2:Describe* action in it) to allow for instances to be listed from Ansible.

Of course, the other answers on setting the elasticache and rds config flags to false were also required, failing which I obtained the following responses instead: ERROR: "Forbidden", while: getting RDS instances or ERROR: "Forbidden", while: getting ElastiCache clusters.

Vineet Reynolds
0

You can omit this, creating the file ec2.ini with:

[ec2]
elasticache = False

and running with: EC2_INI_PATH=ec2.ini ./ec2.py --list

Based on: https://aws.amazon.com/blogs/apn/getting-started-with-ansible-and-dynamic-amazon-ec2-inventory-management/

0

Just resolved this exact problem. In my case the Ansible IAM user was created with full Admin permissions inside a single AWS zone. I picked a previously unused zone for this experiment:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ec2:*",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ec2:Region": "us-east-2"
                }
            }
        }
    ]
}

In addition to disabling RDS and elasticache (as described in the other answers here), I also limited ec2.ini to a single zone:

regions = us-east-2

This was the last piece of the "access forbidden" puzzle.
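The answers above all come down to a mismatch between what ec2.ini tells the inventory script to query and what the IAM policy allows. The following is an added example (not code from any answer or from ec2.py) that lists the calls a given ec2.ini implies and reports which ones a policy would refuse. Assumptions: the option-to-action mapping in `OPTIONAL_CALLS`, the constructed `SAMPLE_REGIONS` list standing in for `regions = all`, and a deliberately simplified policy evaluation (Allow statements, Action wildcards and a StringEquals condition on ec2:Region only).

```python
import configparser
import fnmatch

# Assumed mapping from ec2.ini options to the API actions the inventory script calls.
OPTIONAL_CALLS = {"rds": ["rds:DescribeDBInstances"],
                  "elasticache": ["elasticache:DescribeCacheClusters"]}
SAMPLE_REGIONS = ["us-east-1", "us-east-2", "eu-west-1"]  # constructed stand-in for "all"

def planned_calls(ini_text):
    """Return (action, region) pairs implied by an ec2.ini; missing options mean enabled/all."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    regions = cfg.get("ec2", "regions", fallback="all")
    regions = SAMPLE_REGIONS if regions.strip() == "all" else [r.strip() for r in regions.split(",")]
    actions = ["ec2:DescribeInstances"]
    for option, extra in OPTIONAL_CALLS.items():
        if cfg.getboolean("ec2", option, fallback=True):
            actions += extra
    return [(a, r) for r in regions for a in actions]

def allows(policy, action, region):
    """Simplified check: Allow statements, Action wildcards, StringEquals on ec2:Region only."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("ec2:Region")
        if wanted is None or region == wanted:
            return True
    return False

def denied_calls(policy, ini_text):
    """Calls the inventory run would attempt that the policy does not allow."""
    return [(a, r) for a, r in planned_calls(ini_text) if not allows(policy, a, r)]

# The region-scoped policy from the last answer.
REGION_SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Action": "ec2:*", "Resource": "*", "Effect": "Allow",
    "Condition": {"StringEquals": {"ec2:Region": "us-east-2"}}}]}

DEFAULT_INI = "[ec2]\nregions = all\n"  # constructed: rds/elasticache left enabled
TRIMMED_INI = "[ec2]\nregions = us-east-2\nrds = False\nelasticache = False\n"

if __name__ == "__main__":
    print("default ini:", denied_calls(REGION_SCOPED, DEFAULT_INI))
    print("trimmed ini:", denied_calls(REGION_SCOPED, TRIMMED_INI))
```

With the trimmed ec2.ini nothing is refused, which lets the policy stay scoped to EC2 in one region instead of being widened to cover RDS and ElastiCache.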