I'm trying to use Ansible's `./ec2.py --list --refresh-cache` to list my AWS EC2 instances.
Via documentation, I've run through this checklist:

- AWS (docs via Amazon's Controlling Access to Amazon EC2 Resources & Error Codes)
  - Create an IAM User and corresponding IAM Group
  - Associated that User with that Group
  - Added a very open policy to the IAM Group*
- CLI (docs via Ansible's Dynamic Inventory)
  - Install `pip` and `boto`
  - Create a `~/.boto` file including `aws_access_key_id` and `aws_secret_access_key`, which I received from the AWS IAM User's Access Credentials
  - Installed `ec2.py` and `ec2.ini` to the same path and left both files untouched
  - Run `./ec2.py --list --refresh-cache`
*My policy:

```json
{
  "Statement": [
    {
      "Sid": "Stmt1427001800780",
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```
I did that and expected to be able to list the EC2 instances via `ec2.py` (which essentially routes through `boto`), but actually saw `Error connecting to AWS backend. You are not authorized to perform this operation`. I am, however, able to `ssh` directly into my EC2 instance via `ssh ubuntu@[ip]`.
I'm really banging my head against the wall here. What am I doing wrong?
EDIT: adding some new information as per @EEAA's suggestion.

When I use `pprint.pprint(e)` on Amazon's response:

```
EC2ResponseError: 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>UnauthorizedOperation</Code><Message>You are not authorized to perform this operation.</Message></Error></Errors><RequestID>b985d559-c410-4462-8b10-e0819fd81f12</RequestID></Response>
```
My `~/.boto` is configured like so:

```ini
[Credentials]
aws_access_key_id = removed
aws_secret_access_key = removed
```
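The question above turns on two things that are easy to check offline: whether the attached policy actually grants the action `ec2.py --list` needs (boto's `get_all_instances()`, i.e. `ec2:DescribeInstances`), and which credentials boto 2 will really send. The following is an added example, not code from the post, from Ansible or from boto. It contains a deliberately simplified IAM policy evaluator (explicit Deny beats Allow, which beats the implicit deny; `Condition`, `NotAction`, `NotResource` and `Principal` are rejected rather than modelled) and a helper that reports boto 2's credential source, using the documented precedence in which `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` in the environment win over the `[Credentials]` section of `~/.boto`. The `.boto` contents and key values below are constructed placeholders.

```python
import configparser
import json
import re

# Sample input, constructed here from the policy quoted in the post above.
POSTED_POLICY = json.loads("""
{
  "Statement": [
    {
      "Sid": "Stmt1427001800780",
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
""")

# The action ec2.py --list needs: it calls boto's get_all_instances(),
# which is the EC2 DescribeInstances API.
NEEDED_ACTION = "ec2:DescribeInstances"


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value):
    """IAM wildcard matching: '*' matches any run of characters, '?' exactly one.
    Action names are compared case-insensitively, as IAM does."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def evaluate(policy, action, resource="*"):
    """Simplified identity-policy evaluation in IAM's order: an explicit Deny
    always wins, otherwise any matching Allow grants, otherwise the request is
    implicitly denied. Condition/NotAction/NotResource/Principal are not
    modelled and are rejected so the simplification cannot mislead."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        for unsupported in ("Condition", "NotAction", "NotResource", "Principal"):
            if unsupported in stmt:
                raise NotImplementedError(f"{unsupported} is not modelled by this evaluator")
        if not any(_iam_match(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        if not any(_iam_match(p, resource) for p in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return "explicit_deny"
        if stmt.get("Effect") == "Allow":
            allowed = True
    return "allow" if allowed else "implicit_deny"


def credential_source(environ, boto_config_text):
    """Report where boto 2 (which ec2.py uses) takes its keys from: the
    environment variables are consulted before the [Credentials] section of
    ~/.boto, so a stale key exported in the shell silently wins over the file."""
    if environ.get("AWS_ACCESS_KEY_ID") and environ.get("AWS_SECRET_ACCESS_KEY"):
        return "environment"
    cfg = configparser.ConfigParser()
    cfg.read_string(boto_config_text)
    if (cfg.has_option("Credentials", "aws_access_key_id")
            and cfg.has_option("Credentials", "aws_secret_access_key")):
        return "boto_config"
    return "none"


# Constructed ~/.boto contents mirroring the post; the key values are placeholders.
SAMPLE_BOTO = """
[Credentials]
aws_access_key_id = AKIA_PLACEHOLDER
aws_secret_access_key = SECRET_PLACEHOLDER
"""

if __name__ == "__main__":
    print("policy verdict for", NEEDED_ACTION, "->", evaluate(POSTED_POLICY, NEEDED_ACTION))
    print("credential source, clean environment ->", credential_source({}, SAMPLE_BOTO))
    print("credential source, keys exported in shell ->",
          credential_source({"AWS_ACCESS_KEY_ID": "x", "AWS_SECRET_ACCESS_KEY": "y"}, SAMPLE_BOTO))
```

Run against the posted policy the evaluator returns `allow` for `ec2:DescribeInstances`, which is the point: a wildcard Allow with no Deny cannot produce `UnauthorizedOperation` on its own, so the 403 is worth attributing to the identity actually being used (run `credential_source(dict(os.environ), open(os.path.expanduser("~/.boto")).read())` on the affected host) before changing the policy further.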