
aws_secret lookup does not accept ARN

Open reskin89 opened this issue 1 year ago • 5 comments

Summary

When using the aws_secret lookup plugin, it seems it only accepts a secret name, but not a full ARN, resulting in a failure to read cross account secrets.

Issue Type

Bug Report

Component Name

aws_secret

Ansible Version

$ ansible --version
ansible [core 2.14.1]
  config file = None
  configured module search path = ['/Users/reskin011/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/ansible
  ansible collection location = /Users/reskin011/.ansible/collections:/usr/share/ansible/collections
  executable location = /Library/Frameworks/Python.framework/Versions/3.11/bin/ansible
  python version = 3.11.0 (v3.11.0:deaf509e8f, Oct 24 2022, 14:43:23) [Clang 13.0.0 (clang-1300.0.29.30)] (/Library/Frameworks/Python.framework/Versions/3.11/bin/python3)
  jinja version = 3.1.2
  libyaml = False

Collection Versions

$ ansible-galaxy collection list
community.aws                 5.0.0  

AWS SDK versions

$ pip show boto boto3 botocore

Name: boto
Version: 2.49.0
Summary: Amazon Web Services Library
Home-page: https://github.com/boto/boto/
Author: Mitch Garnaat
Author-email: [email protected]
License: MIT
Location: /Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages
Requires: 
Required-by: 
---
Name: boto3
Version: 1.26.47
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email: 
License: Apache License 2.0
Location: /Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages
Requires: botocore, jmespath, s3transfer
Required-by: aws-sam-cli, aws-sam-translator, serverlessrepo
---
Name: botocore
Version: 1.29.47
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email: 
License: Apache License 2.0
Location: /Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: boto3, s3transfer

Configuration

"{{ lookup( 'aws_secret', 'arn:aws:secretsmanager:us-east-1:{{ aws_account_id }}:secret:my-super-secret-password', region=secrets_region)  }}"

OS / Environment

Amazon Linux 2 and macOS

Steps to Reproduce

  1. Create a secret in an AWS account.
  2. Provide a role and policy to allow access to that secret in account 2.
  3. Use the playbook against a host with the proper role in account 2 with the below lookup call, replacing my-super-secret-password with the alias/name of your secret in the initial account:
"{{ lookup( 'aws_secret', 'arn:aws:secretsmanager:us-east-1:{{ aws_account_id }}:secret:my-super-secret-password', region=secrets_region)  }}"

Expected Results

I expect the secret to be read and its value rendered; instead, a permission denied reply comes back.

To ensure the instance can read the secret, running aws secretsmanager get-secret-value --secret-id FULLARN works without issue from the instance in question.

Actual Results

fatal: [REDACTED]: FAILED! => {
    "msg": "An unhandled exception occurred while running the lookup plugin 'aws_secret'. Error was a <class 'ansible.errors.AnsibleError'>, original message: Failed to access secret arn:aws:secretsmanager:us-east-1:REDACTED:secret:my-super-secret-password (AccessDenied). Failed to access secret arn:aws:secretsmanager:us-east-1:REDACTED:secret:my-super-secret-password (AccessDenied)"
}

But logging into this instance and using the aws CLI:

aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-east-1:REDACTED:secret:my-super-secret-password  --region us-east-1
{
    "Name": "my-super-secret-password",
    "VersionId": "9FBB258E-7D9F-4C88-8FD9-8EDFC24B9E2B",
    "SecretString": "REDACTED",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1690903868.277,
    "ARN": "arn:aws:secretsmanager:us-east-1:REDACTED:secret:my-super-secret-password-dXJZy5"
}

Code of Conduct

  • [X] I agree to follow the Ansible Code of Conduct

reskin89 Aug 09 '23 20:08
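As an added example (not the plugin's code and not from the issue author): a small Python helper that parses the ARN term from the lookup call above, tells a suffix-less ARN from the full ARN the CLI returns, and flags the two things worth checking before a cross-account lookup, the region passed alongside the ARN and the account of the identity actually making the call. The account numbers used are constructed.

```python
import re

# Shape of a Secrets Manager ARN (constructed pattern, not the plugin's own code):
#   arn:<partition>:secretsmanager:<region>:<12-digit account>:secret:<name>[-<6-char suffix>]
# AWS appends the random suffix (the "-dXJZy5" tail in the CLI output above); get-secret-value
# also accepts the ARN without it, which is what the reported lookup call passes.
_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z]+)*):secretsmanager:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):secret:(?P<name>[^:]+)$"
)


def parse_secret_term(term):
    """Classify a lookup term as a plain secret name or a parsed Secrets Manager ARN."""
    m = _ARN_RE.match(term)
    if m:
        return {"kind": "arn", **m.groupdict()}
    if term.startswith("arn:"):
        raise ValueError("malformed Secrets Manager ARN: %r" % term)
    return {"kind": "name", "name": term}


def same_secret(term, returned_arn):
    """True if a (possibly suffix-less) ARN term denotes the full ARN AWS returned."""
    if term == returned_arn:
        return True
    return bool(re.fullmatch(re.escape(term) + r"-[A-Za-z0-9]{6}", returned_arn))


def check_lookup_args(term, region=None, caller_account=None):
    """Return plain-text findings worth reviewing before a cross-account lookup.

    caller_account is the account of the identity running the lookup. Lookup plugins
    execute on the Ansible controller, so that is the controller's identity, not the
    managed host's instance role.
    """
    info = parse_secret_term(term)
    findings = []
    if info["kind"] == "name":
        if region is None:
            findings.append("plain name given without region; the SDK default region is used")
        return findings
    if region and region != info["region"]:
        findings.append("region mismatch: ARN is in %s but region=%s was passed" % (info["region"], region))
    if caller_account and caller_account != info["account"]:
        findings.append("cross-account read: caller %s, secret owned by %s; the secret needs a "
                        "resource policy granting the caller and a customer-managed KMS key "
                        "whose key policy allows it" % (caller_account, info["account"]))
    return findings
```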