Ansible AWS dynamic inventory: `./ec2.py --list` unauthorized
Solution 1
I was getting 'Forbidden' as the response to `./ec2.py --list`. It looks like a bug when not using RDS and a query request to describe RDS resources is made (as is the default with this plugin). Just disable the request in ec2.ini like this:

```ini
rds = False
```
Solution 2
If you are not using ElastiCache, you have to set that to False as well, so uncomment:

```ini
elasticache = False
```
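Both answers amount to the same rule: every lookup left enabled in ec2.ini must be permitted by the inventory user's IAM policy, or the run fails with UnauthorizedOperation. The checker below is an added example (not code from ec2.py or from the answers) that parses an ec2.ini, works out which optional lookups are still on, and evaluates each API action against the policy before the inventory is run, so a least-privilege policy can replace the question's `Action: "*"` without surprises. The mapping from ec2.ini switch to API action, the sample ec2.ini and the read-only policy are assumptions constructed for the example.

```python
import configparser
import fnmatch
import json

# Constructed sample ec2.ini: the RDS/ElastiCache lookups are still enabled.
EC2_INI = "[ec2]\nregions = all\nrds = True\nelasticache = True\n"

# Constructed least-privilege policy for an inventory-only IAM user
# (read-only on EC2 instead of the thread's Action "*").
IAM_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}]})

# Assumed mapping from ec2.ini switch to the API actions it triggers.
ACTIONS_BY_SWITCH = {
    "ec2": ["ec2:DescribeInstances"],  # always called
    "rds": ["rds:DescribeDBInstances"],
    "elasticache": ["elasticache:DescribeCacheClusters",
                    "elasticache:DescribeReplicationGroups"],
}

def enabled_switches(ini_text):
    """Return the ec2.ini switches that make ec2.py query a service."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    return ["ec2"] + [k for k in ("rds", "elasticache")
                      if cfg.getboolean("ec2", k, fallback=False)]

def policy_allows(policy_json, action):
    """Evaluate one action against the policy: an explicit Deny wins."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    allowed = False
    for st in statements:
        acts = st.get("Action", [])
        acts = [acts] if isinstance(acts, str) else acts
        # IAM action matching is case-insensitive and supports * and ?
        if any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in acts):
            if st.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed

def missing_permissions(ini_text, policy_json):
    """(switch, action) pairs ec2.py will attempt but the policy blocks."""
    return [(sw, act) for sw in enabled_switches(ini_text)
            for act in ACTIONS_BY_SWITCH[sw]
            if not policy_allows(policy_json, act)]
```

Each entry returned is either a lookup to switch off in ec2.ini (`rds = False`, `elasticache = False`) or a permission the inventory user genuinely needs; an empty list means the run will not hit the 403 from this cause.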
Comments
Morgan Delaney over 1 year

I'm trying to use Ansible's `./ec2.py --list --refresh-cache` to list my AWS EC2 instances. Via documentation, I've run through this checklist:

AWS (docs via Amazon's Controlling Access to Amazon EC2 Resources & Error Codes)
- Create an IAM User and corresponding IAM Group
- Associated that User with that Group
- Added a very open policy to the IAM Group*

CLI (docs via Ansible's Dynamic Inventory)
- Install `pip` and `boto`
- Create a `~/.boto` file including `aws_access_key_id` and `aws_secret_access_key`, which I received from the AWS IAM User's Access Credentials
- Installed `ec2.py` and `ec2.ini` to the same path and left both files untouched
- Run `./ec2.py --list --refresh-cache`

*My policy:

```json
{
  "Statement": [
    {
      "Sid": "Stmt1427001800780",
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

I did that and expected to be able to list the EC2 instances via `ec2.py`, which essentially routes through `boto`, but actually saw `Error connecting to AWS backend. You are not authorized to perform this operation`. I am however able to `ssh` directly into my EC2 instance via `ssh ubuntu@[ip]`. I'm really banging my head against the wall here. What am I doing wrong?

EDIT: adding some new information as per @EEAA's suggestion

When I use `pprint.pprint(e)` on Amazon's response:

```
EC2ResponseError: 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>UnauthorizedOperation</Code><Message>You are not authorized to perform this operation.</Message></Error></Errors><RequestID>b985d559-c410-4462-8b10-e0819fd81f12</RequestID></Response>
```

My `~/.boto` is configured like so:

```ini
[Credentials]
aws_access_key_id = removed
aws_secret_access_key = removed
```
EEAA about 9 years

1) What does AWS Support say? 2) Please post the full output of the command, run in verbose mode if possible. 3) Remove the bits about your ssh keys and being able to ssh into your instances - this has nothing to do with AWS API interactions.

tedder42 about 9 years

show the full output including errors, and show what your `~/.boto` file looks like.

Morgan Delaney about 9 years

@EEAA @tedder42 Added verbose `ec2.py` and `~/.boto` information to answer. @EEAA I came to SO before going to Amazon support, and if it's not a common mistake, I'll go there, thank you for direction.
jonatan over 8 years

I got the same error as @morgan-delaney and this was the solution

pztrick over 7 years

This is very dumb behavior. (Yes, it fixed it for me.)