Ansible AWS dynamic inventory: `./ec2.py --list` unauthorized

amazon-web-services ansible amazon-ec2 amazon-iam

I'm trying to use Ansible's ./ec2.py --list --refresh-cache to list my AWS EC2 instances.

Via documentation, I've run through this checklist:

  • AWS (docs via Amazon's Controlling Access to Amazon EC2 Resources & Error Codes)
    • Create an IAM User and corresponding IAM Group
    • Associated that User with that Group
    • Added a very open policy to the IAM Group*
  • CLI (docs via Ansible's Dynamic Inventory)
    • Install pip and boto
    • Create a ~/.boto file including aws_access_key_id and aws_secret_access_key which I received from the AWS IAM User's Access Credentials
    • Installed ec2.py and ec2.ini to the same path and left both files untouched
    • Run ./ec2.py --list --refresh-cache

*My policy:

{
  "Statement": [
    {
      "Sid": "Stmt1427001800780",
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

I did that and expected to be able to list the EC2 instances via ec2.py which essentially routes through boto, but actually saw Error connecting to AWS backend. You are not authorized to perform this operation. I am however able to ssh directly into my EC2 instance via ssh ubuntu@[ip].

I'm really banging my head against the wall here. What am I doing wrong?

EDIT: adding some new information as per @EEAA's suggestion

When I use pprint.pprint(e) on Amazon's response:

EC2ResponseError: 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>UnauthorizedOperation</Code><Message>You are not authorized to perform this operation.</Message></Error></Errors><RequestID>b985d559-c410-4462-8b10-e0819fd81f12</RequestID></Response>

My ~/.boto is configured like so: 

[Credentials]
aws_access_key_id = removed
aws_secret_access_key = removed

Solution 1:

I was getting 'Forbidden' as the response to './ec2.py --list'. It looks like a bug when not using RDS and a query request to describe RDS resources is made (as is the default with this plugin). Just disable the request in ec2.ini like this:

    rds = False

Solution 2:

If not using ElasticCache you have to set that to False as well. So uncomment

elasticache = False

Related

How do I find out if a uid exists?
vSphere Datastore for specific datatypes: NFS or iSCSI
Why sometimes AWS EC2 works really slow?
Which VM needs more resources?
Lightweight transparent compression filesystem?
Allow all rule for one interface using firewalld
How to decipher Powershell syntax for text formatting?
Can I mount a block device both over iSCSI and locally?
How to make it work Certificate pinning (HPKP) and self signed certificate in a local network?
getSignedUrl giving "SigningError: Failure from metadata server"
Curl through intermediate server
What availability is needed for an E-Mail server to not lose messages?