Ansible AWS dynamic inventory: `./ec2.py --list` unauthorized
I'm trying to use Ansible's ./ec2.py --list --refresh-cache to list my AWS EC2 instances.
Via documentation, I've run through this checklist:

AWS (docs via Amazon's Controlling Access to Amazon EC2 Resources & Error Codes)
- Create an IAM User and corresponding IAM Group
- Associate that User with that Group
- Add a very open policy to the IAM Group*

CLI (docs via Ansible's Dynamic Inventory)
- Install pip and boto
- Create a ~/.boto file including aws_access_key_id and aws_secret_access_key, which I received from the AWS IAM User's Access Credentials
- Install ec2.py and ec2.ini to the same path and leave both files untouched
- Run ./ec2.py --list --refresh-cache
*My policy:

    {
        "Statement": [
            {
                "Sid": "Stmt1427001800780",
                "Action": "*",
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
I did that and expected to be able to list the EC2 instances via ec2.py (which essentially routes through boto), but actually saw Error connecting to AWS backend. You are not authorized to perform this operation. I am, however, able to ssh directly into my EC2 instance via ssh ubuntu@[ip].
I'm really banging my head against the wall here. What am I doing wrong?
EDIT: adding some new information as per @EEAA's suggestion
When I use pprint.pprint(e) on Amazon's response:

    EC2ResponseError: 403 Forbidden
    <?xml version="1.0" encoding="UTF-8"?>
    <Response><Errors><Error><Code>UnauthorizedOperation</Code><Message>You are not authorized to perform this operation.</Message></Error></Errors><RequestID>b985d559-c410-4462-8b10-e0819fd81f12</RequestID></Response>
My ~/.boto is configured like so:

    [Credentials]
    aws_access_key_id = removed
    aws_secret_access_key = removed
Solution 1:
I was getting 'Forbidden' as the response to './ec2.py --list'. It looks like a bug when not using RDS and a query request to describe RDS resources is made (as is the default with this plugin). Just disable the request in ec2.ini like this:

    rds = False
Solution 2:
If not using ElastiCache, you have to set that to False as well. So uncomment:

    elasticache = False
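Both solutions above work by turning off the extra RDS and ElastiCache lookups in ec2.ini. The same toggles also decide which IAM permissions the inventory user actually needs, which matters because the question's policy grants "Action": "*". The script below is an added example, not code from the question, the answers or the Ansible project: it reads an ec2.ini, reports which services ec2.py would query, and emits a read-only IAM policy scoped to just those describe/list calls, plus a helper that applies the rds/elasticache = False fix from the answers. The mapping from each toggle to IAM actions is my assumption from the boto describe/list calls the script makes (it is not documented by Ansible), and the sample ec2.ini is constructed for the demo; `route53` is treated as a third optional lookup on the same assumption.

```python
"""Derive a least-privilege, read-only IAM policy from an ec2.ini file.

Added example; not code from the question, the answers, or Ansible.
Assumptions (labelled): the keys `rds`, `elasticache` and `route53` under
[ec2] toggle the extra lookups ec2.py performs, and SERVICE_ACTIONS lists
the read-only IAM actions those lookups need, derived from the boto
describe/list calls rather than from any Ansible documentation.
"""
import configparser
import json

# Constructed sample ec2.ini with the RDS and ElastiCache lookups enabled,
# i.e. the defaults that produced UnauthorizedOperation on the page.
SAMPLE_INI = """\
[ec2]
regions = all
destination_variable = public_dns_name
vpc_destination_variable = ip_address
route53 = False
rds = True
elasticache = True
all_instances = False
cache_path = ~/.ansible/tmp
cache_max_age = 300
"""

# Service toggle -> read-only IAM actions that lookup needs (assumption).
SERVICE_ACTIONS = {
    "ec2": ["ec2:DescribeInstances"],
    "rds": ["rds:DescribeDBInstances"],
    "elasticache": [
        "elasticache:DescribeCacheClusters",
        "elasticache:DescribeReplicationGroups",
    ],
    "route53": ["route53:ListHostedZones", "route53:ListResourceRecordSets"],
}


def enabled_services(ini_text):
    """Return the set of services ec2.py would query for this ec2.ini.

    EC2 itself is always queried; the optional services are read as
    booleans from [ec2] and default to False when the key is absent.
    """
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    services = {"ec2"}
    for svc in ("rds", "elasticache", "route53"):
        if cp.getboolean("ec2", svc, fallback=False):
            services.add(svc)
    return services


def least_privilege_policy(ini_text):
    """Build an IAM policy allowing only the describe/list calls needed.

    Replaces the page's "Action": "*" with actions scoped to the services
    the inventory actually touches. Describe/List calls do not support
    resource-level restrictions, so Resource stays "*".
    """
    actions = []
    for svc in sorted(enabled_services(ini_text)):
        actions.extend(SERVICE_ACTIONS[svc])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AnsibleEc2InventoryReadOnly",
                "Effect": "Allow",
                "Action": actions,
                "Resource": "*",
            }
        ],
    }


def disable_unused(ini_text, unused):
    """Return ini_text with the given service toggles set to False.

    Mirrors the fix from the answers (rds = False, elasticache = False)
    for accounts that have no RDS or ElastiCache resources to inventory.
    """
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    for svc in unused:
        cp.set("ec2", svc, "False")
    lines = []
    for section in cp.sections():
        lines.append("[%s]" % section)
        for key, value in cp.items(section):
            lines.append("%s = %s" % (key, value))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Policy for the defaults, then for the trimmed ec2.ini from the answers.
    print(json.dumps(least_privilege_policy(SAMPLE_INI), indent=2))
    trimmed = disable_unused(SAMPLE_INI, ["rds", "elasticache"])
    print(trimmed)
    print(json.dumps(least_privilege_policy(trimmed), indent=2))
```

Run it against your real ec2.ini (`least_privilege_policy(open("ec2.ini").read())`) and attach the resulting policy to the inventory user's group instead of "Action": "*"; if ec2.py then fails with UnauthorizedOperation, the error names the one call that is still missing, which is a much smaller haystack than a wildcard policy that is nonetheless denied.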