15

So I am trying to run ansible on my ec2 instances on aws, for the first time on a fresh instance, but every time I try to run a play I can't get around this error message:

    PLAY [localhost] **************************************************************

    TASK: [make one instance] *****************************************************
    failed: [localhost] => {"failed": true}
    msg: No handler was ready to authenticate. 1 handlers were checked. ['HmacAuthV4Handler'] Check your credentials

    FATAL: all hosts have already failed -- aborting

    PLAY RECAP ********************************************************************
               to retry, use: --limit @/home/ubuntu/ans_test.retry

    localhost                  : ok=0    changed=0    unreachable=0    failed=1

I think there may be something wrong with the permissions in my IAM user and group. I have given my IAM user and group ReadOnlyAccess, AdministratorAccess and PowerUserAccess. I have an access id and secret access key that I am setting as environmental variables with the commands:

    export AWS_ACCESS_KEY_ID='AK123'
    export AWS_SECRET_ACCESS_KEY='abc123'

With 'AK123' and 'abc123' replaced with my actual id and key values. What else do I need to do in order to get the ansible ec2 task working?

UPDATE:
I fixed the problem, I guess I didn't really have a solid understanding of what environmental variables are. I fixed it by just setting my aws_access_key and aws_secret_key inside of my ec2 task, below is my working playbook

    - hosts: localhost
      connection: local
      gather_facts: False

      tasks:
        # this task creates 5 ec2 instances that are all named demo and are copies of the image specified
        - name: Provision a set of instances
          ec2:
            aws_access_key: .....
            aws_secret_key: ....
            key_name: .....
            group: .....
            instance_type: t2.micro
            image: ......
            region: us-east-1
            ec2_url: .......
            wait: true
            exact_count: 5
            count_tag:
              Name: Demo
            instance_tags:
              Name: Demo
          register: ec2

I guess now I need to start using ansible vault to just hold my key and ID.

Alex Cohen
  • Can you include the playbook in your question? – jonatan Mar 02 '16 at 19:47
  • I think Ansible will not keep the environmental variables during the whole play. Have you tried to set the variables in the command, like `command: " export AWS_ACCESS_KEY_ID='AK123' && export AWS_SECRET_ACCESS_KEY='abc123' && actual command"`? – Henrik Pingel Mar 03 '16 at 14:49

5 Answers

12

For those hitting this problem, you can solve it by setting become/sudo: False and connection: local in the playbook.

    ---
    - hosts: localhost
      connection: local
      become: False
      tasks:
        ...
        ...

Hope this will help others.

Arbab Nazar
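
A diagnostic for the failure discussed above, as an added example that is not part of the original answers: it reports whether the two credential variables actually reach a child process, which is how `ansible-playbook` and the `ec2` module would receive them. The key value is constructed, and `env -i` stands in (as an assumption) for any wrapper, such as a privilege-escalation command, that starts the child with a reset environment.

```shell
#!/bin/sh
# child_sees NAME [WRAPPER...]: start a child shell, optionally through a wrapper
# command, and report whether NAME is set there. The value itself is never printed.
child_sees() {
    name=$1; shift
    if "$@" sh -c "[ -n \"\${$name:-}\" ]"; then
        echo present
    else
        echo missing
    fi
}

# aws_env_status [WRAPPER...]: what a freshly started child process would inherit
# from the current shell for the two variables used on this page.
aws_env_status() {
    for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
        echo "$v=$(child_sees "$v" "$@")"
    done
}

# propagation_report: the three cases side by side, run in a subshell so the
# caller's own environment is left untouched.
propagation_report() (
    unset AWS_ACCESS_KEY_ID
    AWS_ACCESS_KEY_ID='AKIACONSTRUCTED0000'   # constructed value; assigned, not exported
    assigned=$(child_sees AWS_ACCESS_KEY_ID)
    export AWS_ACCESS_KEY_ID
    exported=$(child_sees AWS_ACCESS_KEY_ID)
    # env -i is the assumed stand-in for a wrapper that resets the environment
    scrubbed=$(child_sees AWS_ACCESS_KEY_ID env -i PATH="$PATH")
    echo "assigned=$assigned exported=$exported scrubbed=$scrubbed"
)

propagation_report
```

Running `aws_env_status` in the shell that launches `ansible-playbook` shows whether the credentials are exported there at all, without echoing them to the terminal.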
4

I fixed the problem, I guess I didn't really have a solid understanding of what environmental variables are. I fixed it by just setting my aws_access_key and aws_secret_key inside of my ec2 task, below is my working playbook

    - hosts: localhost
      connection: local
      gather_facts: False

      tasks:
        # this task creates 5 ec2 instances that are all named demo and are copies of the image specified
        - name: Provision a set of instances
          ec2:
            aws_access_key: .....
            aws_secret_key: ....
            key_name: .....
            group: .....
            instance_type: t2.micro
            image: ......
            region: us-east-1
            ec2_url: .......
            wait: true
            exact_count: 5
            count_tag:
              Name: Demo
            instance_tags:
              Name: Demo
          register: ec2

I guess now I need to start using ansible vault to just hold my key and ID.

Alex Cohen
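
The working playbook above keeps `aws_access_key` and `aws_secret_key` as literals in the task, which is the exposure the closing remark about Ansible Vault refers to. As an added example (not the poster's code), this check lists playbook lines where either parameter holds a literal instead of a `{{ ... }}` variable reference; the sample playbook, its key values and the `vault_*` variable names are constructed.

```shell
#!/bin/sh
# find_inline_aws_creds FILE: print "LINE:PARAMETER" for every aws_access_key or
# aws_secret_key whose value is a literal. Values are never printed.
find_inline_aws_creds() {
    awk -v q="'" '
        /^[ \t]*#/ { next }
        /^[ \t]*aws_(access|secret)_key[ \t]*:/ {
            key = $0; sub(/^[ \t]*/, "", key); sub(/[ \t]*:.*$/, "", key)
            val = $0; sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            gsub(/^"|"$/, "", val); gsub("^" q "|" q "$", "", val)
            # an empty value or a pure Jinja2 reference is not an inline secret
            if (val == "") next
            if (substr(val, 1, 2) == "{{" && substr(val, length(val) - 1) == "}}") next
            print NR ":" key
        }
    ' "$1"
}

# Constructed sample: one task with inline keys, one that references vaulted variables.
sample_playbook() {
    cat <<'EOF'
- hosts: localhost
  connection: local
  tasks:
    - name: inline keys (flagged)
      ec2:
        aws_access_key: AKIACONSTRUCTED0000
        aws_secret_key: "constructed-secret"
        region: us-east-1
    - name: vaulted keys (not flagged)
      ec2:
        aws_access_key: "{{ vault_aws_access_key }}"
        aws_secret_key: "{{ vault_aws_secret_key }}"
        region: us-east-1
EOF
}

scan_sample() {
    tmp=$(mktemp) || return 1
    sample_playbook > "$tmp"
    find_inline_aws_creds "$tmp"
    rm -f "$tmp"
}

scan_sample
```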
3

In my case the variables must have been in quotes (single or double it does not matter).

BAD:

    export AWS_ACCESS_KEY_ID=AK123
    export AWS_SECRET_ACCESS_KEY=abc123

GOOD:

    export AWS_ACCESS_KEY_ID='AK123'
    export AWS_SECRET_ACCESS_KEY='abc123'

GOOD:

    export AWS_ACCESS_KEY_ID="AK123"
    export AWS_SECRET_ACCESS_KEY="abc123"

Andrzej Rehmann
  • 1
    It matters a lot if you have special chars in the var. Single quotes for example won't expand $ or !, whereas doubles will. This will cause auth failures if you use doubles with these characters – krad Oct 13 '17 at 13:24
0

It's worth mentioning that the ec2 module makes use of the package boto, while there is a newer module ec2_instance, which uses boto3.

Apparently there are differences in how these two packages/versions detect credentials or their environment. I have not found a solution to make the ec2 module work inside an ECS container, most probably because ECS did not exist when the last version of boto was released and therefore it doesn't have the capabilities to detect the "instance profile" of the ECS container. With ec2_instance this works out of the box without any additional configuration required.

udondan
0

This is what a sample .boto file should look like; anything else will give issues and lead to errors.

    [Credentials]
    #aws_access_key_id =
    #aws_secret_access_key =

  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Feb 24 '23 at 01:03
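
An added example, not part of the original answer: a check for a boto config file in the format shown above that reports a missing `[Credentials]` section, keys that are absent or still commented out, and group or world access to the file, without printing any key value. The sample files and their values are constructed.

```shell
#!/bin/sh
# check_boto_file FILE: print one line per problem found in a boto config file.
# Key values are never printed. No output means the file passed every check.
check_boto_file() {
    f=$1
    [ -f "$f" ] || { echo "file not found"; return 0; }
    awk '
        /^[ \t]*[#;]/ { next }      # commented-out lines set nothing
        /^[ \t]*\[/   { in_c = ($0 ~ /^[ \t]*\[Credentials\][ \t]*$/)
                        if (in_c) seen = 1
                        next }
        in_c && /^[ \t]*aws_access_key_id[ \t]*[=:][ \t]*[^ \t]/     { id = 1 }
        in_c && /^[ \t]*aws_secret_access_key[ \t]*[=:][ \t]*[^ \t]/ { sk = 1 }
        END {
            if (!seen) print "no [Credentials] section"
            if (!id)   print "aws_access_key_id not set"
            if (!sk)   print "aws_secret_access_key not set"
        }
    ' "$f"
    # Characters 5-10 of the ls -l mode string are the group and other bits.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        echo "readable or writable by group/other"
}

# Constructed samples: the template as posted (keys commented out, mode 600)
# and a filled-in file left at mode 644.
boto_demo() (
    d=$(mktemp -d) || exit 1
    printf '[Credentials]\n#aws_access_key_id =\n#aws_secret_access_key =\n' \
        > "$d/template"
    printf '[Credentials]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
        AKIACONSTRUCTED0000 constructed-secret > "$d/filled"
    chmod 600 "$d/template"
    chmod 644 "$d/filled"
    echo "template: $(check_boto_file "$d/template" | tr '\n' ';')"
    echo "filled: $(check_boto_file "$d/filled" | tr '\n' ';')"
    rm -rf "$d"
)

boto_demo
```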