I have an Ansible playbook which runs the following task from a Jenkins job:

- name: printing get caller
  shell: "aws sts get-caller-identity"
  register: var_caller

- debug:
    msg: "{{var_caller.stdout}}"

And it returns the following output:

ok: [local-server] => {
    "msg": {
        "Account": "8693XXXXXX",
        "Arn": "arn:aws:iam::8693XXXXXX:user/user-A",
        "UserId": "AIDAJEXXXXXXXXXX"
    }
}

And when I run the same command manually from the command line, it gives an assumed-role output and the account ID is also different:

[root@local-server] aws sts get-caller-identity
{
    "UserId": "AROAZXXXXXXXX:i-01143d8XXXXXXX",
    "Account": "653XXXXXXX",
    "Arn": "arn:aws:sts::653XXXXXXX:assumed-role/role-A/i-01143d8XXXXXXX"
}

Isn't it supposed to return the same thing? What could be the misconfiguration here?

NOTE: I'm not using any kind of AWS credentials; the EC2 local-server has the IAM role role-A assigned.

Gaurav Sharma
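The question does not say where the `user/user-A` identity comes from, but the AWS CLI resolves credentials through a fixed provider chain and stops at the first hit, so a process can silently use a static key even on a host that has an instance role. The following resolver is an added example (not code from the question or from the AWS CLI) that models the three providers relevant on an EC2 host, in their real precedence order: environment variables, the shared credentials file, then the instance profile. The Jenkins and root-shell environments, the key IDs and the file contents are constructed; whether the Jenkins job really exports a key is an assumption to be verified on the agent.

```python
import configparser
import os
from typing import Dict, Optional, Tuple

# Providers modelled here, in the order the AWS CLI/SDKs consult them.
# Container credentials, SSO and credential_process are deliberately omitted.
ENV_KEYS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")


def resolve_credential_source(env: Dict[str, str],
                              credentials_file_text: str,
                              instance_role: Optional[str]) -> Tuple[str, Optional[str]]:
    """Return (provider, hint) for the first provider that would win.

    hint is the access key id for static credentials or the role name for
    the instance profile, so it can be matched against what
    `aws sts get-caller-identity` reports for that process.
    """
    # 1. Environment variables beat every other provider.
    if all(env.get(k) for k in ENV_KEYS):
        return ("environment", env["AWS_ACCESS_KEY_ID"])

    # 2. The shared credentials file (~/.aws/credentials); the section is
    #    chosen by AWS_PROFILE and defaults to [default].
    profile = env.get("AWS_PROFILE", "default")
    cfg = configparser.ConfigParser()
    cfg.read_string(credentials_file_text)
    if cfg.has_option(profile, "aws_access_key_id"):  # False if section is absent
        return (f"shared-credentials-file:{profile}", cfg.get(profile, "aws_access_key_id"))

    # 3. No static credentials: the instance profile role is used.
    if instance_role:
        return ("instance-profile", instance_role)
    return ("none", None)


def compare_contexts() -> Dict[str, Tuple[str, Optional[str]]]:
    """Constructed scenario mirroring the question: a Jenkins agent whose job
    exports a long-term user key, versus a root shell with no static
    credentials, both on one instance with role-A attached."""
    jenkins_env = {"AWS_ACCESS_KEY_ID": "AKIAEXAMPLEJENKINS",  # constructed value
                   "AWS_SECRET_ACCESS_KEY": "constructed-secret"}
    root_env: Dict[str, str] = {}
    no_creds_file = ""
    return {
        "jenkins": resolve_credential_source(jenkins_env, no_creds_file, "role-A"),
        "root-shell": resolve_credential_source(root_env, no_creds_file, "role-A"),
    }


def audit_local_host(instance_role: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Run the same resolution against the real environment and
    ~/.aws/credentials of the account executing this script."""
    path = os.path.expanduser("~/.aws/credentials")
    text = open(path).read() if os.path.exists(path) else ""
    return resolve_credential_source(dict(os.environ), text, instance_role)


if __name__ == "__main__":
    for ctx, (provider, hint) in compare_contexts().items():
        print(f"{ctx:>10}: {provider} ({hint})")
    print("this host:", audit_local_host(instance_role="<attached role, if any>"))
```

Running `audit_local_host` as the same user the Jenkins agent runs as, inside a job step, shows which provider that process actually picks up. If it reports `environment` or `shared-credentials-file` on a host that is meant to rely on its instance role, the static key is an extra credential with its own lifetime and permissions; removing it from the job (or the agent user's home directory) makes both paths report the same assumed-role identity.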

1 Answer

On ansible [core 2.13.3] the output is the same:

TASK [debug] *********************************************************************
ok: [localhost] => {
    "msg": [
        "{",
        "    \"UserId\": \"AIDXXXXXXXXXXXXXXXXX\",",
        "    \"Account\": \"1234567891011\",",
        "    \"Arn\": \"arn:aws:iam::1234567891011:user/username\"",
        "}"
    ]
}
aws sts get-caller-identity
{
    "UserId": "AIDXXXXXXXXXXXXXXXXX",
    "Account": "1234567891011",
    "Arn": "arn:aws:iam::1234567891011:user/username"
}

Please avoid using shell commands in Ansible. Always use modules when possible. For your case there is the aws_caller_info module:

- hosts: localhost
  gather_facts: no
  tasks:
  - name: Get the current caller identity information
    amazon.aws.aws_caller_info:
    register: var_caller

  - debug:
      msg: "{{ var_caller }}"

TASK [debug] *********************************************************************
ok: [localhost] => {
    "msg": {
        "account": "1234567891011",
        "account_alias": "account-alias",
        "arn": "arn:aws:iam::1234567891011:user/username",
        "changed": false,
        "failed": false,
        "user_id": "AIDXXXXXXXXXXXXXXXXX"
    }
}

You can then get the single values like this:

- debug:
    msg: "{{ var_caller.user_id }}"
Khaled
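The answer shows the two result shapes a playbook may end up with: the shell task's stdout (a JSON string, printed by Ansible as a list of lines) with the CLI's `Account`/`Arn`/`UserId` keys, and the module's dict with lower-case `account`/`arn`/`user_id` keys. The following check is an added example (not part of Khaled's answer or of the amazon.aws collection) that accepts either shape, classifies the principal from its ARN and UserId prefix, and reports when the caller is not the expected assumed role in the expected account, which is the guard that would have flagged the `user/user-A` identity in the question. The account numbers, ARNs and IDs are constructed; the ARN layouts and the AIDA (IAM user) / AROA (IAM role) UserId prefixes are AWS conventions.

```python
import json
import re
from typing import Any, Dict, List, Optional

# Caller ARN layouts returned by sts get-caller-identity:
#   arn:aws:iam::<account>:user/<optional path/>name
#   arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
#   arn:aws:iam::<account>:root
ARN_RE = re.compile(
    r"^arn:aws:(?:iam|sts)::(\d{12}):(user|assumed-role|root|federated-user)(?:/(.*))?$"
)

# Constructed samples, one per output shape shown in the answer.
SHELL_STDOUT = """{
    "Account": "111111111111",
    "Arn": "arn:aws:iam::111111111111:user/user-A",
    "UserId": "AIDAEXAMPLEUSERID000"
}"""
MODULE_RESULT: Dict[str, Any] = {
    "account": "222222222222",
    "account_alias": "constructed-alias",
    "arn": "arn:aws:sts::222222222222:assumed-role/role-A/i-0abc123def456",
    "changed": False,
    "failed": False,
    "user_id": "AROAEXAMPLEROLEID000:i-0abc123def456",
}


def normalize_identity(raw: Any) -> Dict[str, str]:
    """Accept the shell task's stdout (JSON string or list of lines) or the
    aws_caller_info dict; return {account, arn, user_id}."""
    if isinstance(raw, list):
        raw = "\n".join(raw)
    if isinstance(raw, str):
        raw = json.loads(raw)
    # "UserId" (CLI) and "user_id" (module) collapse to the same key once
    # case and underscores are dropped.
    flat = {k.lower().replace("_", ""): v for k, v in raw.items()}
    return {"account": flat["account"], "arn": flat["arn"], "user_id": flat["userid"]}


def classify_principal(identity: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Split the caller ARN into account, principal kind, name and session."""
    m = ARN_RE.match(identity["arn"])
    if not m:
        raise ValueError(f"unrecognised caller ARN: {identity['arn']}")
    account, kind, rest = m.groups()
    rest = rest or ""
    if kind == "assumed-role":
        name, _, session = rest.partition("/")   # role-name / session-name
    else:
        name = rest.rsplit("/", 1)[-1] if rest else ""  # drop any IAM path
        session = ""
    return {"account": account, "kind": kind, "name": name or None, "session": session or None}


def user_id_kind(user_id: str) -> str:
    """Classify the UserId by prefix: AIDA is an IAM user, AROA an IAM role
    (an assumed-role session appends ':session-name')."""
    if user_id.startswith("AIDA"):
        return "iam-user"
    if user_id.startswith("AROA"):
        return "iam-role-session" if ":" in user_id else "iam-role"
    return "other"


def check_expected(identity: Dict[str, str], expected_account: str,
                   expected_role: str) -> List[str]:
    """Return a list of problems; empty means the caller is the expected
    assumed role in the expected account."""
    p = classify_principal(identity)
    problems = []
    if p["account"] != expected_account:
        problems.append(f"account {p['account']} != expected {expected_account}")
    if p["kind"] != "assumed-role" or p["name"] != expected_role:
        problems.append(f"principal is {p['kind']}/{p['name']}, expected assumed-role/{expected_role}")
    return problems


if __name__ == "__main__":
    for label, raw in (("shell stdout", SHELL_STDOUT.splitlines()), ("module", MODULE_RESULT)):
        ident = normalize_identity(raw)
        print(label, classify_principal(ident), user_id_kind(ident["user_id"]),
              check_expected(ident, "222222222222", "role-A") or "OK")
```

Wired into the playbook as an `assert` task (or run as a script right after `aws_caller_info`), this turns the account mismatch from the question into a failed play before any later task runs with the wrong identity.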