kms_key_info - improve AccessDeniedException handing (#1332)

kms_key_info - improve AccessDeniedException handing SUMMARY fixes: #206 Because KMS doesn't support server-side filtering of keys we have to pull full metadata for all KMS keys unless querying a specific key. This can result in additional permission denied errors, even though we may have permissions to read many of the keys. Try to handle AccessDeniedException more liberally. ISSUE TYPE Bugfix Pull Request COMPONENT NAME kms_key_info ADDITIONAL INFORMATION Reviewed-by: Joseph Torcasso <None>
ansible-collections · Jul 9, 2022 · 5e1466e · 5e1466e
1 parent ed4165d
commit 5e1466e
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 2 deletions.
diff --git a/changelogs/fragments/206-kms_key_info.yml b/changelogs/fragments/206-kms_key_info.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- kms_key_info - handle access denied errors more liberally (https://github.com/ansible-collections/community.aws/issues/206).
diff --git a/plugins/modules/kms_key_info.py b/plugins/modules/kms_key_info.py
@@ -435,13 +435,19 @@ def get_key_details(connection, module, key_id, tokens=None):
         key_id = result['Arn']
     except is_boto3_error_code('NotFoundException'):
         return None
+    except is_boto3_error_code('AccessDeniedException'):  # pylint: disable=duplicate-except
+        module.warn('Permission denied fetching key metadata ({0})'.format(key_id))
+        return None
     except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:  # pylint: disable=duplicate-except
         module.fail_json_aws(e, msg="Failed to obtain key metadata")
     result['KeyArn'] = result.pop('Arn')
 
     try:
         aliases = get_kms_aliases_lookup(connection)
-    except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
+    except is_boto3_error_code('AccessDeniedException'):
+        module.warn('Permission denied fetching key aliases')
+        aliases = {}
+    except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:  # pylint: disable=duplicate-except
         module.fail_json_aws(e, msg="Failed to obtain aliases")
     # We can only get aliases for our own account, so we don't need the full ARN
     result['aliases'] = aliases.get(result['KeyId'], [])
@@ -452,8 +458,12 @@ def get_key_details(connection, module, key_id, tokens=None):
 
     try:
         result['grants'] = get_kms_grants_with_backoff(connection, key_id, tokens=tokens)['Grants']
-    except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
+    except is_boto3_error_code('AccessDeniedException'):
+        module.warn('Permission denied fetching key grants ({0})'.format(key_id))
+        result['grants'] = []
+    except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:  # pylint: disable=duplicate-except
         module.fail_json_aws(e, msg="Failed to obtain key grants")
+
     tags = get_kms_tags(connection, module, key_id)
 
     result = camel_dict_to_snake_dict(result)

diff --git a/tests/integration/targets/kms_key/roles/aws_kms/tasks/test_grants.yml b/tests/integration/targets/kms_key/roles/aws_kms/tasks/test_grants.yml
@@ -82,6 +82,10 @@
         that:
           - key.changed
 
+    # Roles can take a little while to get ready, pause briefly to give it chance
+    - wait_for:
+        timeout: 20
+
     - name: Add grant
       aws_kms:
         alias: '{{ kms_key_alias }}'