community.aws.dynamodb_table ignores AWS role #486

Closed
szpak opened this issue Mar 19, 2021 · 8 comments
Labels
bug This issue/PR relates to a bug module module plugins plugin (any type)

@szpak
szpak commented Mar 19, 2021

SUMMARY

community.aws.dynamodb_table silently ignores AWS role.

ISSUE TYPE

  • Bug Report

COMPONENT NAME

dynamodb_table

ANSIBLE VERSION

ansible 2.9.18
  ...
  python version = 3.9.2 (default, Feb 20 2021, 00:00:00) [GCC 10.2.1 20201125 (Red Hat 10.2.1-9)]

OS / ENVIRONMENT

Fedora 33

STEPS TO REPRODUCE

Having the following playbook:

---
- hosts: localhost
  gather_facts: no
  tasks:
    - name: Get the current caller identity information
      amazon.aws.aws_caller_info:
        region: "{{ aws_region }}"
        profile: "{{ aws_profile }}"

    - name: Create dynamodb table
      community.aws.dynamodb_table:
        name: "test-ansible-table"
        hash_key_name: "LockID"
        hash_key_type: STRING
        region: "{{ aws_region }}"
        profile: "{{ aws_profile }}"

    - name: Create S3 bucket
      amazon.aws.aws_s3:
        bucket: "test-ansible-bucket"
        mode: create
        profile: "{{ aws_profile }}"
        region: "{{ aws_region }}"
  vars:
    - aws_profile: some-role
    - aws_region: eu-central-1

and the following ~/.aws/config:

[default]
region = eu-central-1
output = json

[profile some-role]
role_arn = arn:aws:iam::DIFFERENT_ACCOUNT:role/some-role
source_profile = default

and ~/.aws/credentials (not very elegant):

[default]
aws_access_key_id = MY_KEY_ID
aws_secret_access_key = MY_ACCESS_KEY

[some-role]
aws_access_key_id = MY_KEY_ID
aws_secret_access_key = MY_ACCESS_KEY

amazon.aws.aws_caller_info and amazon.aws.aws_s3 execute in the context of the AWS role defined in a profile, while community.aws.dynamodb_table silently ignores it (creating a table in an unexpected place/scope/account). One can even set a non-existing role to have community.aws.dynamodb_table executed without any problem, while the other tool fails.

I realize that only aws.dynamodb_table is from the community package, but I put it here to ensure my AWS configuration (seems to be) ok. However, the behavior is somehow inconsistent with the documentation where the profile field is mentioned and no limitations about role ARNs are mentioned.

Looking at that PR most suggests that the problem might be caused by the fact that dynamodb_table uses boto which might not support the aforementioned. However, I might be wrong here.

It would be good to have it supported.

ansible 2.9.18, community.aws 1.4.0, amazon.aws 1.4.1, Fedora 33.

EXPECTED RESULTS

Configured role_arn is used for performed operation.

ACTUAL RESULTS

Configured role_arn is ignored and a table is created in the wrong (basic) account.
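An added example, not part of the original report or of the collection's code: a small audit of the two files shown above that lists every profile setting role_arn and the static key a client would fall back to if it reads only the credentials file and skips role_arn. The function name and the sample strings are constructed for illustration, and the "reads only the credentials file" behaviour is an assumption about such a client.

```python
import configparser

# Constructed sample files that mirror the layout in the report (placeholder values).
SAMPLE_CONFIG = """\
[default]
region = eu-central-1

[profile some-role]
role_arn = arn:aws:iam::DIFFERENT_ACCOUNT:role/some-role
source_profile = default
"""
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = MY_KEY_ID
aws_secret_access_key = MY_ACCESS_KEY

[some-role]
aws_access_key_id = MY_KEY_ID
aws_secret_access_key = MY_ACCESS_KEY
"""


def _parse(text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def audit_role_profiles(config_text, credentials_text):
    """Report every profile that sets role_arn, and which static key (if any)
    a client that only reads the credentials file would use instead."""
    config, creds = _parse(config_text), _parse(credentials_text)
    findings = {}
    for section in config.sections():
        if not config.has_option(section, "role_arn"):
            continue
        # The config file names sections "profile NAME"; the credentials file uses "NAME".
        name = section[len("profile "):] if section.startswith("profile ") else section
        source = config.get(section, "source_profile", fallback=None)
        fallback_key = creds.get(name, "aws_access_key_id", fallback=None)
        source_key = creds.get(source, "aws_access_key_id", fallback=None) if source else None
        findings[name] = {
            "role_arn": config.get(section, "role_arn"),
            "fallback_key_id": fallback_key,
            # True means the fallback is the source identity: valid keys, wrong account.
            "runs_as_source": fallback_key is not None and fallback_key == source_key,
        }
    return findings


if __name__ == "__main__":
    for name, finding in audit_role_profiles(SAMPLE_CONFIG, SAMPLE_CREDENTIALS).items():
        print(name, finding)
```

A profile reported with runs_as_source set to True matches the layout in the report: the same static keys are stored under the role profile's name, so skipping role_arn produces no authentication error and the call lands in the source account.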

@ansibullbot

Files identified in the description:
None

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

@ansibullbot ansibullbot added bug This issue/PR relates to a bug needs_triage labels Mar 19, 2021
@szpak
Author

szpak commented Mar 19, 2021

!component

@ansibullbot ansibullbot added module module plugins plugin (any type) labels Mar 19, 2021
@goneri
Member

goneri commented Jun 15, 2021

Hi @szpak,

Thank you for reporting this. As you've guessed, the difference in behavior comes from the use of boto2. This module needs to be ported to boto3.

@marknet15
Contributor

Probably this is resolved now by #726

@tremble
Contributor

tremble commented Oct 16, 2021

@marknet15 Thanks for following up here. Yes, this should be resolved by #726 and will be available with release 2.1.0 of the community.aws collection. As such I'm going to close this issue.

@tremble tremble closed this as completed Oct 16, 2021
@szpak
Author

szpak commented Oct 16, 2021

Great, thanks @tremble! I will try to retest it with 2.1.0, but looking at the changes it looks fine.
