Ansible lookup plugin error #291

Closed
gruebel opened this issue Apr 6, 2020 · 3 comments · Fixed by #293

gruebel commented Apr 6, 2020

After upgrading to the latest credstash version 0.17.0 on our Ansible deployment server, we get the following error:

{
    "changed": false,
    "msg": "AnsibleError: An unhandled exception occurred while templating '{{ lookup('credstash', 'xxx') }}'. Error was a <class 'ansible.errors.AnsibleError'>, original message: An unhandled exception occurred while running the lookup plugin 'credstash'. Error was a <class 'ansible.errors.AnsibleError'>, original message: Encountered exception while fetching xxx: Could not connect to the endpoint URL: \"https://kms.credential-store.amazonaws.com/\""
}

After digging deeper into the mechanism of the Ansible lookup plugin and how it calls credstash, I found the culprit. With PR #268 the parameter order of getSecret() was changed, and the Ansible plugin uses positional arguments instead of named ones. So, basically, the latest version breaks the usage of positional arguments for everyone. I think it would be a good idea to move the new parameter kms_region to the end of the function call. The same probably goes for all the other functions too. I'm happy to add a PR to fix the problem, but I don't want to waste my time if you are not willing to apply that change.


zswanson commented Apr 6, 2020

I think this is the cause of similar problems we're seeing today, where the Ansible plugin reverts to using the default credstash table name 'credential-store', which doesn't exist in our environment. (We pass the lookup a variable 'credential_store' with the actual table name.)

AnsibleError: An unhandled exception occurred while templating '{{ lookup('credstash', 'XXXXXXX', table=credential_store, region=aws_region) }}'. Error was a <class 'ansible.errors.AnsibleError'>, original message: An unhandled exception occurred while running the lookup plugin 'credstash'. Error was a <class 'ansible.errors.AnsibleError'>, original message: Encountered exception while fetching XXXXXXX: An error occurred (AccessDeniedException) when calling the Query operation: User: XXXXXXXXXX is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:XXXXXXXXXX :table/credential-store
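
Added example, not part of the thread and not credstash's or the Ansible plugin's own code: it reproduces the failure mode described above, where a parameter inserted in the middle of a signature silently rebinds positional arguments, so a table name lands in the KMS region slot and the table falls back to its default. The three `get_secret_*` functions, their return values and the sample call are simplified, hypothetical stand-ins; `positional_breaks` is a check that could run in a test suite before a release.

```python
import inspect

# Simplified stand-ins (assumed, not credstash's real code) for the signature
# before and after a new parameter was inserted ahead of `table`.
def get_secret_old(name, version="", region=None, table="credential-store"):
    return {"region": region, "kms_region": region, "table": table}

def get_secret_new(name, version="", region=None, kms_region=None,
                   table="credential-store"):
    return {"region": region, "kms_region": kms_region or region, "table": table}

# Compatible alternative: the new parameter is appended and keyword-only,
# so no existing positional slot changes meaning.
def get_secret_fixed(name, version="", region=None, table="credential-store",
                     *, kms_region=None):
    return {"region": region, "kms_region": kms_region or region, "table": table}

def positional_names(func):
    """Names a caller can bind by position, in declaration order."""
    kinds = (inspect.Parameter.POSITIONAL_ONLY,
             inspect.Parameter.POSITIONAL_OR_KEYWORD)
    return [p.name for p in inspect.signature(func).parameters.values()
            if p.kind in kinds]

def positional_breaks(old, new):
    """Return (index, old_name, new_name) for each positional slot whose
    meaning changed. An empty list means old positional calls still bind
    to the same parameters."""
    old_names, new_names = positional_names(old), positional_names(new)
    breaks = []
    for i, name in enumerate(old_names):
        got = new_names[i] if i < len(new_names) else None
        if got != name:
            breaks.append((i, name, got))
    return breaks

# Constructed call with every argument passed by position.
CALL = ("xxx", "", "eu-central-1", "my-secrets-table")

if __name__ == "__main__":
    print(get_secret_old(*CALL))
    print(get_secret_new(*CALL))    # table name is bound to kms_region
    print(get_secret_fixed(*CALL))
    print(positional_breaks(get_secret_old, get_secret_new))
    print(positional_breaks(get_secret_old, get_secret_fixed))
```

A secrets lookup that silently queries a different table or KMS region than the caller intended is worth failing loudly on, which is why the keyword-only form is the safer way to extend such a signature.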


mike-luminal commented Apr 9, 2020

Thanks for the quick feedback and identifying the bug. I will put out a bugfix release this weekend to address this issue.

mike-luminal added this to the 1.17.1 milestone Apr 9, 2020

@mike-luminal

Resolved by #293

mike-luminal linked a pull request Apr 11, 2020 that will close this issue