我有一个新的 Ansible AWX 服务器正在运行,我想做的一件事是创建 AWS 实例的 AMI,然后再安装实例的定期更新。
我的剧本在安装更新方面运行良好,但我无法让 AWX UI 通过模板正确传递 AWS 凭证。
我正在运行一个仅创建 AMI 的测试模板,并且我始终失败并显示有关未找到凭据的消息。
AWX 有一个凭证部分。我添加了具有执行此操作权限的 IAM 用户的访问密钥和秘密密钥。尽管将该凭据添加到作业模板,但这是我得到的输出:
{
"_ansible_parsed": true,
"exception": "Traceback (most recent call last):\n File \"/tmp/ansible_fj8G6M/ansible_module_ec2_ami.py\", line 433, in create_image\n image_id = connection.create_image(**params).get('ImageId')\n File \"/usr/lib/python2.7/site-packages/botocore/client.py\", line 320, in _api_call\n return self._make_api_call(operation_name, kwargs)\n File \"/usr/lib/python2.7/site-packages/botocore/client.py\", line 610, in _make_api_call\n operation_model, request_dict)\n File \"/usr/lib/python2.7/site-packages/botocore/endpoint.py\", line 102, in make_request\n return self._send_request(request_dict, operation_model)\n File \"/usr/lib/python2.7/site-packages/botocore/endpoint.py\", line 132, in _send_request\n request = self.create_request(request_dict, operation_model)\n File \"/usr/lib/python2.7/site-packages/botocore/endpoint.py\", line 116, in create_request\n operation_name=operation_model.name)\n File \"/usr/lib/python2.7/site-packages/botocore/hooks.py\", line 356, in emit\n return self._emitter.emit(aliased_event_name, **kwargs)\n File \"/usr/lib/python2.7/site-packages/botocore/hooks.py\", line 228, in emit\n return self._emit(event_name, kwargs)\n File \"/usr/lib/python2.7/site-packages/botocore/hooks.py\", line 211, in _emit\n response = handler(**kwargs)\n File \"/usr/lib/python2.7/site-packages/botocore/signers.py\", line 90, in handler\n return self.sign(operation_name, request)\n File \"/usr/lib/python2.7/site-packages/botocore/signers.py\", line 157, in sign\n auth.add_auth(request)\n File \"/usr/lib/python2.7/site-packages/botocore/auth.py\", line 356, in add_auth\n raise NoCredentialsError\nNoCredentialsError: Unable to locate credentials\n",
"_ansible_no_log": false,
"botocore_version": "1.12.16",
"changed": false,
"invocation": {
"module_args": {
"enhanced_networking": null,
"purge_tags": false,
"launch_permissions": null,
"ramdisk_id": null,
"no_reboot": false,
"ec2_url": null,
"aws_secret_key": null,
"billing_products": null,
"state": "present",
"virtualization_type": "hvm",
"sriov_net_support": null,
"architecture": "x86_64",
"profile": null,
"image_location": null,
"description": "",
"tags": {
"Name": "i-sdfsdf987987"
},
"kernel_id": null,
"image_id": null,
"wait_timeout": 900,
"wait": false,
"aws_access_key": null,
"name": "i-sdfsdf987987",
"security_token": null,
"delete_snapshot": false,
"region": "eu-west-2",
"instance_id": "i-sdfsdf987987",
"root_device_name": null,
"validate_certs": true,
"device_mapping": null
}
},
"msg": "Error registering image: Unable to locate credentials",
"boto3_version": "1.9.16"
这是我的剧本:
---
- hosts: all
remote_user: "{{ remote_user }}"
become: yes
tasks:
- name: create an ami
ec2_ami:
instance_id: "{{ instance_id }}"
name: "{{ instance_id }}"
region: "{{ aws_region }}"
tags:
Name: "{{ instance_id }}"
如果我在 AWX UI 中手动将凭据添加为主机上的变量,则添加以下行:
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
那么一切都很好。但这似乎忽略了使用 AWX 的凭证存储支持的明显优势。
环境细节:
- 可靠的 2.6.4
- awx 版本 1.0.7.2
- Ubuntu 18.04.1
谁能看到我做错了什么?
好的,所以最后我改为在每台机器上配置 AWS 凭证并以这种方式完成。似乎应该可以按照我最初尝试的方式来做,但我需要这个工作。
在目标机器上,确保
awscli tools
已安装,然后运行aws configure
以添加凭据、默认区域以及是否喜欢默认输出选项。您还需要确保
pip
和已安装。boto
botocore
然后我通过这样的剧本更新:
如您所见,我删除
region
了每台机器上指定的内容,并调整了我命名 AMI 的方式。我也删除become
了,因为 AWS 配置不是在 root 用户下完成的,所以这也会导致失败。