[s3_object] An error occurred (AccessDenied) when calling the GetObjectTagging operation: Access Denied
dhoppe opened this issue · 4 comments
dhoppe commented
Summary
When I try to get a presigned URL for a specific version of an S3 object, the Ansible playbook fails. If I remove the version everything works fine.
Since the following command works fine, I can rule out missing permissions.
$ aws s3api get-object-tagging --bucket bt-installer --key public/aws-cli/awscli-exe-linux-x86_64.zip
{
    "VersionId": "zpKl8rWJVw.dFnAm9fWzmpI4rDbfkSno",
    "TagSet": []
}
Since this is an S3 bucket including an ACL and access for other AWS accounts, I suspect that the get_object_tagging function is missing the ExpectedBucketOwner parameter.
Issue Type
Bug Report
Component Name
s3_object
Ansible Version
$ ansible --version
ansible [core 2.15.6]
config file = /home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg
configured module search path = ['/home/dennis.hoppe.ext/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3/dist-packages/ansible
ansible collection location = /home/dennis.hoppe.ext/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/bin/ansible
python version = 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] (/usr/bin/python3)
jinja version = 3.0.3
libyaml = True
Collection Versions
$ ansible-galaxy collection list
# /usr/share/ansible/collections/ansible_collections
Collection Version
---------------------------------------- -------
amazon.aws 6.5.4
ansible.netcommon 5.3.0
ansible.posix 1.5.4
ansible.utils 3.1.0
ansible.windows 2.3.0
community.aws 6.4.0
community.crypto 2.19.1
community.docker 3.9.0
community.general 8.6.0
community.library_inventory_filtering_v1 1.0.1
community.windows 2.2.0
crowdstrike.falcon 4.4.0
AWS SDK versions
$ pip show boto boto3 botocore
Name: boto
Version: 2.49.0
Summary: Amazon Web Services Library
Home-page: https://github.com/boto/boto/
Author: Mitch Garnaat
Author-email: mitch@garnaat.com
License: MIT
Location: /usr/lib/python3/dist-packages
Requires:
Required-by:
---
Name: boto3
Version: 1.34.113
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /usr/local/lib/python3.10/dist-packages
Requires: botocore, jmespath, s3transfer
Required-by:
---
Name: botocore
Version: 1.34.113
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /usr/local/lib/python3.10/dist-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: boto3, s3transfer
Configuration
$ ansible-config dump --only-changed
ANSIBLE_FORCE_COLOR(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = True
CONFIG_FILE() = /home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg
DEFAULT_CALLBACK_PLUGIN_PATH(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = ['/usr/share/ansible/plugins/callback', '/home/dennis.hoppe.ext/bt-cloudops-ansible/plugins/c>
DEFAULT_FILTER_PLUGIN_PATH(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = ['/usr/share/ansible/plugins/filter', '/home/dennis.hoppe.ext/bt-cloudops-ansible/plugins/filte>
DEFAULT_FORKS(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = 50
DEFAULT_HOST_LIST(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = ['/home/dennis.hoppe.ext/bt-cloudops-ansible/aws_ec2.yml']
DEFAULT_LOAD_CALLBACK_PLUGINS(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = True
DEFAULT_ROLES_PATH(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = ['/home/dennis.hoppe.ext/bt-cloudops-ansible/roles']
DEFAULT_STDOUT_CALLBACK(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = community.general.yaml
DEFAULT_TIMEOUT(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = 30
DEFAULT_VARS_PLUGIN_PATH(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = ['/usr/share/ansible/plugins/vars', '/home/dennis.hoppe.ext/bt-cloudops-ansible/plugins/vars']
DEFAULT_VAULT_PASSWORD_FILE(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = /home/dennis.hoppe.ext/bt-cloudops-ansible/vault_pass.sh
DISPLAY_SKIPPED_HOSTS(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = False
INVENTORY_ENABLED(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = ['amazon.aws.aws_ec2', 'host_list']
WIN_ASYNC_STARTUP_TIMEOUT(/home/dennis.hoppe.ext/bt-cloudops-ansible/ansible.cfg) = 10
OS / Environment
Ubuntu 22.04
Steps to Reproduce
- name: Get presigned URL
  amazon.aws.s3_object:
    bucket: "{{ role_bt_common_get_packages_s3_bucket }}"
    object: "{{ role_bt_common_get_packages_s3_dir }}{{ local_bt_common_get_package_config.dir | default('') }}/{{ local_bt_common_get_package_config.file }}"
    version: "{{ local_bt_common_get_package_config.s3_version | default(omit) }}"
    region: "{{ role_bt_common_get_packages_s3_region }}"
    mode: geturl
  delegate_to: localhost
  register: result_s3_object
Expected Results
I expect to receive a presigned URL for a specific version of an S3 object.
Actual Results
The full traceback is:
Traceback (most recent call last):
  File "/home/dennis.hoppe.ext/.ansible/tmp/ansible-tmp-1716908566.518546-1479237-165880899412666/AnsiballZ_s3_object.py", line 107, in <module>
    _ansiballz_main()
  File "/home/dennis.hoppe.ext/.ansible/tmp/ansible-tmp-1716908566.518546-1479237-165880899412666/AnsiballZ_s3_object.py", line 99, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/home/dennis.hoppe.ext/.ansible/tmp/ansible-tmp-1716908566.518546-1479237-165880899412666/AnsiballZ_s3_object.py", line 47, in invoke_module
    runpy.run_module(mod_name='ansible_collections.amazon.aws.plugins.modules.s3_object', init_globals=dict(_module_fqn='ansible_collections.amazon.aws.plugins.modules.s3_object', _modlib_path=modlib_path),
  File "/usr/lib/python3.10/runpy.py", line 224, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib/python3.10/runpy.py", line 96, in _run_module_code
    _run_code(code, mod_globals, init_globals,
  File "/usr/lib/python3.10/runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 1535, in <module>
  File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 1522, in main
  File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 1262, in s3_object_do_geturl
  File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 952, in get_current_object_tags_dict
  File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/retries.py", line 105, in deciding_wrapper
  File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/cloud.py", line 119, in _retry_wrapper
  File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/cloud.py", line 68, in _retry_func
  File "/usr/local/lib/python3.10/dist-packages/botocore/client.py", line 565, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.10/dist-packages/botocore/client.py", line 1021, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GetObjectTagging operation: Access Denied
fatal: [i-05fbc5cb84deeea26_asg-metadefender-image-ubuntu22-mdtest-202405281455 -> localhost]: FAILED! => changed=false
  module_stderr: |-
    Traceback (most recent call last):
      File "/home/dennis.hoppe.ext/.ansible/tmp/ansible-tmp-1716908566.518546-1479237-165880899412666/AnsiballZ_s3_object.py", line 107, in <module>
        _ansiballz_main()
      File "/home/dennis.hoppe.ext/.ansible/tmp/ansible-tmp-1716908566.518546-1479237-165880899412666/AnsiballZ_s3_object.py", line 99, in _ansiballz_main
        invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
      File "/home/dennis.hoppe.ext/.ansible/tmp/ansible-tmp-1716908566.518546-1479237-165880899412666/AnsiballZ_s3_object.py", line 47, in invoke_module
        runpy.run_module(mod_name='ansible_collections.amazon.aws.plugins.modules.s3_object', init_globals=dict(_module_fqn='ansible_collections.amazon.aws.plugins.modules.s3_object', _modlib_path=modlib_path),
      File "/usr/lib/python3.10/runpy.py", line 224, in run_module
        return _run_module_code(code, init_globals, run_name, mod_spec)
      File "/usr/lib/python3.10/runpy.py", line 96, in _run_module_code
        _run_code(code, mod_globals, init_globals,
      File "/usr/lib/python3.10/runpy.py", line 86, in _run_code
        exec(code, run_globals)
      File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 1535, in <module>
      File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 1522, in main
      File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 1262, in s3_object_do_geturl
      File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 952, in get_current_object_tags_dict
      File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/retries.py", line 105, in deciding_wrapper
      File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/cloud.py", line 119, in _retry_wrapper
      File "/tmp/ansible_amazon.aws.s3_object_payload_d_78h5il/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/cloud.py", line 68, in _retry_func
      File "/usr/local/lib/python3.10/dist-packages/botocore/client.py", line 565, in _api_call
        return self._make_api_call(operation_name, kwargs)
      File "/usr/local/lib/python3.10/dist-packages/botocore/client.py", line 1021, in _make_api_call
        raise error_class(parsed_response, operation_name)
    botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GetObjectTagging operation: Access Denied
  module_stdout: ''
  msg: |-
    MODULE FAILURE
    See stdout/stderr for the exact error
  rc: 1
Code of Conduct
- I agree to follow the Ansible Code of Conduct
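To separate the two hypotheses in the report (a missing permission versus the module omitting ExpectedBucketOwner), here is an added diagnostic script; it is not code from the issue or from the amazon.aws collection. It repeats the call order the traceback shows (tag lookup in get_current_object_tags_dict, then the presigned URL) against either a real `boto3.client("s3")` or the constructed offline `StubS3`, and on a denied tag lookup reports which IAM action S3 evaluated, since a GetObjectTagging request carrying a VersionId is authorized against s3:GetObjectVersionTagging rather than s3:GetObjectTagging. The bucket, key and version id are those quoted in the report; `StubS3`, its allowed-action set and the dict shape returned by `presign_like_s3_object` are assumptions of this example.

```python
from typing import Optional

def required_tagging_action(version: Optional[str]) -> str:
    """IAM action S3 evaluates for GetObjectTagging: with a VersionId it is
    s3:GetObjectVersionTagging, without one s3:GetObjectTagging. A CLI check
    that omits --version-id therefore exercises only the latter."""
    return "s3:GetObjectVersionTagging" if version else "s3:GetObjectTagging"

def presign_like_s3_object(client, bucket: str, key: str, version: Optional[str] = None,
                           expected_owner: Optional[str] = None, expires: int = 600) -> dict:
    """Mirror s3_object mode=geturl as the traceback shows it: fetch the object's tags
    (get_current_object_tags_dict -> get_object_tagging) before presigning GetObject.
    Returns a dict instead of raising; client is a boto3 S3 client or StubS3 (constructed)."""
    params = {"Bucket": bucket, "Key": key}
    if version:
        params["VersionId"] = version
    if expected_owner:  # the parameter the report suspects the module omits
        params["ExpectedBucketOwner"] = expected_owner
    try:
        tags = client.get_object_tagging(**params)["TagSet"]
    except Exception as err:  # botocore ClientError carries the parsed error in .response
        code = getattr(err, "response", {}).get("Error", {}).get("Code", type(err).__name__)
        return {"ok": False, "failed_call": "GetObjectTagging", "error": code,
                "check_action": required_tagging_action(version)}
    # ExpectedBucketOwner is a request header and must not be signed into the URL.
    url_params = {k: v for k, v in params.items() if k != "ExpectedBucketOwner"}
    url = client.generate_presigned_url("get_object", Params=url_params, ExpiresIn=expires)
    return {"ok": True, "tags": {t["Key"]: t["Value"] for t in tags}, "url": url}

class StubS3:
    """Constructed stand-in for boto3.client("s3") so this runs offline; it authorizes
    the two calls the way IAM does, given a set of allowed actions."""
    def __init__(self, allowed_actions):
        self.allowed = set(allowed_actions)
    def get_object_tagging(self, **params):
        if required_tagging_action(params.get("VersionId")) not in self.allowed:
            err = Exception("An error occurred (AccessDenied) when calling the GetObjectTagging operation")
            err.response = {"Error": {"Code": "AccessDenied"}}  # same shape as botocore
            raise err
        return {"VersionId": params.get("VersionId", "null"), "TagSet": []}
    def generate_presigned_url(self, method, Params, ExpiresIn):
        return (f"https://{Params['Bucket']}.s3.amazonaws.com/{Params['Key']}"
                f"?versionId={Params.get('VersionId', 'null')}&X-Amz-Expires={ExpiresIn}")

if __name__ == "__main__":
    # Identity with only the unversioned tagging permission, like the reporter's CLI check.
    s3 = StubS3({"s3:GetObjectTagging"})
    key = "public/aws-cli/awscli-exe-linux-x86_64.zip"
    print(presign_like_s3_object(s3, "bt-installer", key))
    print(presign_like_s3_object(s3, "bt-installer", key, version="zpKl8rWJVw.dFnAm9fWzmpI4rDbfkSno"))
```

Run with a real client by replacing `StubS3(...)` with `boto3.client("s3")`; if the versioned call fails while the unversioned one succeeds, the `check_action` field names the policy statement to inspect before suspecting ExpectedBucketOwner.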
yarons commented
I'm also experiencing the same behavior, but even without specifying the version. Is there a way I can contribute to this issue?