Info: ec2_lb with access_key/secret_key specified but could not perform elasticloadbalancing:DescribeLoadBalancers


Steven Truong

Sep 9, 2014, 4:37:11 PM
to ansible...@googlegroups.com
Hi all,

I have a playbook that simply goes and adds instances to my ELB, but apparently the user's keys specified were not authorized to do "DescribeLoadBalancers".  This user has a policy attached to it that allows full access to this ELB.

Task:

  - name: Instance re-register
    local_action: ec2_elb ec2_elbs=steventest region=us-east-1 instance_id="{{ ansible_ec2_instance_id }}" state=present wait=yes wait_timeout=5 aws_access_key=A..... aws_secret_key=....sc enable_availability_zone=no


I got this error message.
  <Message>User: arn:aws:iam::123456789:user/elb_dedicated is not authorized to perform: elasticloadbalancing:DescribeLoadBalancers</Message>


Elastic Load Balancing does not support setting permissions for a user or a group to use the following APIs with a specific load balancer:

  • DescribeInstanceHealth

  • DescribeLoadBalancerAttributes

  • DescribeLoadBalancerPolicyTypes

  • DescribeLoadBalancers

  • DescribeLoadBalancerPolicies

  • DescribeTags

You can continue to use the Describe APIs in the Action element of the policy statement to grant access to all ELB load balancers. However, if you use the Describe APIs in the Action element and also specify a load balancer ARN in the Resource element, the API call will fail.


So ec2_elb will work when I do not specify the specific ELB in the resource.  This is the way AWS implemented access controls for ELBs, and Ansible is not at fault here.

Policy attached to AWS user elb_dedicated; currently, I allow all actions for this account on the steventest ELB.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "steventestelb",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:*"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:us-east-1:123456789:loadbalancer/steventest"
            ]
        }
    ]
}

So I removed all "Resource" and the final policy is this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "steventestelb",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:*"
      ]
    }
  ]
}

With this policy, I still got the same error.

failed: [ec2-54-80-.....compute-1.amazonaws.com -> 127.0.0.1] => {"failed": true, "parsed": false}
invalid output was: Traceback (most recent call last):
  File "/home/steven/.ansible/tmp/ansible-tmp-1410294577.11-237620736023803/ec2_elb", line 1874, in <module>
    main()
  File "/home/steven/.ansible/tmp/ansible-tmp-1410294577.11-237620736023803/ec2_elb", line 317, in main
    region=region, **aws_connect_params)
  File "/home/steven/.ansible/tmp/ansible-tmp-1410294577.11-237620736023803/ec2_elb", line 123, in __init__
    self.lbs = self._get_instance_lbs(ec2_elbs)
  File "/home/steven/.ansible/tmp/ansible-tmp-1410294577.11-237620736023803/ec2_elb", line 264, in _get_instance_lbs
    elbs = elb.get_all_load_balancers()
  File "/usr/local/lib/python2.7/dist-packages/boto/ec2/elb/__init__.py", line 135, in get_all_load_balancers
    [('member', LoadBalancer)])
  File "/usr/local/lib/python2.7/dist-packages/boto/connection.py", line 1166, in get_list
    raise self.ResponseError(response.status, response.reason, body)
boto.exception.BotoServerError: BotoServerError: 403 Forbidden
  <Error>
    <Type>Sender</Type>
    <Code>AccessDenied</Code>
    <Message>User: arn:aws:iam::123456789:user/elb_dedicated is not authorized to perform: elasticloadbalancing:DescribeLoadBalancers</Message>
  </Error>
  <RequestId>04bd7b0d-3860-11e4-8ac6-5fafa616e3b3</RequestId>
</ErrorResponse>


---

Please share with me how you've used ec2_elb to work with ELB in AWS.  This should not be a problem for me.
Steven.

Note: I have boto (2.32.1) on a Linux Mint 17.
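The post above quotes the AWS rule that the ELB Describe* APIs cannot be granted per load balancer, and the traceback shows why that matters here: this version of ec2_elb calls elb.get_all_load_balancers() with no name filter, so DescribeLoadBalancers has to be allowed on Resource "*" before the module can even look up steventest. The script below is an added example written for this thread (not Steven's code and not part of Ansible or boto): it scans an IAM policy document for ELB Describe actions that are only granted on a specific ARN, and rewrites the policy by adding a second statement that grants exactly those Describe actions on "*" while leaving the mutating actions pinned to the load balancer ARN. The policies are constructed from the two posted above; 123456789 is a placeholder account id, and a statement with no Resource element is treated as granting nothing, because identity-based policies require one.

```python
"""Find ELB Describe* grants that are scoped to a load balancer ARN (which AWS
ignores, producing the 403 in the thread) and add the unscoped statement that
makes them effective.

Added example for this thread; not code from the original posts or from Ansible.
"""
import copy
import fnmatch
import json

# The six Describe APIs the quoted AWS documentation lists as not supporting
# resource-level permissions.
DESCRIBE_ACTIONS = [
    "elasticloadbalancing:DescribeInstanceHealth",
    "elasticloadbalancing:DescribeLoadBalancerAttributes",
    "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeLoadBalancerPolicies",
    "elasticloadbalancing:DescribeTags",
]

# Constructed from the first policy in the post; 123456789 is a placeholder account id.
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "steventestelb",
            "Effect": "Allow",
            "Action": ["elasticloadbalancing:*"],
            "Resource": [
                "arn:aws:elasticloadbalancing:us-east-1:123456789:loadbalancer/steventest"
            ],
        }
    ],
}

# Constructed from the second policy in the post (Resource removed entirely).
NO_RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "steventestelb", "Effect": "Allow", "Action": ["elasticloadbalancing:*"]}
    ],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _describe_hits(stmt):
    """Describe actions this Allow statement's Action patterns cover."""
    if stmt.get("Effect") != "Allow":
        return set()
    patterns = _as_list(stmt.get("Action"))
    return {a for a in DESCRIBE_ACTIONS if any(_matches(p, a) for p in patterns)}


def find_scoped_describe(policy):
    """Return (Sid, action) pairs for Describe actions that are granted only by
    statements whose Resource is not '*'.  Those grants never take effect.
    A statement with no Resource is treated as covering nothing."""
    statements = policy.get("Statement", [])
    covered = set()  # Describe actions some statement already grants on '*'
    for stmt in statements:
        if "*" in _as_list(stmt.get("Resource")):
            covered |= _describe_hits(stmt)
    findings = []
    for stmt in statements:
        if "*" in _as_list(stmt.get("Resource")):
            continue
        hits = _describe_hits(stmt)
        for action in DESCRIBE_ACTIONS:  # fixed order keeps output deterministic
            if action in hits and action not in covered:
                findings.append((stmt.get("Sid", ""), action))
    return findings


def add_unscoped_describe(policy):
    """Return a copy of the policy with one extra statement granting the flagged
    Describe actions on Resource '*'.  The original scoped statement is kept, so
    mutating calls such as RegisterInstancesWithLoadBalancer stay limited to the
    named load balancer (least privilege); the input policy is not modified."""
    fixed = copy.deepcopy(policy)
    missing = []
    for _sid, action in find_scoped_describe(fixed):
        if action not in missing:
            missing.append(action)
    if missing:
        fixed["Statement"].append(
            {"Sid": "ElbDescribeUnscoped", "Effect": "Allow",
             "Action": missing, "Resource": "*"}
        )
    return fixed


if __name__ == "__main__":
    for name, pol in (("posted", POSTED_POLICY), ("no-resource", NO_RESOURCE_POLICY)):
        print(name, "ineffective Describe grants:", find_scoped_describe(pol))
    print(json.dumps(add_unscoped_describe(POSTED_POLICY), indent=2))
```

Running it against the first posted policy flags all six Describe actions under Sid steventestelb; the rewritten policy keeps elasticloadbalancing:* on the steventest ARN and adds the Describe actions on "*", after which the check reports nothing. The second posted policy, with Resource removed, is flagged as well, since nothing in it grants Describe on "*".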

Steven Truong

Sep 9, 2014, 5:35:58 PM
to ansible...@googlegroups.com
An interesting new development.  I removed aws_access_key and aws_secret_key from the ec2_elb task, created ~/.boto, and tried again.  This time things work.

[Credentials]
aws_access_key_id=...
aws_secret_access_key=...

Hmmm....