credentials problem when running ansible-pull from cron


Nicolas G

Nov 29, 2013, 12:19:52 PM
to ansible...@googlegroups.com
Hi All,

This is a simple playbook I have to test the S3 module which is working fine but I'm having problems when I run the same in pull mode from cron:

# s3example.yml
---
- hosts: localhost
  connection: local
  user: root
  tasks:
    - name: download file from s3
      s3: bucket=my-bucket object=packages/my-package.tar.gz dest=/my-package.tar.gz mode=get
      
  

# Ansible push works OK, the files get downloaded from S3
ansible-playbook zabbix-agent.yml


# manually running the same playbook in pull mode also works OK
ansible-pull -U g...@github.com:my-company/myRepo.git -d /tmp/testing -o --checkout=test s3example.yml


# The problem is when using ansible-pull from cron
# /etc/cron.d/ansible-pull :
*/5 * * * * root source /opt/ansible/hacking/env-setup  >& /dev/null; ansible-pull -U g...@github.com:my-company/myRepo.git -d /tmp/testing -o --checkout=test s3example.yml >>/var/log/test-ansible-pull.log 2>&1


# this is what I see in /var/log/test-ansible-pull.log
TASK: [ download file from s3] **************************************
failed: [localhost] => {"failed": true}
msg: No handler was ready to authenticate. 1 handlers were checked. ['HmacAuthV1Handler'] Check your credentials

FATAL: all hosts have already failed -- aborting

This is happening in ansible 1.5 (devel 44ca015d87) last updated 2013/11/29 11:20:12 (GMT +000) .

I have AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY defined in my ~/.bashrc.

Any clue?

Thanks in advance,
Nicolas.

Krzysztof Warzecha

Dec 3, 2013, 11:32:30 AM
to ansible...@googlegroups.com
~/.bashrc will not be sourced from a cron task. .bashrc is sourced only
when bash is started as an interactive shell (see man bash), but cron
tasks are started with sh -c (neither bash nor interactive).

You can source your .bashrc manually or you can set up your
AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY:

*/5 * * * * ...; AWS_ACCESS_KEY_ID=id AWS_SECRET_ACCESS_KEY=secret ansible-pull ...

or:

*/5 * * * * ...; source /path/to/your/.bashrc; ansible-pull ...

--
Krzysztof Warzecha
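
Added example (not part of the thread and not any poster's code): a shell script that reproduces the diagnosis above by running a command in a cron-like environment, then loads the two AWS variables from an owner-only file, a variant of the "source a file" suggestion that keeps the secret off the crontab line. Function names, file names and key values are constructed; the cron environment is an approximation.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, file names and key
# values are constructed for illustration.

# Run a command roughly the way cron does: a near-empty environment and a
# non-interactive "/bin/sh -c", so ~/.bashrc is never read.
run_like_cron() {  # usage: run_like_cron HOME_DIR COMMAND
    env -i HOME="$1" LOGNAME="$(id -un)" PATH=/usr/bin:/bin SHELL=/bin/sh \
        /bin/sh -c "$2"
}

# Export only the two AWS variables from a KEY=VALUE file, and only if the
# file is private to its owner (mode 600 or 400). The file is parsed, not
# sourced, so nothing in it is executed.
load_aws_env() {  # usage: load_aws_env FILE
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1") || return 1
    case $mode in
        600|400) ;;
        *) echo "refusing $1: mode $mode is not owner-only" >&2; return 1 ;;
    esac
    while IFS='=' read -r key value; do
        case $key in
            AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY) export "$key=$value" ;;
        esac
    done < "$1"
}

# Constructed demo: a throwaway HOME whose .bashrc exports a fake key.
demo() {
    home=$(mktemp -d) || return 1
    echo 'export AWS_ACCESS_KEY_ID=EXAMPLE-ID-FROM-BASHRC' > "$home/.bashrc"
    printf 'AWS_ACCESS_KEY_ID=EXAMPLE-ID-FROM-FILE\nAWS_SECRET_ACCESS_KEY=example-secret\n' \
        > "$home/aws.env"
    chmod 600 "$home/aws.env"
    # 1) what a cron job sees when the credentials live only in .bashrc
    echo "bashrc only: $(run_like_cron "$home" 'echo "${AWS_ACCESS_KEY_ID:-unset}"')"
    # 2) after loading the owner-only file in the job's own shell
    ( unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
      load_aws_env "$home/aws.env" && echo "env file: $AWS_ACCESS_KEY_ID" )
    chmod 644 "$home/aws.env"
    # 3) the same file once it is world-readable
    ( load_aws_env "$home/aws.env" 2>/dev/null || echo "world-readable: refused" )
    rm -rf "$home"
}

demo
```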

Nicolas G.

Dec 4, 2013, 5:46:14 AM
to ansible...@googlegroups.com
Thanks for the reply Krzysztof.

The problem is I'm using this approach on new Amazon EC2 instances, and the only thing I have baked into the AMI, along with the Ansible installation and the ansible-pull cron, is the ssh git in order to access the git server.

Therefore the AWS credentials are being checked out from git after the cronjob starts, so I can't know or specify them before the cronjob. As a temporary solution I have the AWS credentials in every S3 task as an argument, but I still don't think this is the best way to do it.








James Tanner

Dec 4, 2013, 8:53:12 AM
to ansible...@googlegroups.com
There are a couple ways to provide credentials to the ec2 modules / boto ... https://gist.github.com/jctanner/7467100#credentials

1) IAM roles
2) boto config files
3) create vars via the password lookup http://www.ansibleworks.com/docs/playbooks_lookups.html#the-password-lookup