aws_ec2 inventory plugin does not assume role before trying to find default regions #566

@jw-maynard

Description

Summary

In _boto3_conn the code that tries to get the default regions if the regions configuration is not set does not use the iam_role_arn configuration parameter to assume the role before trying to call DescribeRegions. While this isn't a problem per se, as the regions are the same no matter what role you're assuming, it could cause confusion if the role specified in iam_role_arn has the ec2:DescribeRegions IAM permission but the role that ansible-inventory is running as does not.

Issue Type

Bug Report

Component Name

aws_ec2 inventory plugin

Ansible Version

$ ansible --version
core 2.11.6.post0

Collection Versions

$ ansible-galaxy collection list

Not sure, running this in AWX

AWS SDK versions

$ pip show boto boto3 botocore

Not sure, running this in AWX

Configuration

$ ansible-config dump --only-changed

OS / Environment

Not sure, running this in AWX

Steps to Reproduce

  1. Create an IAM principal that does not have permission to call ec2:DescribeRegions.
  2. Create a role that does have ec2:DescribeRegions as well as the other IAM permissions required by the inventory plugin.
  3. Grant the principal created in 1 the ability to assume the role created in 2.
  4. Create an inventory configuration with iam_role_arn set to the role created in 2.
  5. Try to collect the inventory.

Expected Results

I expect that the plugin should use the role configured in iam_role_arn for all AWS API calls it needs to make, other than the obvious STS calls needed to assume that role.

Actual Results

[WARNING]:  * Failed to parse /runner/inventory/aws_ec2.yml with auto plugin:
An error occurred (UnauthorizedOperation) when calling the DescribeRegions
operation: You are not authorized to perform this operation.
  File "/usr/local/lib/python3.8/site-packages/ansible/inventory/manager.py", line 290, in parse_source
    plugin.parse(self._inventory, self._loader, source, cache=cache)
  File "/usr/local/lib/python3.8/site-packages/ansible/plugins/inventory/auto.py", line 58, in parse
    plugin.parse(inventory, loader, path, cache=cache)
  File "/usr/share/ansible/collections/ansible_collections/amazon/aws/plugins/inventory/aws_ec2.py", line 758, in parse
    results = self._query(regions, include_filters, exclude_filters, strict_permissions)
  File "/usr/share/ansible/collections/ansible_collections/amazon/aws/plugins/inventory/aws_ec2.py", line 610, in _query
    for i in self._get_instances_by_region(
  File "/usr/share/ansible/collections/ansible_collections/amazon/aws/plugins/inventory/aws_ec2.py", line 487, in _get_instances_by_region
    for connection, region in self._boto3_conn(regions):
  File "/usr/share/ansible/collections/ansible_collections/amazon/aws/plugins/inventory/aws_ec2.py", line 445, in _boto3_conn
    resp = client.describe_regions()
  File "/usr/local/lib/python3.8/site-packages/botocore/client.py", line 391, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.8/site-packages/botocore/client.py", line 719, in _make_api_call
    raise error_class(parsed_response, operation_name)
[WARNING]: Unable to parse /runner/inventory/aws_ec2.yml as an inventory source
ERROR! No inventory was parsed, please check your configuration and options.

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
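The region lookup the report describes, written the way the reporter expects it to behave, as an added example that is not the collection's own code: when regions is unset and iam_role_arn is configured, STS AssumeRole runs first and the returned credentials are what DescribeRegions is called with. `client_factory` stands in for `boto3.client`; the fake STS/EC2 clients, the role ARN and the region names below are constructed for the demonstration.

```python
from typing import Callable, Dict, List, Optional


def assume_role_credentials(sts_client, role_arn: str,
                            session_name: str = "ansible-inventory") -> Dict[str, str]:
    """Assume role_arn and return the credentials as boto3 client kwargs."""
    resp = sts_client.assume_role(RoleArn=role_arn, RoleSessionName=session_name)
    creds = resp["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def discover_regions(client_factory: Callable[..., object],
                     regions: Optional[List[str]],
                     iam_role_arn: Optional[str]) -> List[str]:
    """Return configured regions, or discover them with DescribeRegions.

    Unlike the behaviour in the report, the only call made as the base
    principal is sts:AssumeRole; DescribeRegions uses the assumed role.
    """
    if regions:
        return list(regions)
    creds: Dict[str, str] = {}
    if iam_role_arn:
        creds = assume_role_credentials(client_factory("sts"), iam_role_arn)
    ec2 = client_factory("ec2", region_name="us-east-1", **creds)
    return [r["RegionName"] for r in ec2.describe_regions()["Regions"]]


def try_discover(client_factory, regions, iam_role_arn):
    """Like discover_regions, but return the error text when the call is denied."""
    try:
        return discover_regions(client_factory, regions, iam_role_arn)
    except PermissionError as exc:
        return str(exc)


# Constructed fakes: the base principal lacks ec2:DescribeRegions, the role has it.
class _FakeSTS:
    def assume_role(self, RoleArn, RoleSessionName):
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret",
                                "SessionToken": "role-token"}}


class _FakeEC2:
    def __init__(self, session_token):
        self.session_token = session_token

    def describe_regions(self):
        if self.session_token != "role-token":
            raise PermissionError("UnauthorizedOperation: You are not authorized to perform this operation.")
        return {"Regions": [{"RegionName": "us-east-1"}, {"RegionName": "eu-west-1"}]}


def fake_client(service, **kwargs):
    """Stand-in for boto3.client(service, **kwargs)."""
    return _FakeSTS() if service == "sts" else _FakeEC2(kwargs.get("aws_session_token"))
```

With the fakes, calling `try_discover(fake_client, None, None)` reproduces the UnauthorizedOperation text from the report, while passing a role ARN returns the region list.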
