added account_alias in the response of module aws_caller_facts (#42345)

* added account_alias in the response of module aws_caller_facts

* added comment to explain list_account_aliases

* renamed caller_identity to caller_facts as the content is extended

* created changelog

* security-policy needs the iam:ListAccountAliases for this module to work

* test now checks for the added field account_alias

* gracefully handle missing iam:ListAccountAliases permission

changelogs/fragments/aws_caller_facts_add_account_alias.yaml

@@ -0,0 +1,3 @@
+---
+minor_changes:
+  - aws_caller_facts - The module now outputs the "account_alias" as well

hacking/aws_config/testing_policies/security-policy.json

@@ -12,7 +12,8 @@
                 "iam:ListPolicies",
                 "iam:ListRoles",
                 "iam:ListRolePolicies",
-                "iam:ListUsers"
+                "iam:ListUsers",
+                "iam:ListAccountAliases"
             ],
             "Resource": "*",
             "Effect": "Allow",

lib/ansible/modules/cloud/amazon/aws_caller_facts.py

@@ -17,7 +17,9 @@ description:
     - The primary use of this is to get the account id for templating into ARNs or similar to avoid needing to specify this information in inventory.
 version_added: "2.6"
 
-author: Ed Costello    (@orthanc)
+author:
+    - Ed Costello (@orthanc)
+    - Stijn Dubrul (@sdubrul)
 
 requirements: [ 'botocore', 'boto3' ]
 extends_documentation_fragment:
@@ -39,6 +41,11 @@ account:
     returned: success
     type: string
     sample: "123456789012"
+account_alias:
+    description: The account alias the access credentials are associated with.
+    returned: when caller has the iam:ListAccountAliases permission
+    type: string
+    sample: "acme-production"
 arn:
     description: The arn identifying the user the credentials are associated with.
     returned: success
@@ -71,15 +78,31 @@ def main():
     client = module.client('sts')
 
     try:
-        caller_identity = client.get_caller_identity()
-        caller_identity.pop('ResponseMetadata', None)
-        module.exit_json(
-            changed=False,
-            **camel_dict_to_snake_dict(caller_identity)
-        )
+        caller_facts = client.get_caller_identity()
+        caller_facts.pop('ResponseMetadata', None)
     except (BotoCoreError, ClientError) as e:
         module.fail_json_aws(e, msg='Failed to retrieve caller identity')
 
+    iam_client = module.client('iam')
+
+    try:
+        # Although a list is returned by list_account_aliases AWS supports maximum one alias per account.
+        # If an alias is defined it will be returned otherwise a blank string is filled in as account_alias.
+        # see https://docs.aws.amazon.com/cli/latest/reference/iam/list-account-aliases.html#output
+        response = iam_client.list_account_aliases()
+        if response and response['AccountAliases']:
+            caller_facts['account_alias'] = response['AccountAliases'][0]
+        else:
+            caller_facts['account_alias'] = ''
+    except (BotoCoreError, ClientError) as e:
+        # The iam:ListAccountAliases permission is required for this operation to succeed.
+        # Lacking this permission is handled gracefully by not returning the account_alias.
+        pass
+
+    module.exit_json(
+        changed=False,
+        **camel_dict_to_snake_dict(caller_facts))
+
 
 if __name__ == '__main__':
     main()

test/integration/targets/aws_caller_facts/tasks/main.yaml

@@ -3,7 +3,7 @@
     region: "{{ aws_region }}"
     aws_access_key: "{{ aws_access_key }}"
     aws_secret_key: "{{ aws_secret_key }}"
-    security_token: "{{security_token}}"
+    security_token: "{{ security_token }}"
   register: result
 
 - name: assert correct keys are returned
@@ -12,3 +12,4 @@
       - result.account is not none
       - result.arn is not none
       - result.user_id is not none
+      - result.account_alias is not none