diff --git a/changelogs/fragments/fix-aws-plugin-credential-precedence.yaml b/changelogs/fragments/fix-aws-plugin-credential-precedence.yaml new file mode 100644 index 00000000000..7169ea6bfeb --- /dev/null +++ b/changelogs/fragments/fix-aws-plugin-credential-precedence.yaml @@ -0,0 +1,2 @@ +bugfixes: + - AWS plugins - before 2.8 the environment variable precedence was incorrectly reversed. diff --git a/lib/ansible/config/manager.py b/lib/ansible/config/manager.py index 42432a7fdea..ec3fc8e6014 100644 --- a/lib/ansible/config/manager.py +++ b/lib/ansible/config/manager.py @@ -399,9 +399,15 @@ class ConfigManager(object): if config in defs: # direct setting via plugin arguments, can set to None so we bypass rest of processing/defaults + direct_aliases = [] + if direct: + direct_aliases = [direct[alias] for alias in defs[config].get('aliases', []) if alias in direct] if direct and config in direct: value = direct[config] origin = 'Direct' + elif direct and direct_aliases: + value = direct_aliases[0] + origin = 'Direct' else: # Use 'variable overrides' if present, highest precedence, but only present when querying running play diff --git a/lib/ansible/plugins/doc_fragments/aws_credentials.py b/lib/ansible/plugins/doc_fragments/aws_credentials.py index 53107951950..ef37ca19326 100644 --- a/lib/ansible/plugins/doc_fragments/aws_credentials.py +++ b/lib/ansible/plugins/doc_fragments/aws_credentials.py @@ -6,7 +6,7 @@ class ModuleDocFragment(object): - # inventory cache + # Plugin options for AWS credentials DOCUMENTATION = r''' options: aws_profile: 
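Review bot: When `direct` carries both the canonical option name and one of its aliases, or two aliases, the added branches in `lib/ansible/config/manager.py` pick one value silently: `direct[config]` wins, otherwise `direct_aliases[0]` in the order the definition lists its aliases. For the credential options this commit moves onto aliases, that choice decides which AWS key pair or profile is used, so the conflict should be surfaced rather than resolved quietly. One way is to check `if direct_aliases and (config in direct or len(direct_aliases) > 1):` and warn or raise before a value is chosen. `origin = 'Direct'` also does not record that an alias supplied the value, which makes the selection harder to trace afterwards. The enclosing method starts and ends outside this hunk.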
@@ -14,33 +14,29 @@ options: type: str aliases: [ boto_profile ] env: - - name: AWS_PROFILE - name: AWS_DEFAULT_PROFILE + - name: AWS_PROFILE aws_access_key: description: The AWS access key to use. type: str + aliases: [ aws_access_key_id ] env: - - name: AWS_ACCESS_KEY_ID - - name: AWS_ACCESS_KEY - name: EC2_ACCESS_KEY + - name: AWS_ACCESS_KEY + - name: AWS_ACCESS_KEY_ID aws_secret_key: description: The AWS secret key that corresponds to the access key. type: str + aliases: [ aws_secret_access_key ] env: - - name: AWS_SECRET_ACCESS_KEY - - name: AWS_SECRET_KEY - name: EC2_SECRET_KEY + - name: AWS_SECRET_KEY + - name: AWS_SECRET_ACCESS_KEY aws_security_token: description: The AWS security token if using temporary access and secret keys. type: str env: - - name: AWS_SECURITY_TOKEN - - name: AWS_SESSION_TOKEN - name: EC2_SECURITY_TOKEN - region: - description: The region for which to create the connection. - type: str - env: - - name: AWS_REGION - - name: EC2_REGION + - name: AWS_SESSION_TOKEN + - name: AWS_SECURITY_TOKEN ''' diff --git a/lib/ansible/plugins/doc_fragments/aws_region.py b/lib/ansible/plugins/doc_fragments/aws_region.py new file mode 100644 index 00000000000..e214d78a2ef --- /dev/null +++ b/lib/ansible/plugins/doc_fragments/aws_region.py @@ -0,0 +1,18 @@ +# -*- coding: utf-8 -*- + +# Copyright: (c) 2017, Ansible Project +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + + +class ModuleDocFragment(object): + + # Plugin option for AWS region + DOCUMENTATION = r''' +options: + region: + description: The region for which to create the connection. + type: str + env: + - name: EC2_REGION + - name: AWS_REGION +''' diff --git a/lib/ansible/plugins/inventory/aws_ec2.py b/lib/ansible/plugins/inventory/aws_ec2.py index ffdf7e77145..9f877c86b85 100644 --- a/lib/ansible/plugins/inventory/aws_ec2.py +++ b/lib/ansible/plugins/inventory/aws_ec2.py 
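Review bot: The reordered `env:` lists in `aws_credentials.py` change which variable wins when more than one is exported, but neither the option descriptions nor a comment in the fragment states the rule. A host with both `EC2_ACCESS_KEY` and `AWS_ACCESS_KEY_ID` set can therefore start authenticating with a different key pair after the upgrade. Assuming the config loader lets the last listed entry win (the reordering and the changelog entry suggest this, but the hunk does not show it), I would add a YAML comment above the first `env:` list such as `# env entries are listed from lowest to highest precedence; the last one that is set wins`, and repeat the rule in the `aws_access_key` and `aws_secret_key` descriptions. Separately, `region` leaves this fragment and only `aws_account_attribute` gains `aws_region` in this diff; any other plugin that extends `aws_credentials` and reads `region` would need the same addition.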
@@ -14,6 +14,7 @@ DOCUMENTATION = ''' extends_documentation_fragment: - inventory_cache - constructed + - aws_credentials description: - Get inventory hosts from Amazon Web Services EC2. - Uses a YAML configuration file that ends with aws_ec2.(yml|yaml). @@ -25,34 +26,6 @@ DOCUMENTATION = ''' description: token that ensures this is a source file for the 'aws_ec2' plugin. required: True choices: ['aws_ec2'] - boto_profile: - description: - - The boto profile to use. - - This plugin supports boto3-style credentials, so the profile may be sourced from ~/.aws/config for assuming an IAM role. - - See U(https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html) for details. - env: - - name: AWS_PROFILE - - name: AWS_DEFAULT_PROFILE - aws_access_key_id: - description: The AWS access key to use. If you have specified a profile, you don't need to provide - an access key/secret key/session token. - env: - - name: AWS_ACCESS_KEY_ID - - name: AWS_ACCESS_KEY - - name: EC2_ACCESS_KEY - aws_secret_access_key: - description: The AWS secret key that corresponds to the access key. If you have specified a profile, - you don't need to provide an access key/secret key/session token. - env: - - name: AWS_SECRET_ACCESS_KEY - - name: AWS_SECRET_KEY - - name: EC2_SECRET_KEY - aws_security_token: - description: The AWS security token if using temporary access and secret keys. - env: - - name: AWS_SECURITY_TOKEN - - name: AWS_SESSION_TOKEN - - name: EC2_SECURITY_TOKEN regions: description: - A list of regions in which to describe EC2 instances. 
@@ -555,9 +528,9 @@ class InventoryModule(BaseInventoryPlugin, Constructable, Cacheable): :param config_data: contents of the inventory config file ''' - self.boto_profile = self.get_option('boto_profile') - self.aws_access_key_id = self.get_option('aws_access_key_id') - self.aws_secret_access_key = self.get_option('aws_secret_access_key') + self.boto_profile = self.get_option('aws_profile') + self.aws_access_key_id = self.get_option('aws_access_key') + self.aws_secret_access_key = self.get_option('aws_secret_key') self.aws_security_token = self.get_option('aws_security_token') if not self.boto_profile and not (self.aws_access_key_id and self.aws_secret_access_key): diff --git a/lib/ansible/plugins/inventory/aws_rds.py b/lib/ansible/plugins/inventory/aws_rds.py index f7ed34db711..517bed520e7 100644 --- a/lib/ansible/plugins/inventory/aws_rds.py +++ b/lib/ansible/plugins/inventory/aws_rds.py 
@@ -12,32 +12,6 @@ DOCUMENTATION = ''' - Get instances and clusters from Amazon Web Services RDS. - Uses a YAML configuration file that ends with aws_rds.(yml|yaml). options: - boto_profile: - description: The boto profile to use. The plugin will look for an instance role if no credentials - are provided. - env: - - name: AWS_PROFILE - - name: AWS_DEFAULT_PROFILE - aws_access_key_id: - description: The AWS access key to use. If you have specified a profile, you don't need to provide - an access key/secret key/session token. - env: - - name: AWS_ACCESS_KEY_ID - - name: AWS_ACCESS_KEY - - name: EC2_ACCESS_KEY - aws_secret_access_key: - description: The AWS secret key that corresponds to the access key. If you have specified a profile, - you don't need to provide an access key/secret key/session token. - env: - - name: AWS_SECRET_ACCESS_KEY - - name: AWS_SECRET_KEY - - name: EC2_SECRET_KEY - aws_security_token: - description: The AWS security token if using temporary access and secret keys. - env: - - name: AWS_SECURITY_TOKEN - - name: AWS_SESSION_TOKEN - - name: EC2_SECURITY_TOKEN regions: description: A list of regions in which to describe RDS instances and clusters. Available regions are listed here U(https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html) @@ -65,6 +39,7 @@ DOCUMENTATION = ''' extends_documentation_fragment: - inventory_cache - constructed + - aws_credentials requirements: - boto3 - botocore 
@@ -271,9 +246,9 @@ class InventoryModule(BaseInventoryPlugin, Constructable, Cacheable): ''' :param config_data: contents of the inventory config file ''' - self.boto_profile = self.get_option('boto_profile') - aws_access_key_id = self.get_option('aws_access_key_id') - aws_secret_access_key = self.get_option('aws_secret_access_key') + self.boto_profile = self.get_option('aws_profile') + aws_access_key_id = self.get_option('aws_access_key') + aws_secret_access_key = self.get_option('aws_secret_key') aws_security_token = self.get_option('aws_security_token') if not self.boto_profile and not (aws_access_key_id and aws_secret_access_key): diff --git a/lib/ansible/plugins/lookup/aws_account_attribute.py b/lib/ansible/plugins/lookup/aws_account_attribute.py index a3e4fe07799..23f311da423 100644 --- a/lib/ansible/plugins/lookup/aws_account_attribute.py +++ b/lib/ansible/plugins/lookup/aws_account_attribute.py @@ -13,6 +13,7 @@ requirements: - botocore extends_documentation_fragment: - aws_credentials + - aws_region short_description: Look up AWS account attributes. description: - Describes attributes of your AWS account. You can specify one of the listed diff --git a/test/units/plugins/inventory/test_aws_ec2.py b/test/units/plugins/inventory/test_aws_ec2.py index dfed6684d40..4550f63c29c 100644 --- a/test/units/plugins/inventory/test_aws_ec2.py +++ b/test/units/plugins/inventory/test_aws_ec2.py @@ -129,9 +129,9 @@ def test_get_boto_attr_chain(inventory): def test_boto3_conn(inventory): - inventory._options = {"boto_profile": "first_precedence", - "aws_access_key_id": "test_access_key", - "aws_secret_access_key": "test_secret_key", + inventory._options = {"aws_profile": "first_precedence", + "aws_access_key": "test_access_key", + "aws_secret_key": "test_secret_key", "aws_security_token": "test_security_token"} inventory._set_credentials() with pytest.raises(AnsibleError) as error_message: 
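Review bot: The updated `test_boto3_conn` in `test_aws_ec2.py` writes the canonical names straight into `inventory._options`, so the legacy keys that existing inventory files carry (`boto_profile`, `aws_access_key_id`, `aws_secret_access_key`) and the new alias branch in `ConfigManager` are never exercised. The same holds for the `test_set_credentials` and `test_insufficient_credentials` hunks that follow. I would add a case that resolves the option through the config manager with only an alias supplied, e.g. `direct={'aws_access_key_id': 'test_access_key'}`, and one with both the alias and `aws_access_key` present, asserting which value is selected. Without these, a regression in alias handling would surface only as the insufficient-credentials error, or as a fallback to whatever credentials the environment provides.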
@@ -151,10 +151,10 @@ def test_get_hostname(inventory): def test_set_credentials(inventory): - inventory._options = {'aws_access_key_id': 'test_access_key', - 'aws_secret_access_key': 'test_secret_key', + inventory._options = {'aws_access_key': 'test_access_key', + 'aws_secret_key': 'test_secret_key', 'aws_security_token': 'test_security_token', - 'boto_profile': 'test_profile'} + 'aws_profile': 'test_profile'} inventory._set_credentials() assert inventory.boto_profile == "test_profile" @@ -165,10 +165,10 @@ def test_set_credentials(inventory): def test_insufficient_credentials(inventory): inventory._options = { - 'aws_access_key_id': None, - 'aws_secret_access_key': None, + 'aws_access_key': None, + 'aws_secret_key': None, 'aws_security_token': None, - 'boto_profile': None + 'aws_profile': None } with pytest.raises(AnsibleError) as error_message: inventory._set_credentials()