community.aws.aws_ssm connection does not change the user #1980

AlexanderNtk opened this issue Oct 24, 2023 · 1 comment
AlexanderNtk commented Oct 24, 2023

Summary

community.aws.aws_ssm does not change the user to ubuntu.
It successfully changes the user to root, www-data, nobody.
In the logs it is clearly visible that it does not apply sudo -u ubuntu as it should.

Issue Type

Bug Report

Component Name

community.aws.aws_ssm

Ansible Version

$ ansible --version

ansible [core 2.15.5]
  config file = /home/ubuntu/actions-runner/_work/ansible/ansible/ansible.cfg
  configured module search path = ['/home/ubuntu/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ubuntu/.local/lib/python3.10/site-packages/ansible
  ansible collection location = /home/ubuntu/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/ubuntu/.local/bin/ansible
  python version = 3.10.12 (main, Jun 11 2023, 05:26:28) [GCC 11.4.0] (/usr/bin/python3)
  jinja version = 3.0.3
  libyaml = True

Collection Versions

$ ansible-galaxy collection list
# /home/ubuntu/.ansible/collections/ansible_collections
Collection                    Version
----------------------------- -------
amazon.aws                    6.5.0  
community.aws                 6.4.0  
community.docker              3.4.3  
community.grafana             1.5.4  
community.postgresql          2.3.2  

# /home/ubuntu/.local/lib/python3.10/site-packages/ansible_collections
Collection                    Version
----------------------------- -------
amazon.aws                    6.5.0  
ansible.netcommon             5.2.0  
ansible.posix                 1.5.4  
ansible.utils                 2.11.0 
ansible.windows               1.14.0 
arista.eos                    6.1.2  
awx.awx                       22.7.0 
azure.azcollection            1.18.1 
check_point.mgmt              5.1.1  
chocolatey.chocolatey         1.5.1  
cisco.aci                     2.7.0  
cisco.asa                     4.0.2  
cisco.dnac                    6.7.5  
cisco.intersight              1.0.27 
cisco.ios                     4.6.1  
cisco.iosxr                   5.0.3  
cisco.ise                     2.5.16 
cisco.meraki                  2.16.5 
cisco.mso                     2.5.0  
cisco.nso                     1.0.3  
cisco.nxos                    4.4.0  
cisco.ucs                     1.10.0 
cloud.common                  2.1.4  
cloudscale_ch.cloud           2.3.1  
community.aws                 6.3.0  
community.azure               2.0.0  
community.ciscosmb            1.0.6  
community.crypto              2.15.1 
community.digitalocean        1.24.0 
community.dns                 2.6.2  
community.docker              3.4.9  
community.fortios             1.0.0  
community.general             7.5.0  
community.google              1.0.0  
community.grafana             1.5.4  
community.hashi_vault         5.0.0  
community.hrobot              1.8.1  
community.libvirt             1.3.0  
community.mongodb             1.6.3  
community.mysql               3.7.2  
community.network             5.0.0  
community.okd                 2.3.0  
community.postgresql          2.4.3  
community.proxysql            1.5.1  
community.rabbitmq            1.2.3  
community.routeros            2.10.0 
community.sap                 1.0.0  
community.sap_libs            1.4.1  
community.skydive             1.0.0  
community.sops                1.6.6  
community.vmware              3.10.0 
community.windows             1.13.0 
community.zabbix              2.1.0  
containers.podman             1.10.3 
cyberark.conjur               1.2.2  
cyberark.pas                  1.0.23 
dellemc.enterprise_sonic      2.2.0  
dellemc.openmanage            7.6.1  
dellemc.powerflex             1.9.0  
dellemc.unity                 1.7.1  
f5networks.f5_modules         1.26.0 
fortinet.fortimanager         2.2.1  
fortinet.fortios              2.3.2  
frr.frr                       2.0.2  
gluster.gluster               1.0.2  
google.cloud                  1.2.0  
grafana.grafana               2.2.3  
hetzner.hcloud                1.16.0 
hpe.nimble                    1.1.4  
ibm.qradar                    2.1.0  
ibm.spectrum_virtualize       1.12.0 
infinidat.infinibox           1.3.12 
infoblox.nios_modules         1.5.0  
inspur.ispim                  1.3.0  
inspur.sm                     2.3.0  
junipernetworks.junos         5.3.0  
kubernetes.core               2.4.0  
lowlydba.sqlserver            2.2.1  
microsoft.ad                  1.3.0  
netapp.aws                    21.7.0 
netapp.azure                  21.10.0
netapp.cloudmanager           21.22.0
netapp.elementsw              21.7.0 
netapp.ontap                  22.7.0 
netapp.storagegrid            21.11.1
netapp.um_info                21.8.0 
netapp_eseries.santricity     1.4.0  
netbox.netbox                 3.14.0 
ngine_io.cloudstack           2.3.0  
ngine_io.exoscale             1.1.0  
ngine_io.vultr                1.1.3  
openstack.cloud               2.1.0  
openvswitch.openvswitch       2.1.1  
ovirt.ovirt                   3.2.0  
purestorage.flasharray        1.21.0 
purestorage.flashblade        1.14.0 
purestorage.fusion            1.6.0  
sensu.sensu_go                1.14.0 
servicenow.servicenow         1.0.6  
splunk.es                     2.1.0  
t_systems_mms.icinga_director 1.33.1 
telekom_mms.icinga_director   1.34.1 
theforeman.foreman            3.14.0 
vmware.vmware_rest            2.3.1  
vultr.cloud                   1.10.0 
vyos.vyos                     4.1.0  
wti.remote                    1.0.5  

# /usr/lib/python3/dist-packages/ansible_collections
Collection                    Version
----------------------------- -------
amazon.aws                    1.4.0  
ansible.netcommon             1.5.0  
ansible.posix                 1.1.1  
ansible.windows               1.4.0  
arista.eos                    1.3.0  
awx.awx                       14.1.0 
azure.azcollection            1.4.0  
check_point.mgmt              1.0.6  
chocolatey.chocolatey         1.0.2  
cisco.aci                     1.1.1  
cisco.asa                     1.0.4  
cisco.intersight              1.0.10 
cisco.ios                     1.3.0  
cisco.iosxr                   1.2.1  
cisco.meraki                  2.2.0  
cisco.mso                     1.1.0  
cisco.nso                     1.0.3  
cisco.nxos                    1.4.0  
cisco.ucs                     1.6.0  
cloudscale_ch.cloud           1.3.1  
community.aws                 1.3.0  
community.azure               1.0.0  
community.crypto              1.4.0  
community.digitalocean        1.0.0  
community.docker              1.2.2  
community.fortios             1.0.0  
community.general             1.3.6  
community.google              1.0.0  
community.grafana             1.1.0  
community.hashi_vault         1.1.0  
community.hrobot              1.1.0  
community.kubernetes          1.1.1  
community.kubevirt            1.0.0  
community.libvirt             1.0.0  
community.mongodb             1.2.0  
community.mysql               1.2.0  
community.network             1.3.2  
community.okd                 1.0.0  
community.postgresql          1.1.1  
community.proxysql            1.0.0  
community.rabbitmq            1.0.1  
community.routeros            1.1.0  
community.skydive             1.0.0  
community.vmware              1.7.0  
community.windows             1.3.0  
community.zabbix              1.2.0  
containers.podman             1.4.1  
cyberark.conjur               1.1.0  
cyberark.pas                  1.0.5  
dellemc.os10                  1.0.2  
dellemc.os6                   1.0.6  
dellemc.os9                   1.0.3  
f5networks.f5_modules         1.7.1  
fortinet.fortimanager         1.0.5  
fortinet.fortios              1.1.8  
frr.frr                       1.0.3  
gluster.gluster               1.0.1  
google.cloud                  1.0.2  
hetzner.hcloud                1.2.1  
ibm.qradar                    1.0.3  
infinidat.infinibox           1.2.4  
junipernetworks.junos         1.3.0  
mellanox.onyx                 1.0.0  
netapp.aws                    20.9.0 
netapp.elementsw              20.11.0
netapp.ontap                  20.12.0
netapp_eseries.santricity     1.1.0  
netbox.netbox                 1.2.1  
ngine_io.cloudstack           1.2.0  
ngine_io.exoscale             1.0.0  
ngine_io.vultr                1.1.0  
openstack.cloud               1.2.1  
openvswitch.openvswitch       1.1.0  
ovirt.ovirt                   1.3.0  
purestorage.flasharray        1.6.2  
purestorage.flashblade        1.4.0  
servicenow.servicenow         1.0.4  
splunk.es                     1.0.2  
theforeman.foreman            1.5.1  
vyos.vyos                     1.1.1  
wti.remote                    1.0.1

AWS SDK versions

$ pip show boto boto3 botocore
Name: boto
Version: 2.49.0
Summary: Amazon Web Services Library
Home-page: https://github.com/boto/boto/
Author: Mitch Garnaat
Author-email: [email protected]
License: MIT
Location: /usr/local/lib/python3.10/dist-packages
Requires: 
Required-by: 
---
Name: boto3
Version: 1.28.69
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email: 
License: Apache License 2.0
Location: /home/ubuntu/.local/lib/python3.10/site-packages
Requires: botocore, jmespath, s3transfer
Required-by: 
---
Name: botocore
Version: 1.31.69
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email: 
License: Apache License 2.0
Location: /home/ubuntu/.local/lib/python3.10/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: boto3, s3transfer

Configuration

$ ansible-config dump --only-changed
CONFIG_FILE() = /home/ubuntu/actions-runner/_work/ansible/ansible/ansible.cfg
DEFAULT_ROLES_PATH(/home/ubuntu/actions-runner/_work/ansible/ansible/ansible.cfg) = ['/home/ubuntu/actions-runner/_work/ansible/ansible/roles']
HOST_KEY_CHECKING(/home/ubuntu/actions-runner/_work/ansible/ansible/ansible.cfg) = False
INTERPRETER_PYTHON(/home/ubuntu/actions-runner/_work/ansible/ansible/ansible.cfg) = auto

OS / Environment

Operating System: Ubuntu 22.04.3 LTS
Kernel: Linux 5.19.0-1025-aws
Architecture: x86-64

Steps to Reproduce

- name: "Check names"
  hosts: sentries
  gather_facts: no

  tasks:
    - name: Test 1
      become: true
      become_user: "{{ bin_username }}"
      ansible.builtin.command: "whoami"
      
    - name: Test 1.2
      become: true
      become_user: "{{ bin_username }}"
      ansible.builtin.command: "echo {{ bin_username }}"

    - name: Test 2
      become: true
      become_user: root
      ansible.builtin.command: "whoami"

    - name: Test 3
      become: true
      become_user: ubuntu
      ansible.builtin.command: "whoami"

    - name: Test 4
      become: true
      become_user: nobody
      ansible.builtin.command: "whoami"

    - name: Test 4
      become: true
      become_user: www-data
      ansible.builtin.command: "whoami"   

Expected Results

TASK [Test 1] ******************************************************************
changed: [sentry_1] => {
    "changed": true,
    "cmd": [
        "whoami"
    ],
    "delta": "0:00:00.004309",
    "end": "2023-10-24 14:03:28.813178",
    "invocation": {
        "module_args": {
            "_raw_params": "whoami",
            "_uses_shell": false,
            "argv": null,
            "chdir": null,
            "creates": null,
            "executable": null,
            "removes": null,
            "stdin": null,
            "stdin_add_newline": true,
            "strip_empty_ends": true
        }
    },
    "msg": "",
    "rc": 0,
    "start": "2023-10-24 14:03:28.808869",
    "stderr": "",
    "stderr_lines": [],
    "stdout": "ssm-user",
    "stdout_lines": [
        "ubuntu"
    ]
}

Actual Results

TASK [Test 1] ******************************************************************
<i-05cc610c9a2419e62> ESTABLISH SSM CONNECTION TO: i-05cc610c9a2419e62
<i-0574c0de0e7d4c9e9> ESTABLISH SSM CONNECTION TO: i-0574c0de0e7d4c9e9
<i-0574c0de0e7d4c9e9> EXEC: ( umask 77 && mkdir -p "` echo /tmp/.ansible/tmp/ `"&& mkdir "` echo /tmp/.ansible/tmp/ansible-tmp-1698156205.3669071-8343-231094560590991 `" && echo ansible-tmp-1698156205.3669071-8343-231094560590991="` echo /tmp/.ansible/tmp/ansible-tmp-1698156205.3669071-8343-231094560590991 `" )
<i-05cc610c9a2419e62> EXEC: ( umask 77 && mkdir -p "` echo /tmp/.ansible/tmp/ `"&& mkdir "` echo /tmp/.ansible/tmp/ansible-tmp-1698156205.3249717-8341-270228630598681 `" && echo ansible-tmp-1698156205.3249717-8341-270228630598681="` echo /tmp/.ansible/tmp/ansible-tmp-1698156205.3249717-8341-270228630598681 `" )
Using module file /home/ubuntu/.local/lib/python3.10/site-packages/ansible/modules/command.py
<i-0574c0de0e7d4c9e9> PUT /home/ubuntu/.ansible/tmp/ansible-local-8337duiu9xri/tmpz14vwcgu TO /tmp/.ansible/tmp/ansible-tmp-1698156205.3669071-8343-231094560590991/AnsiballZ_command.py
Using module file /home/ubuntu/.local/lib/python3.10/site-packages/ansible/modules/command.py
<i-05cc610c9a2419e62> PUT /home/ubuntu/.ansible/tmp/ansible-local-8337duiu9xri/tmpjak6wd0t TO /tmp/.ansible/tmp/ansible-tmp-1698156205.3249717-8341-270228630598681/AnsiballZ_command.py
<i-05cc610c9a2419e62> EXEC: curl -o '/tmp/.ansible/tmp/ansible-tmp-1698156205.3249717-8341-270228630598681/AnsiballZ_command.py' 'https://s3.amazonaws.com/sharedbucket-file-transfer-605891412207-us-east-1/i-05cc610c9a2419e62//tmp/.ansible/tmp/ansible-tmp-1698156205.3249717-8341-270228630598681/AnsiballZ_command.py?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=***%2F20231024%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231024T140327Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=***&X-Amz-Signature=3ea79f824063aa38a3a141e1050dfbdb2f92ade8b91d6ef688fb477cc87253d1'
<i-0574c0de0e7d4c9e9> EXEC: curl -o '/tmp/.ansible/tmp/ansible-tmp-1698156205.3669071-8343-231094560590991/AnsiballZ_command.py' 'https://s3.amazonaws.com/sharedbucket-file-transfer-605891412207-us-east-1/i-0574c0de0e7d4c9e9//tmp/.ansible/tmp/ansible-tmp-1698156205.3669071-8343-231094560590991/AnsiballZ_command.py?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=***%2F20231024%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231024T140327Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=***&X-Amz-Signature=cb2a93f16a5a0cc9ca806e7def30e202092f87e2a88e80b6d3b5741edfec2215'
<i-05cc610c9a2419e62> EXEC: touch '/tmp/.ansible/tmp/ansible-tmp-1698156205.3249717-8341-270228630598681/AnsiballZ_command.py'
<i-05cc610c9a2419e62> EXEC: chmod u+x /tmp/.ansible/tmp/ansible-tmp-1698156205.3249717-8341-270228630598681/ /tmp/.ansible/tmp/ansible-tmp-1698156205.3249717-8341-270228630598681/AnsiballZ_command.py
<i-05cc610c9a2419e62> EXEC: /usr/bin/python3 /tmp/.ansible/tmp/ansible-tmp-1698156205.3249717-8341-270228630598681/AnsiballZ_command.py
<i-0574c0de0e7d4c9e9> EXEC: touch '/tmp/.ansible/tmp/ansible-tmp-1698156205.3669071-8343-231094560590991/AnsiballZ_command.py'
<i-0574c0de0e7d4c9e9> EXEC: chmod u+x /tmp/.ansible/tmp/ansible-tmp-1698156205.3669071-8343-231094560590991/ /tmp/.ansible/tmp/ansible-tmp-1698156205.3669071-8343-231094560590991/AnsiballZ_command.py
<i-0574c0de0e7d4c9e9> EXEC: /usr/bin/python3 /tmp/.ansible/tmp/ansible-tmp-1698156205.3669071-8343-231094560590991/AnsiballZ_command.py
<i-05cc610c9a2419e62> EXEC: rm -f -r /tmp/.ansible/tmp/ansible-tmp-1698156205.3249717-8341-270228630598681/ > /dev/null 2>&1
<i-05cc610c9a2419e62> CLOSING SSM CONNECTION TO: i-05cc610c9a2419e62
changed: [sentry_1] => {
    "changed": true,
    "cmd": [
        "whoami"
    ],
    "delta": "0:00:00.004309",
    "end": "2023-10-24 14:03:28.813178",
    "invocation": {
        "module_args": {
            "_raw_params": "whoami",
            "_uses_shell": false,
            "argv": null,
            "chdir": null,
            "creates": null,
            "executable": null,
            "removes": null,
            "stdin": null,
            "stdin_add_newline": true,
            "strip_empty_ends": true
        }
    },
    "msg": "",
    "rc": 0,
    "start": "2023-10-24 14:03:28.808869",
    "stderr": "",
    "stderr_lines": [],
    "stdout": "ssm-user",
    "stdout_lines": [
        "ssm-user"
    ]
}

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
@jordanjthomas

@AlexanderNtk Did you ever find an answer to this one? I can't even get a single task to become 'root' once SSM'd into a host: it just remains as 'ssm-user'. This is with stating 'become: true:' and 'become_user: root'.
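
The check both posts above make by eye, whether the become wrapper reached the module invocation in the `-vvv` output, written as an added example that is not part of the issue thread or of the collection's code. The log excerpt is constructed in the shape of the output quoted in the report; the `sudo ... -u <user> ... BECOME-SUCCESS-` wrapper is the form Ansible's sudo become plugin emits, and `audit_become`, the instance ID, the temp paths and the expected-user map are assumptions.

```python
import re

TASK_RE = re.compile(r"^TASK \[(?P<name>.+?)\] \*+")
EXEC_RE = re.compile(r"^<(?P<host>[^>]+)> EXEC: (?P<cmd>.+)$")
# Matches only the line that runs the module, not the touch/chmod/curl/rm steps.
MODULE_RUN_RE = re.compile(r"python[\d.]*\s+\S*AnsiballZ_\w+\.py")
SUDO_USER_RE = re.compile(r"\bsudo\b.*?\s-u\s+(?P<user>[\w.-]+)")

# Constructed -vvv excerpt; the instance ID and temp paths are placeholders.
SAMPLE_LOG = """\
TASK [Test 2] ******************************************************************
<i-0000000000example> EXEC: chmod u+x /tmp/.ansible/tmp/t1/ /tmp/.ansible/tmp/t1/AnsiballZ_command.py
<i-0000000000example> EXEC: sudo -H -S -n  -u root /bin/sh -c 'echo BECOME-SUCCESS-abcdefgh ; /usr/bin/python3 /tmp/.ansible/tmp/t1/AnsiballZ_command.py'
TASK [Test 3] ******************************************************************
<i-0000000000example> EXEC: chmod u+x /tmp/.ansible/tmp/t2/ /tmp/.ansible/tmp/t2/AnsiballZ_command.py
<i-0000000000example> EXEC: /usr/bin/python3 /tmp/.ansible/tmp/t2/AnsiballZ_command.py
"""

# become_user each task asked for (taken from the playbook by hand here).
EXPECTED = {"Test 2": "root", "Test 3": "ubuntu"}


def audit_become(log_text, expected):
    """Return (task, host, wanted_user, seen_user) for every module run whose
    command line does not carry a sudo wrapper for the requested user.
    seen_user is None when no become wrapper is present at all."""
    findings, task = [], None
    for line in log_text.splitlines():
        m = TASK_RE.match(line)
        if m:
            task = m.group("name")
            continue
        m = EXEC_RE.match(line)
        if not m or task not in expected:
            continue
        cmd = m.group("cmd")
        if not MODULE_RUN_RE.search(cmd):
            continue
        su = SUDO_USER_RE.search(cmd)
        # Require the success marker too, so a stray "sudo" string is not enough.
        seen = su.group("user") if su and "BECOME-SUCCESS-" in cmd else None
        if seen != expected[task]:
            findings.append((task, m.group("host"), expected[task], seen))
    return findings


if __name__ == "__main__":
    for task, host, wanted, seen in audit_become(SAMPLE_LOG, EXPECTED):
        print(f"{host}: task {task!r} wanted become_user={wanted}, wrapper user={seen}")
```

A finding with a wrapper user of `None` means the module ran as the session's login user, which is the `ssm-user` result shown in the report.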