Ansible AWS using a role_arn with ansible playbook not giving permissions

Question

I have been stuck on this issue for days, and I can't seem to find anything around the exact same problem I've been having. Currently, I have credentials and config set up like so:

~/.aws/credentials

[default]
aws_access_key_id = ###########
aws_secret_access_key = ######################

[dev]
role_arn=arn:aws:iam::############:role/###AccessRole
source_profile=default

~/.aws/config

[default]
region = us-east-1
output = json

[profile dev]
role_arn = arn:aws:iam::############:role/###AccessRole
source_profile = default

When I run aws cli commands, everything runs fine. If I end up using AWS creds which have admin permissions, it works - but I can't do this in our system.

Currently, the default role can't access anything on purpose, it assumes the dev role. However, I can't get Ansible to recognise dev. I configured it all, and it works across Terraform, AWS CLI, Git. Currently, this is my input and error using ansible-playbook. I have removed certain info/linted the output below. As you can see, I'm using ec2.ini and ec2.py.

Has anyone come across this? Is it to do with using role_arn with Ansible? I have tried a plethora of things to get this to work, the state below is the current state of things.

Thanks in advance!

AWS_PROFILE=dev ansible-playbook -i ./inventory/ec2.py playbook.yml --private-key ###.pem

----

[WARNING]:  * Failed to parse {home}/Ansible/Bastion/inventory/ec2.py with script
plugin: Inventory script ({home}/Ansible/Bastion/inventory/ec2.py) had an
execution error: Traceback (most recent call last):   File
"{home}/Ansible/Bastion/inventory/ec2.py", line 1712, in <module>
Ec2Inventory()   File "{home}Ansible/Bastion/inventory/ec2.py", line 285, in
__init__     self.do_api_calls_update_cache()   File
"{home}/Ansible/Bastion/inventory/ec2.py", line 552, in do_api_calls_update_cache
self.get_instances_by_region(region)   File
"{home}/Ansible/Bastion/inventory/ec2.py", line 608, in get_instances_by_region
conn = self.connect(region)   File "{home}/Ansible/Bastion/inventory/ec2.py", line
570, in connect     conn = self.connect_to_aws(ec2, region)   File
"{home}/Ansible/Bastion/inventory/ec2.py", line 591, in connect_to_aws
sts_conn = sts.connect_to_region(region, **connect_args)   File "{home}.local/lib/python2.7/site-
packages/boto/sts/__init__.py", line 51, in connect_to_region     **kw_params)   File
"{home}/.local/lib/python2.7/site-packages/boto/regioninfo.py", line 220, in connect     return
region.connect(**kw_params)   File "{home}/.local/lib/python2.7/site-packages/boto/regioninfo.py",
line 290, in connect     return self.connection_cls(region=self, **kw_params)   File
"{home}/.local/lib/python2.7/site-packages/boto/sts/connection.py", line 107, in __init__
provider=provider)   File "{home}/.local/lib/python2.7/site-packages/boto/connection.py", line
1100, in __init__     provider=provider)   File "{home}/.local/lib/python2.7/site-
packages/boto/connection.py", line 555, in __init__     profile_name)   File
"{home}/.local/lib/python2.7/site-packages/boto/provider.py", line 201, in __init__
self.get_credentials(access_key, secret_key, security_token, profile_name)   File
"{home}/.local/lib/python2.7/site-packages/boto/provider.py", line 297, in get_credentials
profile_name) boto.provider.ProfileNotFoundError: Profile "dev" not found!
[WARNING]:  * Failed to parse {home}/Ansible/Bastion/inventory/ec2.py with ini
plugin: {home}/Ansible/Bastion/inventory/ec2.py:3: Error parsing host definition
''''': No closing quotation
[WARNING]: Unable to parse {home}/Ansible/Bastion/inventory/ec2.py as an inventory
source
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does
not match 'all'

PLAY [Create kp and access instance] *********************************************************

TASK [Setup variables] *************************************************************************************
ok: [localhost]

TASK [Backup previous key] *************************************************************************
changed: [localhost]

TASK [generate SSH key]
*******************************************************************
changed: [localhost]

TASK [Start and register instance] *****************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Profile given for AWS was not found.  Please fix and retry."}

PLAY RECAP *************************************************************************************************
localhost                  : ok=3    changed=2    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0  

EDITS:

      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                      dev           manual    --profile
access_key     ****************####      assume-role    
secret_key     ****************####      assume-role    
    region                <not set>             None    None

{
    "UserId": "<ACCESS_KEY?>:botocore-session-##########",
    "Account": "############",
    "Arn": "arn:aws:sts::############:assumed-role/###AccessRole/botocore-session-##########"
}

Answer 1

ec2.py is too old, it only use boto and can't work with roles. It is also deprecated, the correct way now to use aws dynamic inventory is to use aws_ec2 from the aws collection. It used boto3, support roles and is in the end more flexible. If needed, there is a compatiblity ec2.py config here, but it is recommended always to use the aws_ec2 groups and variables directly for the long run.

Check this link in github for the full story