From 061877d58403bdd515b7183b542fed010d2cba28 Mon Sep 17 00:00:00 2001 From: sdubrul <6731695+sdubrul@users.noreply.github.com> Date: Wed, 22 Aug 2018 23:21:12 +0200 Subject: [PATCH] added account_alias in the response of module aws_caller_facts (#42345) * added account_alias in the response of module aws_caller_facts * added comment to explain list_account_aliases * renamed caller_identity to caller_facts as the content is extended * created changelog * security-policy needs the iam:ListAccountAliases for this module to work * test now checks for the added field account_alias * gracefully handle missing iam:ListAccountAliases permission --- .../aws_caller_facts_add_account_alias.yaml | 3 ++ .../testing_policies/security-policy.json | 3 +- .../modules/cloud/amazon/aws_caller_facts.py | 37 +++++++++++++++---- .../targets/aws_caller_facts/tasks/main.yaml | 3 +- 4 files changed, 37 insertions(+), 9 deletions(-) create mode 100644 changelogs/fragments/aws_caller_facts_add_account_alias.yaml diff --git a/changelogs/fragments/aws_caller_facts_add_account_alias.yaml b/changelogs/fragments/aws_caller_facts_add_account_alias.yaml new file mode 100644 index 0000000000..f3ab00b362 --- /dev/null +++ b/changelogs/fragments/aws_caller_facts_add_account_alias.yaml @@ -0,0 +1,3 @@ +--- +minor_changes: + - aws_caller_facts - The module now outputs the "account_alias" as well diff --git a/hacking/aws_config/testing_policies/security-policy.json b/hacking/aws_config/testing_policies/security-policy.json index 29cf0c5521..1c6b2ca23a 100644 --- a/hacking/aws_config/testing_policies/security-policy.json +++ b/hacking/aws_config/testing_policies/security-policy.json @@ -12,7 +12,8 @@ "iam:ListPolicies", "iam:ListRoles", "iam:ListRolePolicies", - "iam:ListUsers" + "iam:ListUsers", + "iam:ListAccountAliases" ], "Resource": "*", "Effect": "Allow", diff --git a/lib/ansible/modules/cloud/amazon/aws_caller_facts.py b/lib/ansible/modules/cloud/amazon/aws_caller_facts.py index 06b20a7328..b4378528d5 100644 --- a/lib/ansible/modules/cloud/amazon/aws_caller_facts.py +++ b/lib/ansible/modules/cloud/amazon/aws_caller_facts.py @@ -17,7 +17,9 @@ description: - The primary use of this is to get the account id for templating into ARNs or similar to avoid needing to specify this information in inventory. version_added: "2.6" -author: Ed Costello (@orthanc) +author: + - Ed Costello (@orthanc) + - Stijn Dubrul (@sdubrul) requirements: [ 'botocore', 'boto3' ] extends_documentation_fragment: @@ -39,6 +41,11 @@ account: returned: success type: string sample: "123456789012" +account_alias: + description: The account alias the access credentials are associated with. + returned: when caller has the iam:ListAccountAliases permission + type: string + sample: "acme-production" arn: description: The arn identifying the user the credentials are associated with. returned: success @@ -71,15 +78,31 @@ def main(): client = module.client('sts') try: - caller_identity = client.get_caller_identity() - caller_identity.pop('ResponseMetadata', None) - module.exit_json( - changed=False, - **camel_dict_to_snake_dict(caller_identity) - ) + caller_facts = client.get_caller_identity() + caller_facts.pop('ResponseMetadata', None) except (BotoCoreError, ClientError) as e: module.fail_json_aws(e, msg='Failed to retrieve caller identity') + iam_client = module.client('iam') + + try: + # Although a list is returned by list_account_aliases AWS supports maximum one alias per account. + # If an alias is defined it will be returned otherwise a blank string is filled in as account_alias. + # see https://docs.aws.amazon.com/cli/latest/reference/iam/list-account-aliases.html#output + response = iam_client.list_account_aliases() + if response and response['AccountAliases']: + caller_facts['account_alias'] = response['AccountAliases'][0] + else: + caller_facts['account_alias'] = '' + except (BotoCoreError, ClientError) as e: + # The iam:ListAccountAliases permission is required for this operation to succeed. + # Lacking this permission is handled gracefully by not returning the account_alias. + pass + + module.exit_json( + changed=False, + **camel_dict_to_snake_dict(caller_facts)) + if __name__ == '__main__': main() diff --git a/test/integration/targets/aws_caller_facts/tasks/main.yaml b/test/integration/targets/aws_caller_facts/tasks/main.yaml index c97565adbe..e5208a2dc9 100644 --- a/test/integration/targets/aws_caller_facts/tasks/main.yaml +++ b/test/integration/targets/aws_caller_facts/tasks/main.yaml @@ -3,7 +3,7 @@ region: "{{ aws_region }}" aws_access_key: "{{ aws_access_key }}" aws_secret_key: "{{ aws_secret_key }}" - security_token: "{{security_token}}" + security_token: "{{ security_token }}" register: result - name: assert correct keys are returned @@ -12,3 +12,4 @@ - result.account is not none - result.arn is not none - result.user_id is not none + - result.account_alias is not none