added account_alias in the response of module aws_caller_facts (#42345)
* added account_alias in the response of module aws_caller_facts * added comment to explain list_account_aliases * renamed caller_identity to caller_facts as the content is extended * created changelog * security-policy needs the iam:ListAccountAliases for this module to work * test now checks for the added field account_alias * gracefully handle missing iam:ListAccountAliases permission
This commit is contained in:
parent
960d99a785
commit
061877d584
4 changed files with 37 additions and 9 deletions
|
@ -0,0 +1,3 @@
|
||||||
|
---
|
||||||
|
minor_changes:
|
||||||
|
- aws_caller_facts - The module now outputs the "account_alias" as well
|
|
@ -12,7 +12,8 @@
|
||||||
"iam:ListPolicies",
|
"iam:ListPolicies",
|
||||||
"iam:ListRoles",
|
"iam:ListRoles",
|
||||||
"iam:ListRolePolicies",
|
"iam:ListRolePolicies",
|
||||||
"iam:ListUsers"
|
"iam:ListUsers",
|
||||||
|
"iam:ListAccountAliases"
|
||||||
],
|
],
|
||||||
"Resource": "*",
|
"Resource": "*",
|
||||||
"Effect": "Allow",
|
"Effect": "Allow",
|
||||||
|
|
|
@ -17,7 +17,9 @@ description:
|
||||||
- The primary use of this is to get the account id for templating into ARNs or similar to avoid needing to specify this information in inventory.
|
- The primary use of this is to get the account id for templating into ARNs or similar to avoid needing to specify this information in inventory.
|
||||||
version_added: "2.6"
|
version_added: "2.6"
|
||||||
|
|
||||||
author: Ed Costello (@orthanc)
|
author:
|
||||||
|
- Ed Costello (@orthanc)
|
||||||
|
- Stijn Dubrul (@sdubrul)
|
||||||
|
|
||||||
requirements: [ 'botocore', 'boto3' ]
|
requirements: [ 'botocore', 'boto3' ]
|
||||||
extends_documentation_fragment:
|
extends_documentation_fragment:
|
||||||
|
@ -39,6 +41,11 @@ account:
|
||||||
returned: success
|
returned: success
|
||||||
type: string
|
type: string
|
||||||
sample: "123456789012"
|
sample: "123456789012"
|
||||||
|
account_alias:
|
||||||
|
description: The account alias the access credentials are associated with.
|
||||||
|
returned: when caller has the iam:ListAccountAliases permission
|
||||||
|
type: string
|
||||||
|
sample: "acme-production"
|
||||||
arn:
|
arn:
|
||||||
description: The arn identifying the user the credentials are associated with.
|
description: The arn identifying the user the credentials are associated with.
|
||||||
returned: success
|
returned: success
|
||||||
|
@ -71,15 +78,31 @@ def main():
|
||||||
client = module.client('sts')
|
client = module.client('sts')
|
||||||
|
|
||||||
try:
|
try:
|
||||||
caller_identity = client.get_caller_identity()
|
caller_facts = client.get_caller_identity()
|
||||||
caller_identity.pop('ResponseMetadata', None)
|
caller_facts.pop('ResponseMetadata', None)
|
||||||
module.exit_json(
|
|
||||||
changed=False,
|
|
||||||
**camel_dict_to_snake_dict(caller_identity)
|
|
||||||
)
|
|
||||||
except (BotoCoreError, ClientError) as e:
|
except (BotoCoreError, ClientError) as e:
|
||||||
module.fail_json_aws(e, msg='Failed to retrieve caller identity')
|
module.fail_json_aws(e, msg='Failed to retrieve caller identity')
|
||||||
|
|
||||||
|
iam_client = module.client('iam')
|
||||||
|
|
||||||
|
try:
|
||||||
|
# Although a list is returned by list_account_aliases AWS supports maximum one alias per account.
|
||||||
|
# If an alias is defined it will be returned otherwise a blank string is filled in as account_alias.
|
||||||
|
# see https://docs.aws.amazon.com/cli/latest/reference/iam/list-account-aliases.html#output
|
||||||
|
response = iam_client.list_account_aliases()
|
||||||
|
if response and response['AccountAliases']:
|
||||||
|
caller_facts['account_alias'] = response['AccountAliases'][0]
|
||||||
|
else:
|
||||||
|
caller_facts['account_alias'] = ''
|
||||||
|
except (BotoCoreError, ClientError) as e:
|
||||||
|
# The iam:ListAccountAliases permission is required for this operation to succeed.
|
||||||
|
# Lacking this permission is handled gracefully by not returning the account_alias.
|
||||||
|
pass
|
||||||
|
|
||||||
|
module.exit_json(
|
||||||
|
changed=False,
|
||||||
|
**camel_dict_to_snake_dict(caller_facts))
|
||||||
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
main()
|
main()
|
||||||
|
|
|
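Review bot: The new `except (BotoCoreError, ClientError) as e: pass` around list_account_aliases swallows every failure, not only the missing-permission case the comment and the RETURN doc (`returned: when caller has the iam:ListAccountAliases permission`) describe, so throttling, network errors or a misconfigured endpoint silently drop `account_alias` and the caller cannot tell the two situations apart; `e` is also bound and never used. The documented contract is better met by checking the error code and tolerating only `AccessDenied`, emitting `module.warn(...)` in that case and calling `module.fail_json_aws` (already used a few lines above for the sts call) for anything else. The main() function starts outside the hunk.
```python
    # … unchanged: list_account_aliases call and account_alias assignment …
    except ClientError as e:
        # Only a missing iam:ListAccountAliases permission is tolerated; throttling,
        # network or other API failures must surface instead of silently dropping the key.
        if e.response.get('Error', {}).get('Code') != 'AccessDenied':
            module.fail_json_aws(e, msg='Failed to retrieve account alias')
        module.warn('Missing iam:ListAccountAliases permission, account_alias not returned')
    except BotoCoreError as e:
        module.fail_json_aws(e, msg='Failed to retrieve account alias')
```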
@ -3,7 +3,7 @@
|
||||||
region: "{{ aws_region }}"
|
region: "{{ aws_region }}"
|
||||||
aws_access_key: "{{ aws_access_key }}"
|
aws_access_key: "{{ aws_access_key }}"
|
||||||
aws_secret_key: "{{ aws_secret_key }}"
|
aws_secret_key: "{{ aws_secret_key }}"
|
||||||
security_token: "{{security_token}}"
|
security_token: "{{ security_token }}"
|
||||||
register: result
|
register: result
|
||||||
|
|
||||||
- name: assert correct keys are returned
|
- name: assert correct keys are returned
|
||||||
|
@ -12,3 +12,4 @@
|
||||||
- result.account is not none
|
- result.account is not none
|
||||||
- result.arn is not none
|
- result.arn is not none
|
||||||
- result.user_id is not none
|
- result.user_id is not none
|
||||||
|
- result.account_alias is not none
|
||||||
|
|
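Review bot: The added `- result.account_alias is not none` reads as a value check, but what it actually verifies is that the key exists (the module returns `''` for an account without an alias, which also passes, and omits the key entirely when the permission is missing, which errors on an undefined attribute). Writing it as `- result.account_alias is defined` states that intent directly and fails with a clear message instead of an undefined-variable error; the other keys on the lines above could use the same form for consistency, but that is outside this change.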