1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

added account_alias in the response of module aws_caller_facts (#42345)

* added account_alias in the response of module aws_caller_facts

* added comment to explain list_account_aliases

* renamed caller_identity to caller_facts as the content is extended

* created changelog

* security-policy needs the iam:ListAccountAliases for this module to work

* test now checks for the added field account_alias

* gracefully handle missing iam:ListAccountAliases permission
This commit is contained in:
sdubrul 2018-08-22 23:21:12 +02:00 committed by Sloane Hertel
parent 960d99a785
commit 061877d584
4 changed files with 37 additions and 9 deletions

View file

@ -0,0 +1,3 @@
---
minor_changes:
- aws_caller_facts - The module now outputs the "account_alias" as well

View file

@ -12,7 +12,8 @@
"iam:ListPolicies", "iam:ListPolicies",
"iam:ListRoles", "iam:ListRoles",
"iam:ListRolePolicies", "iam:ListRolePolicies",
"iam:ListUsers" "iam:ListUsers",
"iam:ListAccountAliases"
], ],
"Resource": "*", "Resource": "*",
"Effect": "Allow", "Effect": "Allow",

View file

@ -17,7 +17,9 @@ description:
- The primary use of this is to get the account id for templating into ARNs or similar to avoid needing to specify this information in inventory. - The primary use of this is to get the account id for templating into ARNs or similar to avoid needing to specify this information in inventory.
version_added: "2.6" version_added: "2.6"
author: Ed Costello (@orthanc) author:
- Ed Costello (@orthanc)
- Stijn Dubrul (@sdubrul)
requirements: [ 'botocore', 'boto3' ] requirements: [ 'botocore', 'boto3' ]
extends_documentation_fragment: extends_documentation_fragment:
@ -39,6 +41,11 @@ account:
returned: success returned: success
type: string type: string
sample: "123456789012" sample: "123456789012"
account_alias:
description: The account alias the access credentials are associated with.
returned: when caller has the iam:ListAccountAliases permission
type: string
sample: "acme-production"
arn: arn:
description: The arn identifying the user the credentials are associated with. description: The arn identifying the user the credentials are associated with.
returned: success returned: success
@ -71,15 +78,31 @@ def main():
client = module.client('sts') client = module.client('sts')
try: try:
caller_identity = client.get_caller_identity() caller_facts = client.get_caller_identity()
caller_identity.pop('ResponseMetadata', None) caller_facts.pop('ResponseMetadata', None)
module.exit_json(
changed=False,
**camel_dict_to_snake_dict(caller_identity)
)
except (BotoCoreError, ClientError) as e: except (BotoCoreError, ClientError) as e:
module.fail_json_aws(e, msg='Failed to retrieve caller identity') module.fail_json_aws(e, msg='Failed to retrieve caller identity')
iam_client = module.client('iam')
try:
# Although a list is returned by list_account_aliases AWS supports maximum one alias per account.
# If an alias is defined it will be returned otherwise a blank string is filled in as account_alias.
# see https://docs.aws.amazon.com/cli/latest/reference/iam/list-account-aliases.html#output
response = iam_client.list_account_aliases()
if response and response['AccountAliases']:
caller_facts['account_alias'] = response['AccountAliases'][0]
else:
caller_facts['account_alias'] = ''
except (BotoCoreError, ClientError) as e:
# The iam:ListAccountAliases permission is required for this operation to succeed.
# Lacking this permission is handled gracefully by not returning the account_alias.
pass
module.exit_json(
changed=False,
**camel_dict_to_snake_dict(caller_facts))
if __name__ == '__main__': if __name__ == '__main__':
main() main()

View file

@ -3,7 +3,7 @@
region: "{{ aws_region }}" region: "{{ aws_region }}"
aws_access_key: "{{ aws_access_key }}" aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}" aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{security_token}}" security_token: "{{ security_token }}"
register: result register: result
- name: assert correct keys are returned - name: assert correct keys are returned
@ -12,3 +12,4 @@
- result.account is not none - result.account is not none
- result.arn is not none - result.arn is not none
- result.user_id is not none - result.user_id is not none
- result.account_alias is not none