mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
added account_alias in the response of module aws_caller_facts (#42345)
* added account_alias in the response of module aws_caller_facts * added comment to explain list_account_aliases * renamed caller_identity to caller_facts as the content is extended * created changelog * security-policy needs the iam:ListAccountAliases for this module to work * test now checks for the added field account_alias * gracefully handle missing iam:ListAccountAliases permission
This commit is contained in:
parent
960d99a785
commit
061877d584
4 changed files with 37 additions and 9 deletions
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
minor_changes:
|
||||
- aws_caller_facts - The module now outputs the "account_alias" as well
|
|
@ -12,7 +12,8 @@
|
|||
"iam:ListPolicies",
|
||||
"iam:ListRoles",
|
||||
"iam:ListRolePolicies",
|
||||
"iam:ListUsers"
|
||||
"iam:ListUsers",
|
||||
"iam:ListAccountAliases"
|
||||
],
|
||||
"Resource": "*",
|
||||
"Effect": "Allow",
|
||||
|
|
|
@ -17,7 +17,9 @@ description:
|
|||
- The primary use of this is to get the account id for templating into ARNs or similar to avoid needing to specify this information in inventory.
|
||||
version_added: "2.6"
|
||||
|
||||
author: Ed Costello (@orthanc)
|
||||
author:
|
||||
- Ed Costello (@orthanc)
|
||||
- Stijn Dubrul (@sdubrul)
|
||||
|
||||
requirements: [ 'botocore', 'boto3' ]
|
||||
extends_documentation_fragment:
|
||||
|
@ -39,6 +41,11 @@ account:
|
|||
returned: success
|
||||
type: string
|
||||
sample: "123456789012"
|
||||
account_alias:
|
||||
description: The account alias the access credentials are associated with.
|
||||
returned: when caller has the iam:ListAccountAliases permission
|
||||
type: string
|
||||
sample: "acme-production"
|
||||
arn:
|
||||
description: The arn identifying the user the credentials are associated with.
|
||||
returned: success
|
||||
|
@ -71,15 +78,31 @@ def main():
|
|||
client = module.client('sts')
|
||||
|
||||
try:
|
||||
caller_identity = client.get_caller_identity()
|
||||
caller_identity.pop('ResponseMetadata', None)
|
||||
module.exit_json(
|
||||
changed=False,
|
||||
**camel_dict_to_snake_dict(caller_identity)
|
||||
)
|
||||
caller_facts = client.get_caller_identity()
|
||||
caller_facts.pop('ResponseMetadata', None)
|
||||
except (BotoCoreError, ClientError) as e:
|
||||
module.fail_json_aws(e, msg='Failed to retrieve caller identity')
|
||||
|
||||
iam_client = module.client('iam')
|
||||
|
||||
try:
|
||||
# Although a list is returned by list_account_aliases AWS supports maximum one alias per account.
|
||||
# If an alias is defined it will be returned otherwise a blank string is filled in as account_alias.
|
||||
# see https://docs.aws.amazon.com/cli/latest/reference/iam/list-account-aliases.html#output
|
||||
response = iam_client.list_account_aliases()
|
||||
if response and response['AccountAliases']:
|
||||
caller_facts['account_alias'] = response['AccountAliases'][0]
|
||||
else:
|
||||
caller_facts['account_alias'] = ''
|
||||
except (BotoCoreError, ClientError) as e:
|
||||
# The iam:ListAccountAliases permission is required for this operation to succeed.
|
||||
# Lacking this permission is handled gracefully by not returning the account_alias.
|
||||
pass
|
||||
|
||||
module.exit_json(
|
||||
changed=False,
|
||||
**camel_dict_to_snake_dict(caller_facts))
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
region: "{{ aws_region }}"
|
||||
aws_access_key: "{{ aws_access_key }}"
|
||||
aws_secret_key: "{{ aws_secret_key }}"
|
||||
security_token: "{{security_token}}"
|
||||
security_token: "{{ security_token }}"
|
||||
register: result
|
||||
|
||||
- name: assert correct keys are returned
|
||||
|
@ -12,3 +12,4 @@
|
|||
- result.account is not none
|
||||
- result.arn is not none
|
||||
- result.user_id is not none
|
||||
- result.account_alias is not none
|
||||
|
|
Loading…
Reference in a new issue