
'community.aws.aws_ssm' connection will not change/become user (root) #2103

Open
jordanjthomas opened this issue May 29, 2024 · 4 comments

Comments

@jordanjthomas

jordanjthomas commented May 29, 2024

Summary

Cannot get the 'community.aws.aws_ssm' connection to 'become' any other user when connecting to an EC2 via SSM. In this scenario user will not become 'root'. I can connect to the target host fine, but any attempt to become root fails. Example tests:

```yaml
- name: Run 'whoami' command
  become: true
  vars:
    - ansible_aws_ssm_access_key_id: "{{ ansible_access_key }}"
    - ansible_aws_ssm_secret_access_key: "{{ ansible_secret_key }}"
    - ansible_aws_ssm_session_token: "{{ ansible_session_token }}"
  ansible.builtin.command: whoami
  register: whoami_output

- name: Run 'whoami' command again
  become: true
  become_user: root
  vars:
    - ansible_aws_ssm_access_key_id: "{{ ansible_access_key }}"
    - ansible_aws_ssm_secret_access_key: "{{ ansible_secret_key }}"
    - ansible_aws_ssm_session_token: "{{ ansible_session_token }}"
  ansible.builtin.command: whoami
  register: whoami_output
```

The results of these and other tests all come back the same: the user is 'ssm_user'. The 'ssm_user' definitely does have the permission to elevate to root and can do so manually on the instance fine.

Issue Type

Bug Report

Component Name

community.aws.aws_ssm

Ansible Version

```text
ansible-playbook [core 2.15.12]
  config file = /runner/project/ansible.cfg
  configured module search path = ['/runner/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
  ansible collection location = /runner/requirements_collections:/runner/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible-playbook
  python version = 3.9.18 (main, Jan 24 2024, 00:00:00) [GCC 11.4.1 20231218 (Red Hat 11.4.1-3)] (/usr/bin/python3)
  jinja version = 3.1.4
  libyaml = True
```

Collection Versions

```yaml
- name: awx.awx
- name: azure.azcollection
- name: amazon.aws
- name: community.vmware
- name: ansible.posix
- name: ansible.windows
- name: community.general
- name: community.aws
```

AWS SDK versions

```text
'botocore>=1.29.0,>=1.29.0  # from collection amazon.aws,community.aws'
'boto3>=1.26.0,>=1.26.0  # from collection amazon.aws,community.aws'
```

OS / Environment

No response

Steps to Reproduce

```yaml
- name: Run 'whoami' command
  become: true
  vars:
    - ansible_aws_ssm_access_key_id: "{{ ansible_access_key }}"
    - ansible_aws_ssm_secret_access_key: "{{ ansible_secret_key }}"
    - ansible_aws_ssm_session_token: "{{ ansible_session_token }}"
  ansible.builtin.command: whoami
  register: whoami_output

- name: Run 'whoami' command again
  become: true
  become_user: root
  vars:
    - ansible_aws_ssm_access_key_id: "{{ ansible_access_key }}"
    - ansible_aws_ssm_secret_access_key: "{{ ansible_secret_key }}"
    - ansible_aws_ssm_session_token: "{{ ansible_session_token }}"
  ansible.builtin.command: whoami
  register: whoami_output
```

Expected Results

I expected the tasks to show the user as 'root'.

Actual Results

```text
  "stdout": "ssm-user"
```

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
@jordanjthomas (Author)

@psharkey Sorry for tagging, but is this a known issue with the connection plugin?

@jay-lark

jay-lark commented Jul 12, 2024

I am seeing this as well when running in AWX with Ansible core 2.15.12 or 2.16.8 with the community.aws collections in 7.x and 8.x.

Interestingly, the same exact playbook works with the same credentials when running on my laptop with ansible 2.16.8 and collection 7.2.0 or 8.0.0.

@vikas-falconx

Is there a workaround for this? Or can someone please pick this up and fix it? I see that this has been changed in the latest version: https://github.com/ansible-collections/community.aws/blob/5.5.1/plugins/connection/aws_ssm.py#L674-L675

@jordanjthomas (Author)

I don't know if this helps people, but in my case I'm using AWX and found a workaround.

I needed to create a machine credential for the job template with the username of 'admin' and no password required. This then allowed 'become' to work. Without that, become would not cause any changes to user after SSM connection. Quite annoying.
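The failure mode described in this thread is silent: the tasks run, but as `ssm-user` rather than `root`, so anything that relies on privilege escalation either fails later or quietly does less than intended. The playbook below is an added example (not the reporter's playbook and not code from the community.aws collection) that makes the check explicit: it asserts that `become` actually took effect over the `community.aws.aws_ssm` connection before any privileged task runs. The `ansible_aws_ssm_*` variables are the plugin's documented connection options; the inventory group, region, bucket name and the `ansible_access_key` / `ansible_secret_key` / `ansible_session_token` names are placeholders.

```yaml
# Added example: fail fast when become does not take effect over SSM.
- name: Verify privilege escalation over SSM before doing privileged work
  hosts: ec2_ssm_hosts                  # placeholder inventory group
  gather_facts: false
  vars:
    ansible_connection: community.aws.aws_ssm
    ansible_aws_ssm_region: us-east-1                 # placeholder region
    ansible_aws_ssm_bucket_name: example-ssm-bucket   # placeholder bucket
    ansible_aws_ssm_access_key_id: "{{ ansible_access_key }}"
    ansible_aws_ssm_secret_access_key: "{{ ansible_secret_key }}"
    ansible_aws_ssm_session_token: "{{ ansible_session_token }}"
    # State the escalation explicitly instead of relying on defaults
    ansible_become: true
    ansible_become_method: sudo
    ansible_become_user: root
  tasks:
    - name: Record the effective uid the tasks actually run as
      ansible.builtin.command: id -u
      changed_when: false
      register: effective_uid

    - name: Stop the play if become did not take effect
      ansible.builtin.assert:
        that:
          - effective_uid.stdout | trim == "0"
        fail_msg: >-
          become did not take effect over the SSM connection
          (running as uid {{ effective_uid.stdout | trim }}); refusing to continue.
        success_msg: Running as root as expected.

    - name: Privileged work goes here (only reached when the check passed)
      ansible.builtin.command: whoami
      changed_when: false
      register: whoami_output
```

Putting the assertion first means a misconfigured credential (the AWX case above, where a machine credential was needed before `become` had any effect) aborts the run with a clear message instead of producing a job that looks green while having run nothing as root.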
