added account_alias in the response of module aws_caller_facts (#42345)

* added account_alias in the response of module aws_caller_facts

* added comment to explain list_account_aliases

* renamed caller_identity to caller_facts as the content is extended

* created changelog

* security-policy needs the iam:ListAccountAliases for this module to work

* test now checks for the added field account_alias

* gracefully handle missing iam:ListAccountAliases permission
pull/34710/merge
sdubrul 6 years ago committed by Sloane Hertel
parent 960d99a785
commit 061877d584

@ -0,0 +1,3 @@
---
minor_changes:
- aws_caller_facts - The module now outputs the "account_alias" as well
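Review bot: the changelog entry should state that `account_alias` is conditional: it is omitted entirely when the credentials lack iam:ListAccountAliases and is an empty string when the account has no alias, which is the behaviour the module code in this commit implements. Anyone templating on the new field needs that caveat, and the new IAM permission is worth naming here as well, e.g. "aws_caller_facts - The module now outputs "account_alias" when the caller has iam:ListAccountAliases".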

@ -12,7 +12,8 @@
"iam:ListPolicies",
"iam:ListRoles",
"iam:ListRolePolicies",
"iam:ListUsers"
"iam:ListUsers",
"iam:ListAccountAliases"
],
"Resource": "*",
"Effect": "Allow",
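Review bot: since the module now degrades gracefully without it, iam:ListAccountAliases is only strictly required by the integration test (which asserts on the field), not by the module itself; worth a one-line note in the policy or test README so the permission is not dropped later as "unused". Also, `"Resource": "*"` is the correct scope here: ListAccountAliases is an account-level call and does not support resource-level restriction.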

@ -17,7 +17,9 @@ description:
- The primary use of this is to get the account id for templating into ARNs or similar to avoid needing to specify this information in inventory.
version_added: "2.6"
author: Ed Costello (@orthanc)
author:
- Ed Costello (@orthanc)
- Stijn Dubrul (@sdubrul)
requirements: [ 'botocore', 'boto3' ]
extends_documentation_fragment:
@ -39,6 +41,11 @@ account:
returned: success
type: string
sample: "123456789012"
account_alias:
description: The account alias the access credentials are associated with.
returned: when caller has the iam:ListAccountAliases permission
type: string
sample: "acme-production"
arn:
description: The arn identifying the user the credentials are associated with.
returned: success
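Review bot: the `returned:` line for `account_alias` is incomplete relative to the code: with the permission present but no alias configured, the module returns an empty string, so the doc should say so, e.g. `returned: when caller has the iam:ListAccountAliases permission; empty string if the account has no alias`. The module-level `description:` still only mentions the account id; add a sentence that the account alias is returned as well, since that is the point of this change.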
@ -71,15 +78,31 @@ def main():
client = module.client('sts')
try:
caller_identity = client.get_caller_identity()
caller_identity.pop('ResponseMetadata', None)
module.exit_json(
changed=False,
**camel_dict_to_snake_dict(caller_identity)
)
caller_facts = client.get_caller_identity()
caller_facts.pop('ResponseMetadata', None)
except (BotoCoreError, ClientError) as e:
module.fail_json_aws(e, msg='Failed to retrieve caller identity')
iam_client = module.client('iam')
try:
# Although a list is returned by list_account_aliases AWS supports maximum one alias per account.
# If an alias is defined it will be returned otherwise a blank string is filled in as account_alias.
# see https://docs.aws.amazon.com/cli/latest/reference/iam/list-account-aliases.html#output
response = iam_client.list_account_aliases()
if response and response['AccountAliases']:
caller_facts['account_alias'] = response['AccountAliases'][0]
else:
caller_facts['account_alias'] = ''
except (BotoCoreError, ClientError) as e:
# The iam:ListAccountAliases permission is required for this operation to succeed.
# Lacking this permission is handled gracefully by not returning the account_alias.
pass
module.exit_json(
changed=False,
**camel_dict_to_snake_dict(caller_facts))
if __name__ == '__main__':
main()
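Review bot: the `except (BotoCoreError, ClientError) as e: pass` around `list_account_aliases()` swallows every failure, not just a missing permission: throttling, endpoint/connection errors and expired credentials would all silently drop `account_alias` with no indication why, and `e` is never used. Narrow the handling to the access-denied case and fail on anything else (check the error code from `e.response['Error']['Code']` and call `module.fail_json_aws(e, msg=...)` otherwise), and at minimum emit `module.warn("iam:ListAccountAliases not permitted, account_alias not returned")` so the omission is visible in playbook output. Minor: the key is already snake_case, so passing it through `camel_dict_to_snake_dict` is harmless, but setting it after the conversion would make that clearer.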

@ -3,7 +3,7 @@
region: "{{ aws_region }}"
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{security_token}}"
security_token: "{{ security_token }}"
register: result
- name: assert correct keys are returned
@ -12,3 +12,4 @@
- result.account is not none
- result.arn is not none
- result.user_id is not none
- result.account_alias is not none
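Review bot: `result.account_alias is not none` does not match the module's failure mode: when the permission is missing the key is absent (not none), so the assert errors on an undefined attribute rather than reporting a clear failure, and the check passes trivially for an empty-string alias. Assert `result.account_alias is defined` and `result.account_alias is string` instead, and consider a second task that runs the module with credentials lacking iam:ListAccountAliases to cover the graceful-degradation path this commit adds.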
