diff --git a/changelogs/fragments/352-fix-aws-region-and-v4-signature-for-s3-boto-client.yml b/changelogs/fragments/352-fix-aws-region-and-v4-signature-for-s3-boto-client.yml
new file mode 100644
index 00000000000..8fe59379698
--- /dev/null
+++ b/changelogs/fragments/352-fix-aws-region-and-v4-signature-for-s3-boto-client.yml
@@ -0,0 +1,2 @@
+bugfixes:
+ - aws_ssm - fix the generation of CURL URL used to download Ansible Python file from S3 bucket by ```_get_url()``` due to due to non-assignment of aws region in the URL and not using V4 signature as specified for AWS S3 signature URL by ```_get_boto_client()``` in (https://github.com/ansible-collections/community.aws/pull/352).
\ No newline at end of file
diff --git a/plugins/connection/aws_ssm.py b/plugins/connection/aws_ssm.py
index 94289eeef9f..c5fd3e22eef 100644
--- a/plugins/connection/aws_ssm.py
+++ b/plugins/connection/aws_ssm.py
@@ -162,7 +162,6 @@
 import os
 import getpass
 import json
-import os
 import pty
 import random
 import re
@@ -177,6 +176,7 @@ except ImportError as e:
 HAS_BOTO_3_ERROR = str(e)
 HAS_BOTO_3 = False
+from botocore.client import Config
 from functools import wraps
 from ansible import constants as C
@@ -497,7 +497,8 @@ def _flush_stderr(self, subprocess):
 def _get_url(self, client_method, bucket_name, out_path, http_method):
 ''' Generate URL for get_object / put_object '''
- client = self._get_boto_client('s3')
+ region_name = self.get_option('region') or 'us-east-1'
+ client = self._get_boto_client('s3', region_name)
 return client.generate_presigned_url(client_method, Params={'Bucket': bucket_name, 'Key': out_path}, ExpiresIn=3600, HttpMethod=http_method)
 def _get_boto_client(self, service, region_name=None):
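Review bot: The new `from botocore.client import Config` in the `@@ -177,6 +176,7 @@` hunk sits after the `except ImportError` branch that sets `HAS_BOTO_3 = False`, so that guard does not cover it. On a host without botocore the plugin would fail at import time with a raw ImportError instead of going through whatever handling the `HAS_BOTO_3` flag feeds. Moving the line into the guarded `try:` next to the boto3 import keeps the failure mode consistent. The `try:` block starts outside this hunk, so its contents are not visible here.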
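Review bot: In `_get_url`, `self.get_option('region') or 'us-east-1'` silently picks a region when none is configured. With SigV4 the region is part of the signed credential scope, so a bucket in another region will likely reject the presigned URL only later, when the URL is fetched. Consider failing early with a clear error or resolving the bucket's own region, and at minimum add a comment such as `# SigV4 presigned URLs are region-scoped; falls back to us-east-1 when 'region' is unset`. It is also worth confirming that the `region` option describes the bucket's region and not only the SSM endpoint. The URL stays valid for `ExpiresIn=3600` and works as a bearer credential for the object, so it should be kept out of logs at normal verbosity.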
@@ -515,7 +516,9 @@ def _get_boto_client(self, service, region_name=None):
 aws_access_key_id=aws_access_key_id,
 aws_secret_access_key=aws_secret_access_key,
 aws_session_token=aws_session_token,
- region_name=region_name)
+ region_name=region_name,
+ config=Config(signature_version="s3v4")
+ )
 return client
 @_ssm_retry
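Review bot: `config=Config(signature_version="s3v4")` is now passed for every `service` this helper is called with, not only S3, although `s3v4` is an S3-specific signature setting. If `_get_boto_client` is also used for other services (the `service` parameter suggests it is), scope the override, e.g. `config=Config(signature_version="s3v4") if service == 's3' else None`. The function body starts outside this hunk, so its other callers are not visible here.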