From debce4c0a4a1c469dda6af45863527821b683c10 Mon Sep 17 00:00:00 2001
From: Thulasiram
Date: Thu, 14 Jan 2021 03:18:06 +0530
Subject: [PATCH] aws_ssm signed url using v2 and thus aws_ssm generates incompatible curl request to download s3 object for ansible python (#352)
- AWS SDKs that were released before May 2016, request Signature Version 4
- fix generated url for aws s3 object for ansible python that executes ansible playbook usingh aws_ssm
---
 ...ix-aws-region-and-v4-signature-for-s3-boto-client.yml | 2 ++
 plugins/connection/aws_ssm.py | 9 ++++++---
 2 files changed, 8 insertions(+), 3 deletions(-)
 create mode 100644 changelogs/fragments/352-fix-aws-region-and-v4-signature-for-s3-boto-client.yml
diff --git a/changelogs/fragments/352-fix-aws-region-and-v4-signature-for-s3-boto-client.yml b/changelogs/fragments/352-fix-aws-region-and-v4-signature-for-s3-boto-client.yml
new file mode 100644
index 00000000000..8fe59379698
--- /dev/null
+++ b/changelogs/fragments/352-fix-aws-region-and-v4-signature-for-s3-boto-client.yml
@@ -0,0 +1,2 @@
+bugfixes:
+ - aws_ssm - fix the generation of CURL URL used to download Ansible Python file from S3 bucket by ```_get_url()``` due to due to non-assignment of aws region in the URL and not using V4 signature as specified for AWS S3 signature URL by ```_get_boto_client()``` in (https://github.com/ansible-collections/community.aws/pull/352).
\ No newline at end of file
diff --git a/plugins/connection/aws_ssm.py b/plugins/connection/aws_ssm.py
index 94289eeef9f..c5fd3e22eef 100644
--- a/plugins/connection/aws_ssm.py
+++ b/plugins/connection/aws_ssm.py
@@ -162,7 +162,6 @@
 import os
 import getpass
 import json
-import os
 import pty
 import random
 import re
@@ -177,6 +176,7 @@
 except ImportError as e:
 HAS_BOTO_3_ERROR = str(e)
 HAS_BOTO_3 = False
+from botocore.client import Config
 from functools import wraps
 from ansible import constants as C
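Review bot: The added `from botocore.client import Config` sits after the `except ImportError` branch instead of inside the guarded import, so on a controller without boto3/botocore the plugin module raises ImportError at load time and the `HAS_BOTO_3` / `HAS_BOTO_3_ERROR` handling shown just above it never gets to report the missing dependency. Move the line into the guarded block, next to the existing boto3 import, so a missing library is still reported through that path. The `try:` that opens the block is outside this hunk, so its exact contents are assumed.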
@@ -497,7 +497,8 @@ def _flush_stderr(self, subprocess):
 def _get_url(self, client_method, bucket_name, out_path, http_method):
 ''' Generate URL for get_object / put_object '''
- client = self._get_boto_client('s3')
+ region_name = self.get_option('region') or 'us-east-1'
+ client = self._get_boto_client('s3', region_name)
 return client.generate_presigned_url(client_method, Params={'Bucket': bucket_name, 'Key': out_path}, ExpiresIn=3600, HttpMethod=http_method)
 def _get_boto_client(self, service, region_name=None):
@@ -515,7 +516,9 @@ def _get_boto_client(self, service, region_name=None):
 aws_access_key_id=aws_access_key_id,
 aws_secret_access_key=aws_secret_access_key,
 aws_session_token=aws_session_token,
- region_name=region_name)
+ region_name=region_name,
+ config=Config(signature_version="s3v4")
+ )
 return client
 @_ssm_retry
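Review bot: In `_get_url` the fallback `or 'us-east-1'` silently picks a region when the `region` option is empty, and with SigV4 the region is part of the signing scope, so a bucket that lives in another region will most likely get a presigned URL that S3 rejects or redirects; that only surfaces later as an opaque download failure on the managed host. Either fail early with a clear error when no region is configured, or record the constraint next to the fallback, e.g. `# SigV4 signs for a single region; this must match the bucket's region`. On the unchanged `return` line, the presigned URL is a bearer credential valid for `ExpiresIn=3600`; since it is handed to a curl command according to the commit description, a shorter lifetime would limit exposure if the command line is logged.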
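Review bot: `config=Config(signature_version="s3v4")` in `_get_boto_client` is applied to every client the function builds, although it accepts an arbitrary `service` and `s3v4` is an S3-specific signer; only the `'s3'` caller is visible in this patch, so any other caller would be signed with it as well. Scoping the override keeps other services on their default signer: `config=Config(signature_version="s3v4") if service == 's3' else None,`. A short comment such as `# force SigV4 so presigned S3 URLs are accepted in SigV4-only regions` would record why the override exists. The function body starts outside this hunk, so the client constructor call itself is not visible.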