Has anyone gotten ansible's ansible_connection: aws_ssm to work?

This is supposed to be a drop-in replacement for ssh: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_ssm_connection.html

My playbook runs with ssh, but not with ssm:

    ---
    - name: Test command
      gather_facts: false
      hosts: all
      vars:
        ansible_connection: ssh
        # ansible_connection: aws_ssm <--- this one no worky
        ansible_aws_ssm_region: eu-central-1
      tasks:
        - name: test
          command:
            cmd: ls -l

Run using:

    ansible-playbook -i inventory_aws_ec2.yml --limit nghc-sbox2-bastion test.yml -vvvv

I'm missing something in the ansible SSM configuration. The error is (from /var/log/amazon/ssm/amazon-ssm-agent.log):

    2021-08-10 23:48:51 INFO ssm-session-worker DataBackend Initiating handshake
    2021-08-10 23:48:54 ERROR ssm-session DataBackend Fetching data key failed: Unable to retrieve data key, Error when decrypting data key AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.

The ansible output isn't any more helpful:
<i-0c208bc6d31fa6bf1> EXEC stdout line:
<i-0c208bc6d31fa6bf1> EXEC stdout line: Starting session with SessionId: bruce.edge@xxx.com-0f7b6c9323afa74bc
<i-0c208bc6d31fa6bf1> EXEC remaining: 60
<i-0c208bc6d31fa6bf1> EXEC remaining: 59
<i-0c208bc6d31fa6bf1> EXEC stdout line:
<i-0c208bc6d31fa6bf1> EXEC stdout line:
<i-0c208bc6d31fa6bf1> EXEC stdout line: SessionId: bruce.edge@xxx.com-0f7b6c9323afa74bc :
<i-0c208bc6d31fa6bf1> EXEC stdout line: ----------ERROR-------
<i-0c208bc6d31fa6bf1> EXEC stdout line: Encountered error while initiating handshake. Fetching data key failed: Unable to retrieve data key, Error when decrypting data key AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
<i-0c208bc6d31fa6bf1> EXEC stdout line: status code: 400, request id: 53549e47-03a1-4a1f-8f30-8f0c27482cc5
<i-0c208bc6d31fa6bf1> EXEC stdout line:
<i-0c208bc6d31fa6bf1> EXEC stdout line:
<i-0c208bc6d31fa6bf1> ssm_retry: attempt: 0, caught exception(local variable 'returncode' referenced before assignment) from cmd (echo ~...), pausing for 0 seconds
<i-0c208bc6d31fa6bf1> CLOSING SSM CONNECTION TO: i-0c208bc6d31fa6bf1
<i-0c208bc6d31fa6bf1> TERMINATE SSM SESSION: bruce.edge@xxx.com-0f7b6c9323afa74bc
<i-0c208bc6d31fa6bf1> ESTABLISH SSM CONNECTION TO: i-0c208bc6d31fa6bf1
<i-0c208bc6d31fa6bf1> SSM COMMAND: ['/usr/local/bin/session-manager-plugin', '{"SessionId": "bruce.edge@xxx.com-0d95f1030d63fa155", "TokenValue": "......Gsoj8bEu3d9s=", "StreamUrl": "wss://ssmmessages.eu-central-1.amazonaws.com/v1/data-channel/bruce.edge@xxx.com-0d95f1030d63fa155?role=publish_subscribe", "ResponseMetadata": {"RequestId": "8d20fbe9-d3d2-44e7-a832-a1d4d86861a9", "HTTPStatusCode": 200, "HTTPHeaders": {"server": "Server", "date": "Wed, 11 Aug 2021 00:43:13 GMT", "content-type": "application/x-amz-json-1.1", "content-length": "651", "connection": "keep-alive", "x-amzn-requestid": "8d20fbe9-d3d2-44e7-a832-a1d4d86861a9"}, "RetryAttempts": 0}}', 'eu-central-1', 'StartSession', '', '{"Target": "i-0c208bc6d31fa6bf1"}', 'https://ssm.eu-central-1.amazonaws.com']
<i-0c208bc6d31fa6bf1> SSM CONNECTION ID: bruce.edge@xxx.com-0d95f1030d63fa155
<i-0c208bc6d31fa6bf1> EXEC echo ~
<i-0c208bc6d31fa6bf1> _wrap_command: 'echo QTPJHrIizAXitS...

My SSM is set up correctly for other functions. I am able to ssh over ssm and run remote playbooks over ssm, just not using the ansible_connection: aws_ssm connection mechanism.
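Posted on 2022-01-20 14:48:49

Do not disable KMS encryption, because some SSM services will not work without it.

The correct solution is to go to Key Management Service (KMS), select Customer managed keys, and select the key that is in use.

There, you can add the role used by the EC2 instance as a user of that key.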
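
An offline check for the key-policy fix described in the answer above, added here as an example and not part of the original answer: it reads a KMS key policy document and reports whether the EC2 instance role is granted kms:Decrypt on the Session Manager key. The ARNs and policy statements are constructed placeholders, and the evaluation is simplified (no Condition, NotAction, NotPrincipal or IAM identity policies).

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants_decrypt(actions):
    # Literal and common wildcard forms only; other patterns are not expanded.
    return any(a.lower() in ("*", "kms:*", "kms:decrypt") for a in _as_list(actions))

def diagnose(key_arn, session_region, key_policy_json, role_arn):
    """Map the causes named in the AccessDeniedException to one verdict."""
    if key_arn.split(":")[3] != session_region:
        return "wrong-region"          # "does not exist in this region"
    account_root = "arn:aws:iam::%s:root" % role_arn.split(":")[4]
    verdict = "not-granted"            # "you are not allowed to access"
    for stmt in _as_list(json.loads(key_policy_json)["Statement"]):
        if not _grants_decrypt(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        named = role_arn in aws or "*" in aws
        if stmt["Effect"] == "Deny" and named:
            return "explicit-deny"     # a Deny overrides any Allow
        if stmt["Effect"] == "Allow" and named:
            verdict = "allowed"
        elif stmt["Effect"] == "Allow" and account_root in aws and verdict != "allowed":
            verdict = "check-iam"      # key policy delegates to the role's IAM policies
    return verdict

# Constructed sample data: account id, key id and role name are placeholders.
ROLE = "arn:aws:iam::111122223333:role/example-ec2-ssm-role"
KEY = "arn:aws:kms:eu-central-1:111122223333:key/EXAMPLE-KEY-ID"
ROOT_STMT = {"Effect": "Allow", "Action": "kms:*", "Resource": "*",
             "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}
ADMIN_ONLY = {"Effect": "Allow", "Action": "kms:*", "Resource": "*",
              "Principal": {"AWS": "arn:aws:iam::111122223333:user/example-admin"}}
KEY_USER_STMT = {"Effect": "Allow", "Resource": "*", "Principal": {"AWS": [ROLE]},
                 "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"]}

def policy(*statements):
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)})

if __name__ == "__main__":
    print(diagnose(KEY, "eu-central-1", policy(ADMIN_ONLY), ROLE))
    print(diagnose(KEY, "eu-central-1", policy(ROOT_STMT), ROLE))
    print(diagnose(KEY, "eu-central-1", policy(ROOT_STMT, KEY_USER_STMT), ROLE))
    print(diagnose(KEY.replace("eu-central-1", "us-east-1"), "eu-central-1", policy(ROOT_STMT), ROLE))
```

On a real account the policy text can be fetched with `aws kms get-key-policy --key-id <key> --policy-name default --output text` and passed in as `key_policy_json`.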

Posted on 2021-08-11 01:30:53

Disabling KMS encryption in the SSM configuration fixed the problem:
(AWS console -> Systems Manager -> Session Manager -> Preferences tab)

Also... I had to reconfigure dash so that it is not the default shell:

    sudo dpkg-reconfigure dash

Or, for the ansible fans:

    # See "/var/cache/debconf/config.dat" for name of config item after changing manually
    - name: aws-ssm ansible plugin fails if dash is the default shell
      ansible.builtin.debconf:
        name: dash/sh
        question: dash/sh
        value: false
        vtype: boolean

https://stackoverflow.com/questions/68734815