mtyson

Reputation: 8580

Ansible EC2 - Adding tag fails

Here's my Ansible config. Creating the instances succeeds, while creating the tag fails with not-authorized.

- name: Launch instances
  local_action:
    module: ec2
    key_pair: ***
    aws_access_key: ***
    aws_secret_key: ***
    region: us-west-1
    group: management
    instance_type: t2.micro
    image: ami-4b6f650e
    count: 1
    wait: yes
  register: cass_ec2

- name: Add tag to instances
  local_action: ec2_tag resource={{ item.id }} region=us-west-1 state=present
  with_items: cass_ec2.instances
  args:
    tags:
      Name: cass

Here's the verbose log output (you'll notice there are some extra debugging tasks in there):

PLAY [Create EC2 instances] ***************************************************

GATHERING FACTS ***************************************************************
<127.0.0.1> REMOTE_MODULE setup
<127.0.0.1> EXEC ['/bin/sh', '-c', 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1417758893.04-222173823538476 && echo $HOME/.ansible/tmp/ansible-tmp-1417758893.04-222173823538476']
<127.0.0.1> PUT /tmp/tmpmCO5CM TO /root/.ansible/tmp/ansible-tmp-1417758893.04-222173823538476/setup
<127.0.0.1> EXEC ['/bin/sh', '-c', u'LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /root/.ansible/tmp/ansible-tmp-1417758893.04-222173823538476/setup; rm -rf /root/.ansible/tmp/ansible-tmp-1417758893.04-222173823538476/ >/dev/null 2>&1']
ok: [127.0.0.1]

TASK: [Launch instances] ******************************************************
<127.0.0.1> REMOTE_MODULE ec2 image=ami-4b6f650e instance_type=t2.micro region=us-west-1 key_name=*** group=management aws_access_key=*** aws_secret_key=***
<127.0.0.1> EXEC ['/bin/sh', '-c', 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1417758893.15-226452098628285 && echo $HOME/.ansible/tmp/ansible-tmp-1417758893.15-226452098628285']
<127.0.0.1> PUT /tmp/tmpkrya1K TO /root/.ansible/tmp/ansible-tmp-1417758893.15-226452098628285/ec2
<127.0.0.1> EXEC ['/bin/sh', '-c', u'LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /root/.ansible/tmp/ansible-tmp-1417758893.15-226452098628285/ec2; rm -rf /root/.ansible/tmp/ansible-tmp-1417758893.15-226452098628285/ >/dev/null 2>&1']
changed: [127.0.0.1 -> 127.0.0.1] => {"changed": true, "instance_ids": ["i-fdacfe37"], "instances": [{"ami_launch_index": "0", "architecture": "x86_64", "dns_name": "***", "ebs_optimized": false, "hypervisor": "xen", "id": "i-fdacfe37", "image_id": "ami-4b6f650e", "instance_type": "t2.micro", "kernel": null, "key_name": "***", "launch_time": "2014-12-05T05:54:53.000Z", "placement": "us-west-1c", "private_dns_name": "***", "private_ip": "172.31.5.168", "public_dns_name": "***", "public_ip": "***", "ramdisk": null, "region": "us-west-1", "root_device_name": "/dev/xvda", "root_device_type": "ebs", "state": "running", "state_code": 16, "virtualization_type": "hvm"}], "tagged_instances": []}

TASK: [debug var=cass_ec2] ****************************************************
ok: [127.0.0.1] => {
    "cass_ec2": {
        "changed": true,
        "instance_ids": [
            "i-fdacfe37"
        ],
        "instances": [
            {
                "ami_launch_index": "0",
                "architecture": "x86_64",
                "dns_name": "***",
                "ebs_optimized": false,
                "hypervisor": "xen",
                "id": "i-fdacfe37",
                "image_id": "ami-4b6f650e",
                "instance_type": "t2.micro",
                "kernel": null,
                "key_name": "***",
                "launch_time": "2014-12-05T05:54:53.000Z",
                "placement": "us-west-1c",
                "private_dns_name": "***",
                "private_ip": "****",
                "public_dns_name": "***",
                "public_ip": "***",
                "ramdisk": null,
                "region": "us-west-1",
                "root_device_name": "/dev/xvda",
                "root_device_type": "ebs",
                "state": "running",
                "state_code": 16,
                "virtualization_type": "hvm"
            }
        ],
        "invocation": {
            "module_args": "",
            "module_name": "ec2"
        },
        "tagged_instances": []
    }
}

TASK: [debug var=item] ********************************************************
ok: [127.0.0.1] => (item=i-fdacfe37) => {
    "item": "i-fdacfe37"
}

TASK: [output the IPs] ********************************************************
ok: [127.0.0.1] => (item={u'ramdisk': None, u'kernel': None, u'root_device_type': u'ebs', u'private_dns_name': u'***', u'key_name': u'***', u'public_ip': u'***', u'image_id': u'ami-4b6f650e', u'private_ip': u'***', u'public_dns_name': u'***', u'state_code': 16, u'id': u'i-fdacfe37', u'placement': u'us-west-1c', u'ami_launch_index': u'0', u'dns_name': u'***', u'region': u'us-west-1', u'ebs_optimized': False, u'launch_time': u'2014-12-05T05:54:53.000Z', u'instance_type': u't2.micro', u'state': u'running', u'root_device_name': u'/dev/xvda', u'hypervisor': u'xen', u'virtualization_type': u'hvm', u'architecture': u'x86_64'}) => {
    "item": {
        "ami_launch_index": "0",
        "architecture": "x86_64",
        "dns_name": "***",
        "ebs_optimized": false,
        "hypervisor": "xen",
        "id": "i-fdacfe37",
        "image_id": "ami-4b6f650e",
        "instance_type": "t2.micro",
        "kernel": null,
        "key_name": "***",
        "launch_time": "2014-12-05T05:54:53.000Z",
        "placement": "us-west-1c",
        "private_dns_name": "***",
        "private_ip": "***",
        "public_dns_name": "***",
        "public_ip": "***",
        "ramdisk": null,
        "region": "us-west-1",
        "root_device_name": "/dev/xvda",
        "root_device_type": "ebs",
        "state": "running",
        "state_code": 16,
        "virtualization_type": "hvm"
    },
    "msg": "Allocated IP inside the VPC is ***"
}

TASK: [Add instances to host group] *******************************************
creating host via 'add_host': hostname=***
added host to group via add_host module: cassandra-group
ok: [127.0.0.1 -> 127.0.0.1] => (item={u'ramdisk': None, u'kernel': None, u'root_device_type': u'ebs', u'private_dns_name': u'ip-172-31-5-168.us-west-1.compute.internal', u'key_name': u'***', u'public_ip': u'***', u'image_id': u'ami-4b6f650e', u'private_ip': u'****', u'public_dns_name': u'****', u'state_code': 16, u'id': u'i-fdacfe37', u'placement': u'us-west-1c', u'ami_launch_index': u'0', u'dns_name': u'***', u'region': u'us-west-1', u'ebs_optimized': False, u'launch_time': u'2014-12-05T05:54:53.000Z', u'instance_type': u't2.micro', u'state': u'running', u'root_device_name': u'/dev/xvda', u'hypervisor': u'xen', u'virtualization_type': u'hvm', u'architecture': u'x86_64'}) => {"item": {"ami_launch_index": "0", "architecture": "x86_64", "dns_name": "***", "ebs_optimized": false, "hypervisor": "xen", "id": "i-fdacfe37", "image_id": "ami-4b6f650e", "instance_type": "t2.micro", "kernel": null, "key_name": "ca-management", "launch_time": "2014-12-05T05:54:53.000Z", "placement": "us-west-1c", "private_dns_name": "***", "private_ip": "***", "public_dns_name": "***", "public_ip": "***", "ramdisk": null, "region": "us-west-1", "root_device_name": "/dev/xvda", "root_device_type": "ebs", "state": "running", "state_code": 16, "virtualization_type": "hvm"}, "new_groups": ["cassandra-group"], "new_host": "***"}

TASK: [Add tag to instances] **************************************************
<127.0.0.1> REMOTE_MODULE ec2_tag resource=i-fdacfe37 region=us-west-1 state=present
<127.0.0.1> EXEC ['/bin/sh', '-c', 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1417758914.6-211103876549611 && echo $HOME/.ansible/tmp/ansible-tmp-1417758914.6-211103876549611']
<127.0.0.1> PUT /tmp/tmpkxVlkf TO /root/.ansible/tmp/ansible-tmp-1417758914.6-211103876549611/ec2_tag
<127.0.0.1> EXEC ['/bin/sh', '-c', u'LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /root/.ansible/tmp/ansible-tmp-1417758914.6-211103876549611/ec2_tag; rm -rf /root/.ansible/tmp/ansible-tmp-1417758914.6-211103876549611/ >/dev/null 2>&1']
failed: [127.0.0.1 -> 127.0.0.1] => (item={u'ramdisk': None, u'kernel': None, u'root_device_type': u'ebs', u'private_dns_name': u'***', u'key_name': u'***', u'public_ip': u'54.67.49.10', u'image_id': u'ami-4b6f650e', u'private_ip': u'***', u'public_dns_name': u'***', u'state_code': 16, u'id': u'i-fdacfe37', u'placement': u'us-west-1c', u'ami_launch_index': u'0', u'dns_name': u'***', u'region': u'us-west-1', u'ebs_optimized': False, u'launch_time': u'2014-12-05T05:54:53.000Z', u'instance_type': u't2.micro', u'state': u'running', u'root_device_name': u'/dev/xvda', u'hypervisor': u'xen', u'virtualization_type': u'hvm', u'architecture': u'x86_64'}) => {"failed": true, "item": {"ami_launch_index": "0", "architecture": "x86_64", "dns_name": "***", "ebs_optimized": false, "hypervisor": "xen", "id": "i-fdacfe37", "image_id": "ami-4b6f650e", "instance_type": "t2.micro", "kernel": null, "key_name": "***", "launch_time": "2014-12-05T05:54:53.000Z", "placement": "us-west-1c", "private_dns_name": "***", "private_ip": "***", "public_dns_name": "e***", "public_ip": "***", "ramdisk": null, "region": "us-west-1", "root_device_name": "/dev/xvda", "root_device_type": "ebs", "state": "running", "state_code": 16, "virtualization_type": "hvm"}, "parsed": false}
Traceback (most recent call last):
  File "/root/.ansible/tmp/ansible-tmp-1417758914.6-211103876549611/ec2_tag", line 1905, in <module>
    main()
  File "/root/.ansible/tmp/ansible-tmp-1417758914.6-211103876549611/ec2_tag", line 102, in main
    gettags = ec2.get_all_tags(filters=filters)
  File "/usr/lib/python2.6/site-packages/boto/ec2/connection.py", line 4178, in get_all_tags
    [('item', Tag)], verb='POST')
  File "/usr/lib/python2.6/site-packages/boto/connection.py", line 1182, in get_list
    raise self.ResponseError(response.status, response.reason, body)
boto.exception.EC2ResponseError: EC2ResponseError: 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>UnauthorizedOperation</Code><Message>You are not authorized to perform this operation.</Message></Error></Errors><RequestID>7174c8d9-82fb-4560-9766-60ef119eaf7b</RequestID></Response>


FATAL: all hosts have already failed -- aborting

Upvotes: 0

Views: 823

Answers (2)

mtyson

Reputation: 8580

Turns out I needed to specify the access and secret keys for the tag task also:

- name: Add tag to instances
  local_action: ec2_tag resource={{ item.id }} region=us-west-1 state=present aws_access_key=*** aws_secret_key=***
  with_items: cass_ec2.instances
  args:
    tags:
      Name: cass

Either that or specify them in the env. variables.

Upvotes: 0

300D7309EF17

Reputation: 24653

API 403 errors from AWS are a strong indication of IAM role problems. In this case, you are missing CreateTags or DescribeTags. If you have those permissions, look at DeleteTags and also at the Resource and Conditions that are specified.

There are some other errors that will return a 403, but UnauthorizedOperation is the keyword in your result.

Upvotes: 1
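
The permission check suggested in the second answer can be run offline against a policy document. The following is an added example, not code from either poster or from Ansible: `audit_tag_permissions` and the sample policy are constructed for illustration, and the evaluation is simplified (one identity policy, `NotAction` ignored, any matching Deny treated as unconditional).

```python
import fnmatch
import json

# Actions named in the answer; the traceback fails in get_all_tags (DescribeTags).
REQUIRED = ["ec2:DescribeTags", "ec2:CreateTags", "ec2:DeleteTags"]

# Constructed sample policy (hypothetical): can launch and tag, cannot read tags.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:DescribeInstances"], "Resource": "*"},
  {"Effect": "Allow", "Action": "ec2:CreateTags",
   "Resource": "arn:aws:ec2:us-west-1:*:instance/*",
   "Condition": {"StringEquals": {"aws:RequestTag/Name": "cass"}}},
  {"Effect": "Deny", "Action": "ec2:DeleteTags", "Resource": "*"}
]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def audit_tag_permissions(policy, required=REQUIRED):
    """Return {action: verdict} for one identity policy (simplified evaluation)."""
    report = {}
    for action in required:
        verdict = "missing"
        for stmt in _as_list(policy["Statement"]):
            if "Action" not in stmt or not _matches(action, stmt["Action"]):
                continue
            if stmt["Effect"] == "Deny":
                verdict = "denied"  # an explicit Deny overrides any Allow
                break
            # A narrowed Resource or a Condition can still produce a 403 at call time.
            scoped = "*" not in _as_list(stmt.get("Resource", [])) or "Condition" in stmt
            if not scoped:
                verdict = "allowed"
            elif verdict == "missing":
                verdict = "allowed-if-scope-matches"
        report[action] = verdict
    return report

if __name__ == "__main__":
    for action, verdict in audit_tag_permissions(SAMPLE_POLICY).items():
        print(f"{action:18} {verdict}")
```

A `missing` or `denied` verdict for `ec2:DescribeTags` corresponds to the `UnauthorizedOperation` raised in `get_all_tags` above; `allowed-if-scope-matches` marks the statements whose Resource and Condition need a closer look.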
