
Reputation: 1879

Packer | Ansible | NoCredentialsError: Unable to locate credentials

I am trying to execute an Ansible script via Packer to obtain EFS facts. Within my packer.json I am passing AWS_ACCESS_KEY_ID/KEY/TOKEN. My facts.yml works fine if I execute it individually by passing -sts_assume_role in my code.

As suggested by @error404, I have added an sts_assume_role task and added the updated logs to the question.


# Get all RDS instances

- sts_assume_role:
    region: "central"
    role_arn: "arn:aws:iam::12345678919:role/jenkins"
    role_session_name: "ansible-connect"
  register: assumed_role

- name: Obtain all EFS facts
  efs_facts:
    aws_access_key: "{{ assumed_role.sts_creds.access_key }}"
    aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}"
    security_token: "{{ assumed_role.sts_creds.session_token }}"
    region: "eu-central-1"
  register: airflow_efs_facts

- debug:
    var: airflow_efs_facts.ansible_facts.efs[0].filesystem_address

My packer.json:

{
  "variables": {
    "aws_region": "eu-central-1",
    "kms_key_id": "{{env `KEY`}}",
    "aws_access_key": "{{env `AWS_ACCESS_KEY_ID`}}",
    "aws_secret_key": "{{env `AWS_SECRET_ACCESS_KEY`}}",
    "aws_session_token": "{{env `AWS_SESSION_TOKEN`}}",
    "subnet_id": "{{env `SUBNET`}}",
    "vpc_id": "{{env `VPC`}}"
  },
  "builders": [
    {
      "type": "amazon-ebs",
      "access_key": "{{user `aws_access_key`}}",
      "secret_key": "{{user `aws_secret_key`}}",
      "token": "{{user `aws_session_token`}}",
      "region": "{{user `aws_region`}}",
      "vpc_id": "{{user `vpc_id`}}",
      "subnet_id": "{{user `subnet_id`}}",

      "source_ami_filter": {
        "filters": {
          "name": "ec2-*",
          "virtualization-type": "hvm",
          "root-device-type": "ebs"
        },
        "owners": "self",
        "most_recent": true
      },
      "encrypt_boot": "true",
      "kms_key_id": "{{user `kms_key_id`}}",
      "instance_type": "t2.large",
      "ssh_username": "ec2-user",
      "ami_block_device_mappings": [
        {
          "device_name": "/dev/xvda",
          "volume_size": 20,
          "volume_type": "gp2",
          "delete_on_termination": true
        }
      ],
      "launch_block_device_mappings": [
        {
          "device_name": "/dev/xvda",
          "volume_size": 20,
          "volume_type": "gp2",
          "delete_on_termination": true
        }
      ],
      "ami_description": "Master AMI to be used to build Server",
      "ami_name": "master-{{isotime \"2006-01-02\"}}",
      "tags": {
        "Name": "master-baseline",
        "ami_version": "{{isotime \"2006-01-02\"}}",
        "ami_cis_benchmark_version": "1.0.0",
        "ami_os": "amazon"
      }
    }
  ],
  "provisioners": [
    {
      "inline": [
        "sudo yum -y install bzip2 python-pip vim wget curl mlocate unzip git  java-1.8.0-openjdk-devel java-1.8.0-openjdk jq",
        "sudo updatedb",
        "sudo pip install ansible",
        "sudo yum -y install python3 python3-pip python3-devel python3-setuptools",
        "sudo yum -y update"
      ],
      "type": "shell"
    },
    {
      "type": "ansible-local",
      "playbook_file": "ansible/plays/install.yml",
      "role_paths": [

Below is the error message:

amazon-ebs: TASK [roles/airflow-master : sts_assume_role] **********************************
amazon-ebs: An exception occurred during task execution. To see the full traceback, use -vvv. The error was: botocore.exceptions.NoCredentialsError: Unable to locate credentials
amazon-ebs: fatal: []: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n File "/home/ec2-user/.ansible/tmp/ansible-tmp-1560349713.84-28986519228608/", line 114, in \n _ansiballz_main()\n File "/home/ec2-user/.ansible/tmp/ansible-tmp-1560349713.84-28986519228608/", line 106, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File "/home/ec2-user/.ansible/tmp/ansible-tmp-1560349713.84-28986519228608/", line 49, in invoke_module\n

Upvotes: 0

Views: 1718

Answers (1)

Rickard von Essen

Reputation: 4298

Within my packer.json I am passing AWS_ACCESS_KEY_ID/KEY/TOKEN

You are just setting these as Packer user variables. This only means that Packer can access them in the template with {{user `aws_access_key`}}.

A good way to solve this is to create an EC2 Instance Profile which is authorised to access the EFS API and reference it with iam_instance_profile.

Upvotes: 0
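A pre-build check for the mismatch the answer describes, as an added example that is not part of the original question or answer: it reads a Packer template and reports an amazon-ebs builder that is given access_key/secret_key/token while provisioners run on the instance with no iam_instance_profile. The function names and the sample template are constructed for illustration, and the profile name passed to with_instance_profile is whatever instance profile you have created.

```python
import json

# Constructed sample, trimmed from the shape of the template in the question.
SAMPLE_TEMPLATE = r'''
{
  "builders": [{
    "type": "amazon-ebs",
    "access_key": "{{user `aws_access_key`}}",
    "secret_key": "{{user `aws_secret_key`}}",
    "token": "{{user `aws_session_token`}}"
  }],
  "provisioners": [
    {"type": "shell", "inline": ["sudo pip install ansible"]},
    {"type": "ansible-local", "playbook_file": "ansible/plays/install.yml"}
  ]
}
'''

# Provisioner types that execute on the build instance, not on the Packer host.
ON_INSTANCE = {"ansible-local", "shell"}
BUILDER_ONLY_KEYS = ("access_key", "secret_key", "token")


def check_template(text):
    """Report amazon-ebs builders whose AWS keys never reach the instance."""
    template = json.loads(text)
    remote = sorted({p.get("type") for p in template.get("provisioners", [])}
                    & ON_INSTANCE)
    findings = []
    for builder in template.get("builders", []):
        if builder.get("type") != "amazon-ebs":
            continue
        has_keys = any(k in builder for k in BUILDER_ONLY_KEYS)
        if remote and has_keys and not builder.get("iam_instance_profile"):
            findings.append(
                "amazon-ebs: access_key/secret_key/token authenticate Packer "
                "only; %s run on the instance, which has no "
                "iam_instance_profile" % ", ".join(remote))
    return findings


def with_instance_profile(text, profile_name):
    """Return the template with iam_instance_profile set on amazon-ebs builders."""
    template = json.loads(text)
    for builder in template.get("builders", []):
        if builder.get("type") == "amazon-ebs":
            builder["iam_instance_profile"] = profile_name
    return json.dumps(template, indent=2)
```

The role behind the instance profile needs read access to the EFS describe calls the playbook makes, and the credentials Packer itself runs with need iam:PassRole for that role. With the profile attached, the EFS task can drop its explicit aws_access_key/aws_secret_key/security_token arguments and let boto pick up the instance credentials.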
