Understanding EC2 credentials when provisioning server


I'm using Ansible to provision EC2 servers. Here's what I've got so far:

- name: Launch instances
  local_action:
    module: ec2
    key_name: my-key
    aws_access_key: ***
    aws_secret_key: ***
    region: us-west-1
    group: management
    instance_type: m1.small
    image: ami-8635a9b6
    count: 2
    wait: yes
  register: ec2

But I am not authenticating:

You are not authorized to perform this operation.

I imagine it's because I don't fully comprehend how the credentials work. I can see in the EC2 console that my-key is the key name for the instance I'm running in (the Ansible server), and I know the access_key and secret_key are correct.

I think this is more my not understanding the key_name/keypair and how it works/how to install it, rather than anything related directly to ansible.


Or perhaps this has more to do with the user. I'm running the script as root.


Here is the log:

TASK: [Launch instances] ******************************************************
<127.0.0.1> REMOTE_MODULE ec2 image=ami-8635a9b6 ec2_secret_key=*** ec2_access_key=*** instance_type=m1.small region=us-west-1 key_name=ca-management group=management
<127.0.0.1> EXEC ['/bin/sh', '-c', 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1417702041.0-138277713680589 && echo $HOME/.ansible/tmp/ansible-tmp-1417702041.0-138277713680589']
<127.0.0.1> PUT /tmp/tmpFgUh1O TO /root/.ansible/tmp/ansible-tmp-1417702041.0-138277713680589/ec2
<127.0.0.1> EXEC ['/bin/sh', '-c', u'LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /root/.ansible/tmp/ansible-tmp-1417702041.0-138277713680589/ec2; rm -rf /root/.ansible/tmp/ansible-tmp-1417702041.0-138277713680589/ >/dev/null 2>&1']
failed: [127.0.0.1 -> 127.0.0.1] => {"failed": true, "parsed": false}
Traceback (most recent call last):
  File "/root/.ansible/tmp/ansible-tmp-1417702041.0-138277713680589/ec2", line 2959, in <module>
    main()
  File "/root/.ansible/tmp/ansible-tmp-1417702041.0-138277713680589/ec2", line 1191, in main
    (instance_dict_array, new_instance_ids, changed) = create_instances(module, ec2)
  File "/root/.ansible/tmp/ansible-tmp-1417702041.0-138277713680589/ec2", line 761, in create_instances
    grp_details = ec2.get_all_security_groups()
  File "/usr/lib/python2.6/site-packages/boto/ec2/connection.py", line 2969, in get_all_security_groups
    [('item', SecurityGroup)], verb='POST')
  File "/usr/lib/python2.6/site-packages/boto/connection.py", line 1182, in get_list
    raise self.ResponseError(response.status, response.reason, body)
boto.exception.EC2ResponseError: EC2ResponseError: 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>UnauthorizedOperation</Code><Message>You are not authorized to perform this operation.</Message></Error></Errors><RequestID>f3b9044b-9f41-44dd-9d5e-b7b13215c14a</RequestID></Response>


FATAL: all hosts have already failed -- aborting

Embarrassingly, it turned out IT gave me the wrong user. Switched to the correct user with permissions and voila, it worked. Keeping the question for the useful answers below.
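The traceback and the XML body in the log above already say which kind of failure this was: the request was signed and accepted, and only the action was refused. As an added example (not from the question, Ansible or boto), this Python script pulls the EC2 error code, message and request ID out of the module output, names the boto call that failed and the API action it maps to, and turns that into a triage hint that separates "wrong keys" from "right keys, missing IAM permission". The triage table and the boto-to-action map are assumptions; the sample output is a constructed excerpt of the log quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of the module output quoted in the question: the last
# frames of the traceback plus the 403 response body.
SAMPLE_OUTPUT = """\
  File "/root/.ansible/tmp/ansible-tmp-1417702041.0-138277713680589/ec2", line 761, in create_instances
    grp_details = ec2.get_all_security_groups()
boto.exception.EC2ResponseError: EC2ResponseError: 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>UnauthorizedOperation</Code><Message>You are not authorized to perform this operation.</Message></Error></Errors><RequestID>f3b9044b-9f41-44dd-9d5e-b7b13215c14a</RequestID></Response>
"""

# EC2 API error codes and what each one says about the identity in use
# (assumed triage table, not part of boto or Ansible).
TRIAGE = {
    "AuthFailure": "credentials rejected: access key / secret key wrong, inactive or from another account",
    "UnauthorizedOperation": "credentials accepted, but the IAM identity lacks permission for this action",
    "RequestExpired": "signature timestamp too old: check the clock on the Ansible host",
    "InvalidKeyPair.NotFound": "call authorized; key_name is not a key pair in this region",
}

# boto EC2Connection methods used on the ec2 module's launch path and the
# API action each one signs (assumed mapping).
BOTO_TO_ACTION = {
    "get_all_security_groups": "ec2:DescribeSecurityGroups",
    "run_instances": "ec2:RunInstances",
    "get_all_instances": "ec2:DescribeInstances",
}


def extract_response_xml(output):
    """Return the <Response>...</Response> document embedded in the output, or None."""
    match = re.search(r"<Response>.*?</Response>", output, re.S)
    return match.group(0) if match else None


def parse_ec2_error(xml_text):
    """Pull code, message and request ID out of an EC2 error response."""
    root = ET.fromstring(xml_text)
    error = root.find("Errors/Error")
    return {
        "code": error.findtext("Code") if error is not None else None,
        "message": error.findtext("Message") if error is not None else None,
        "request_id": root.findtext("RequestID"),
    }


def failing_boto_call(output):
    """Name of the last boto connection method called in the traceback, if any."""
    calls = re.findall(r"\bec2\.(\w+)\(", output)
    return calls[-1] if calls else None


def triage(output):
    """Combine the parsed error with the failing call into one diagnosis."""
    xml_text = extract_response_xml(output)
    if xml_text is None:
        return {"code": None, "hint": "no EC2 XML error body in output"}
    info = parse_ec2_error(xml_text)
    call = failing_boto_call(output)
    info["boto_call"] = call
    info["api_action"] = BOTO_TO_ACTION.get(call)
    info["hint"] = TRIAGE.get(info["code"], "unlisted code: see the EC2 API error reference")
    return info


if __name__ == "__main__":
    for key, value in triage(SAMPLE_OUTPUT).items():
        print(f"{key:12}: {value}")
```

The request ID is worth keeping with the ticket: it is what AWS support and CloudTrail correlate on, and an UnauthorizedOperation entry in CloudTrail for that ID shows exactly which IAM principal made the call.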


There are 2 answers

300D7309EF17 (accepted answer)
  local_action:
    module: ec2
    ec2_access_key: ***
    ec2_secret_key: ***

This varies from what the documentation says. Here are the proper key names.

  local_action:
    module: ec2
    aws_access_key: ***
    aws_secret_key: ***
slayedbylucifer

The error "You are not authorized to perform this operation." is a result of the access/privileges you have been assigned in AWS IAM. I am not sure about the Ansible part; however, check what permission/policy is allowed/denied on your username in your AWS account.

Also, you can try launching an instance from the AWS console, and you will receive a similar error there as well.
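The advice above, to check which actions the IAM user's policy allows or denies, can be rehearsed offline against the actions the launch task needs. As an added example (not the answer's code and not an AWS tool), this Python block does a simplified IAM evaluation of an identity policy: an explicit Deny wins, a matching Allow permits, and anything unmatched is implicitly denied; Resource and Condition elements are ignored. The required-action list (DescribeSecurityGroups, which the traceback shows is called first; RunInstances; and DescribeInstances for `wait: yes`) and both sample policies are assumptions constructed for the example, not taken from the question's account.

```python
import fnmatch

# Assumed set of EC2 actions the launch task exercises: the traceback shows
# DescribeSecurityGroups is called before the launch, RunInstances does the
# launch, and `wait: yes` polls DescribeInstances until the instances run.
LAUNCH_ACTIONS = ["ec2:DescribeSecurityGroups", "ec2:RunInstances", "ec2:DescribeInstances"]

# Constructed policies. READ_ONLY_POLICY is what a user handed out "for
# looking around" typically gets; LAUNCH_POLICY is the least-privilege
# grant for this task.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}],
}
LAUNCH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:DescribeSecurityGroups", "ec2:DescribeInstances", "ec2:RunInstances"],
        "Resource": "*",
    }],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/NotAction; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def evaluate(policy, action):
    """Simplified single-policy evaluation: 'deny', 'allow' or 'implicit_deny'."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if "Action" in stmt:
            hit = _matches(action, _as_list(stmt["Action"]))
        else:
            # NotAction: the statement applies to every action NOT listed.
            hit = not _matches(action, _as_list(stmt["NotAction"]))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # an explicit deny always wins
        decision = "allow"
    return decision


def missing_actions(policy, required=LAUNCH_ACTIONS):
    """Actions the task needs that this policy does not allow."""
    return [a for a in required if evaluate(policy, a) != "allow"]


if __name__ == "__main__":
    for name, policy in [("read-only", READ_ONLY_POLICY), ("launch", LAUNCH_POLICY)]:
        print(f"{name}: missing {missing_actions(policy) or 'nothing'}")
```

In the real account the same question is answered by the IAM policy simulator or by reading the user's attached and group policies; the point of the offline check is that a user with only `ec2:Describe*` will pass the first call in the traceback and still fail at RunInstances, so "DescribeSecurityGroups works" is not evidence that the launch will.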