Windows become fails when using aws_ssm connection #1952

Open
1 task done
PatrickV-code opened this issue Sep 21, 2023 · 1 comment
Summary

A similar issue has been reported on: ansible/ansible#67119
That is however on the main Ansible repo, while I have the feeling this is the more appropriate place.

In short, connecting to Windows-based EC2 instances using the aws_ssm connection with the become option of runas fails every job.
The job itself actually finishes, but PowerShell 5 adds additional wrapping with CLIXML information, which makes the output unreadable for Ansible.

Adding the code in the earlier mentioned issue does resolve the problem (the section that contains the CLIXML statement):

    # requires "import re" at module level
    def _post_process(self, stdout, mark_begin):
        ''' extract command status and strip unwanted lines '''

        if self.is_windows:
            # Value of $LASTEXITCODE will be the line after the mark
            trailer = stdout[stdout.rfind(mark_begin):]
            last_exit_code = trailer.splitlines()[1]
            # isdigit must be called; the bare method object is always truthy
            if last_exit_code.isdigit():
                returncode = int(last_exit_code)
            else:
                returncode = -1
            # output to keep will be before the mark
            stdout = stdout[:stdout.rfind(mark_begin)]

            # If the return code contains #CLIXML (like a progress bar) remove it
            clixml_filter = re.compile(r'#<\sCLIXML\s<Objs.*</Objs>')
            stdout = clixml_filter.sub('', stdout)

            # If it looks like JSON remove any newlines
            if stdout.startswith('{'):
                stdout = stdout.replace('\n', '')

            return (returncode, stdout)

But as the poster on that item says, not sure what kind of possible side effects this causes...

Issue Type

Bug Report

Component Name

aws_ssm connection

Ansible Version

ansible [core 2.15.4]
config file = None
configured module search path = ['/Users//.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /opt/homebrew/Cellar/ansible/8.4.0/libexec/lib/python3.11/site-packages/ansible
ansible collection location = /Users//.ansible/collections:/usr/share/ansible/collections
executable location = /opt/homebrew/bin/ansible
python version = 3.11.5 (main, Aug 24 2023, 15:09:45) [Clang 14.0.3 (clang-1403.0.22.14.1)] (/opt/homebrew/Cellar/ansible/8.4.0/libexec/bin/python)
jinja version = 3.1.2
libyaml = True

Collection Versions

# /Users/<redacted>/.ansible/collections/ansible_collections
Collection                    Version
----------------------------- -------
amazon.aws                    6.4.0
cloud.terraform               1.1.1
community.aws                 6.3.0

# /opt/homebrew/Cellar/ansible/8.4.0/libexec/lib/python3.11/site-packages/ansible_collections
Collection                    Version
----------------------------- -------
amazon.aws                    6.4.0
ansible.netcommon             5.2.0
ansible.posix                 1.5.4
ansible.utils                 2.11.0
ansible.windows               1.14.0
arista.eos                    6.1.0
awx.awx                       22.7.0
azure.azcollection            1.17.0
check_point.mgmt              5.1.1
chocolatey.chocolatey         1.5.1
cisco.aci                     2.7.0
cisco.asa                     4.0.1
cisco.dnac                    6.7.4
cisco.intersight              1.0.27
cisco.ios                     4.6.1
cisco.iosxr                   5.0.3
cisco.ise                     2.5.15
cisco.meraki                  2.16.0
cisco.mso                     2.5.0
cisco.nso                     1.0.3
cisco.nxos                    4.4.0
cisco.ucs                     1.10.0
cloud.common                  2.1.4
cloudscale_ch.cloud           2.3.1
community.aws                 6.3.0
community.azure               2.0.0
community.ciscosmb            1.0.6
community.crypto              2.15.1
community.digitalocean        1.24.0
community.dns                 2.6.1
community.docker              3.4.8
community.fortios             1.0.0
community.general             7.4.0
community.google              1.0.0
community.grafana             1.5.4
community.hashi_vault         5.0.0
community.hrobot              1.8.1
community.libvirt             1.2.0
community.mongodb             1.6.1
community.mysql               3.7.2
community.network             5.0.0
community.okd                 2.3.0
community.postgresql          2.4.3
community.proxysql            1.5.1
community.rabbitmq            1.2.3
community.routeros            2.9.0
community.sap                 1.0.0
community.sap_libs            1.4.1
community.skydive             1.0.0
community.sops                1.6.5
community.vmware              3.9.0
community.windows             1.13.0
community.zabbix              2.1.0
containers.podman             1.10.3
cyberark.conjur               1.2.0
cyberark.pas                  1.0.19
dellemc.enterprise_sonic      2.2.0
dellemc.openmanage            7.6.1
dellemc.powerflex             1.8.0
dellemc.unity                 1.7.1
f5networks.f5_modules         1.26.0
fortinet.fortimanager         2.2.1
fortinet.fortios              2.3.2
frr.frr                       2.0.2
gluster.gluster               1.0.2
google.cloud                  1.2.0
grafana.grafana               2.1.8
hetzner.hcloud                1.16.0
hpe.nimble                    1.1.4
ibm.qradar                    2.1.0
ibm.spectrum_virtualize       1.12.0
infinidat.infinibox           1.3.12
infoblox.nios_modules         1.5.0
inspur.ispim                  1.3.0
inspur.sm                     2.3.0
junipernetworks.junos         5.3.0
kubernetes.core               2.4.0
lowlydba.sqlserver            2.2.1
microsoft.ad                  1.3.0
netapp.aws                    21.7.0
netapp.azure                  21.10.0
netapp.cloudmanager           21.22.0
netapp.elementsw              21.7.0
netapp.ontap                  22.7.0
netapp.storagegrid            21.11.1
netapp.um_info                21.8.0
netapp_eseries.santricity     1.4.0
netbox.netbox                 3.14.0
ngine_io.cloudstack           2.3.0
ngine_io.exoscale             1.1.0
ngine_io.vultr                1.1.3
openstack.cloud               2.1.0
openvswitch.openvswitch       2.1.1
ovirt.ovirt                   3.1.3
purestorage.flasharray        1.21.0
purestorage.flashblade        1.13.1
purestorage.fusion            1.6.0
sensu.sensu_go                1.14.0
servicenow.servicenow         1.0.6
splunk.es                     2.1.0
t_systems_mms.icinga_director 1.33.1
telekom_mms.icinga_director   1.34.1
theforeman.foreman            3.14.0
vmware.vmware_rest            2.3.1
vultr.cloud                   1.9.0
vyos.vyos                     4.1.0
wti.remote                    1.0.5

AWS SDK versions

latest aws client installed via brew.. not using pip

Configuration

CONFIG_FILE() = None
PAGER(env: PAGER) = less

OS / Environment

Target OS version = Windows Server 2022
AWS EC2 Instance
PowerShell 5 installed on target system (default version)

Steps to Reproduce

---
- name: Windows Testing
  hosts: member_servers
  vars:
    ansible_become_user: 'svc_ansible@{{ win_domain_name }}'
    ansible_runas_password: '{{ svc_ansible_password }}'
    ansible_become_method: ansible.builtin.runas

  vars_files:
    - variables/ansible-all-vars.json

  tasks:
    - name: Run WhoAmI
      ansible.windows.win_whoami:
      become: true
      register: become_value

    - name: Debug
      ansible.builtin.debug:
        var: become_value

Expected Results

Expected result was that who am I would return the correct output.

As shown in the expected results, the task actually completes, but due to unhandled wrapping it fails.

Actual Results

fatal: [i-0239e06c7f985e040]: FAILED! => {"changed": false, "module_stderr": "", "module_stdout": "{\"changed\":false,\"invocation\":{\"module_args\":{}},\"logon_id\":13770065,\"account\":{\"domain_name\":\"<redacted\",\"sid\":\"S-1-5-21-79238050-3557252883-818722371-1104\",\"account_name\":\"svc_ansible\",\"type\":\"User\"},\"login_domain\":\"<redacted>\",\"authentication_package\":\"Kerberos\",\"logon_type\":\"Batch\",\"login_time\":\"2023-09-21T21:05:14.8836717+00:00\",\"logon_server\":\"DC02\",\"dns_domain_name\":\"<redacted>.LOCAL\",\"upn\":\"svc_ansible@<redacted>.local\",\"user_flags\":[],\"impersonation_level\":\"SecurityAnonymous\",\"token_type\":\"TokenPrimary\",\"groups\":[{\"account_name\":\"Domain Users\",\"domain_name\":\"<redacted>\",\"attributes\":[\"Mandatory\",\"Enabled by default\",\"Enabled\"],\"sid\":\"S-1-5-21-79238050-3557252883-818722371-513\",\"type\":\"Group\"},{\"account_name\":\"Everyone\",\"domain_name\":\"\",\"attributes\":[\"Mandatory\",\"Enabled by default\",\"Enabled\"],\"sid\":\"S-1-1-0\",\"type\":\"WellKnownGroup\"},{\"account_name\":\"Users\",\"domain_name\":\"BUILTIN\",\"attributes\":[\"Mandatory\",\"Enabled by default\",\"Enabled\"],\"sid\":\"S-1-5-32-545\",\"type\":\"Alias\"},{\"account_name\":\"Administrators\",\"domain_name\":\"BUILTIN\",\"attributes\":[\"Mandatory\",\"Enabled by default\",\"Enabled\",\"Owner\"],\"sid\":\"S-1-5-32-544\",\"type\":\"Alias\"},{\"account_name\":\"BATCH\",\"domain_name\":\"NTAUTHORITY\",\"attributes\":[\"Mandatory\",\"Enabled by default\",\"Enabled\"],\"sid\":\"S-1-5-3\",\"type\":\"WellKnownGroup\"},{\"account_name\":\"CONSOLE LOGON\",\"domain_name\":\"\",\"attributes\":[\"Mandatory\",\"Enabled by default\",\"Enabled\"],\"sid\":\"S-1-2-1\",\"type\":\"WellKnownGroup\"},{\"account_name\":\"Authenticated Users\",\"domain_name\":\"NT AUTHORITY\",\"attributes\":[\"Mandatory\",\"Enabled by default\",\"Enabled\"],\"sid\":\"S-1-5-11\",\"type\":\"WellKnownGroup\"},{\"account_name\":\"This 
Organization\",\"domain_name\":\"NT AUTHORITY\",\"attributes\":[\"Mandatory\",\"Enabled by default\",\"Enabled\"],\"sid\":\"S-1-5-15\",\"type\":\"WellKnownGroup\"},{\"account_name\":\"LOCAL\",\"domain_name\":\"\",\"attributes\":[\"Mandatory\",\"Enabled by default\",\"Enabled\"],\"sid\":\"S-1-2-0\",\"type\":\"WellKnownGroup\"},{\"account_name\":\"Domain Admins\",\"domain_name\":\"<redacted>\",\"attributes\":[\"Mandatory\",\"Enabled by default\",\"Enabled\"],\"sid\":\"S-1-5-21-79238050-3557252883-818722371-512\",\"type\":\"Group\"},{\"account_name\":\"Service asserted identity\",\"domain_name\":\"\",\"attributes\":[\"Mandatory\",\"Enabled by default\",\"Enabled\"],\"sid\":\"S-1-18-2\",\"type\":\"WellKnownGroup\"},{\"account_name\":\"Denied RODC Password Replication Group\",\"domain_name\":\"<redacted>\",\"attributes\":[\"Mandatory\",\"Enabled by default\",\"Enabled\",\"Resource\"],\"sid\":\"S-1-5-21-79238050-3557252883-818722371-572\",\"type\":\"Alias\"},{\"account_name\":\"High Mandatory Level\",\"domain_name\":\"Mandatory Label\",\"attributes\":[\"Integrity\",\"Integrity enabled\"],\"sid\":\"S-1-16-12288\",\"type\":\"Label\"}],\"rights\":[\"SeNetworkLogonRight\",\"SeInteractiveLogonRight\",\"SeBatchLogonRight\",\"SeRemoteInteractiveLogonRight\"],\"label\":{\"domain_name\":\"Mandatory Label\",\"sid\":\"S-1-16-12288\",\"account_name\":\"High Mandatory 
Level\",\"type\":\"Label\"},\"privileges\":{\"SeChangeNotifyPrivilege\":\"enabled-by-default\",\"SeRemoteShutdownPrivilege\":\"disabled\",\"SeBackupPrivilege\":\"disabled\",\"SeLoadDriverPrivilege\":\"disabled\",\"SeSystemProfilePrivilege\":\"disabled\",\"SeShutdownPrivilege\":\"disabled\",\"SeCreatePagefilePrivilege\":\"disabled\",\"SeSystemEnvironmentPrivilege\":\"disabled\",\"SeSystemtimePrivilege\":\"disabled\",\"SeSecurityPrivilege\":\"disabled\",\"SeDelegateSessionUserImpersonatePrivilege\":\"disabled\",\"SeIncreaseWorkingSetPrivilege\":\"disabled\",\"SeTakeOwnershipPrivilege\":\"disabled\",\"SeIncreaseQuotaPrivilege\":\"disabled\",\"SeCreateGlobalPrivilege\":\"enabled-by-default\",\"SeCreateSymbolicLinkPrivilege\":\"disabled\",\"SeRestorePrivilege\":\"disabled\",\"SeUndockPrivilege\":\"disabled\",\"SeImpersonatePrivilege\":\"enabled-by-default\",\"SeProfileSingleProcessPrivilege\":\"disabled\",\"SeDebugPrivilege\":\"enabled\",\"SeIncreaseBasePriorityPrivilege\":\"disabled\",\"SeManageVolumePrivilege\":\"disabled\",\"SeTimeZonePrivilege\":\"disabled\"}}#< CLIXML<Objs Version=\"1.1.0.1\" xmlns=\"http://schemas.microsoft.com/powershell/2004/04\"><Obj S=\"progress\" RefId=\"0\"><TN RefId=\"0\"><T>System.Management.Automation.PSCustomObject</T><T>System.Object</T></TN><MS><I64 N=\"SourceId\">1</I64><PR N=\"Record\"><AV>Preparing modules for first use.</AV><AI>0</AI><Nil /><PI>-1</PI><PC>-1</PC><T>Completed</T><SR>-1</SR><SD> </SD></PR></MS></Obj><Obj S=\"progress\" RefId=\"1\"><TNRef RefId=\"0\" /><MS><I64 N=\"SourceId\">2</I64><PR N=\"Record\"><AV>Preparing modules for first use.</AV><AI>0</AI><Nil /><PI>-1</PI><PC>-1</PC><T>Completed</T><SR>-1</SR><SD> </SD></PR></MS></Obj></Objs>", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 0}

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
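An added example (not code from the issue or from the community.aws collection) that runs the posted CLIXML filter over constructed stdout samples to show where it matches and where it leaves the wrapper in place. `TOLERANT`, `strip_clixml`, the shortened XML and the sample separators are assumptions made for illustration.

```python
import json
import re

# Pattern exactly as posted in the issue.
POSTED = re.compile(r'#<\sCLIXML\s<Objs.*</Objs>')
# Assumed hardened variant (hypothetical, not the collection's code):
# any whitespace around the marker, XML may span lines, non-greedy match.
TOLERANT = re.compile(r'#<\s*CLIXML\s*<Objs\b.*?</Objs>', re.DOTALL)

# Constructed CLIXML progress record, shortened from the shape in the report.
XML = ('<Objs Version="1.1.0.1"><Obj S="progress" RefId="0">'
       '<AV>Preparing modules for first use.</AV></Obj></Objs>')
MODULE_JSON = '{"changed": false, "rc": 0}'


def strip_clixml(stdout, pattern):
    """Remove CLIXML blocks, then parse what is left as module JSON.

    Returns the parsed dict, or None when the remainder is not valid JSON
    (the condition Ansible reports as MODULE FAILURE)."""
    cleaned = pattern.sub('', stdout).strip()
    try:
        return json.loads(cleaned)
    except ValueError:
        return None


# Constructed stdout variants; the separators are assumptions for illustration.
SAMPLES = {
    'lf': MODULE_JSON + '#< CLIXML\n' + XML,
    'crlf': MODULE_JSON + '#< CLIXML\r\n' + XML,
    'no_separator': MODULE_JSON + '#< CLIXML' + XML,
    'multiline_xml': MODULE_JSON + '#< CLIXML\n' + XML.replace('><', '>\n<'),
}


def compare():
    """Map each sample name to (posted_ok, tolerant_ok)."""
    return {name: (strip_clixml(text, POSTED) is not None,
                   strip_clixml(text, TOLERANT) is not None)
            for name, text in SAMPLES.items()}


def greedy_side_effect():
    """Two CLIXML blocks on one line with real output between them."""
    text = '#< CLIXML ' + XML + 'KEEP-ME' + '#< CLIXML ' + XML
    # The greedy ".*" runs to the last </Objs> and swallows KEEP-ME.
    return POSTED.sub('', text), TOLERANT.sub('', text)


if __name__ == '__main__':
    for name, result in compare().items():
        print(name, result)
    print(greedy_side_effect())
```
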
GomathiselviS added the jira label Nov 11, 2024
softwarefactory-project-zuul bot pushed a commit that referenced this issue Jan 24, 2025
SUMMARY

This PR adds the code suggested by @PatrickV-code on #1952


In short, connecting to Windows-based EC2 instances using the aws_ssm connection with the become option of runas fails every job.
The job itself actually finishes, but PowerShell 5 adds additional wrapping with CLIXML information, which makes the output unreadable for Ansible.

ISSUE TYPE


Bugfix Pull Request

COMPONENT NAME

aws_ssm

Reviewed-by: Markus Bergholz <git@osuv.de>
Reviewed-by: Alina Buzachis
Reviewed-by: Bikouo Aubin
patchback bot pushed a commit that referenced this issue Jan 24, 2025
(cherry picked from commit 044b8d8)
softwarefactory-project-zuul bot pushed a commit that referenced this issue Jan 27, 2025
This is a backport of PR #2080 as merged into main (044b8d8).
abikouo commented Feb 14, 2025

@PatrickV-code I am not sure if I missed something, but I have created a new user and added it to the administrators group to allow the default SSM user ssm-user to log in with

New-LocalUser -Name ansible   # will prompt for password
Get-LocalGroupMember -Group "Administrators"

Then I ran the following playbook

- name: Copy and Run script into SSM
  hosts: aws_ssm
  gather_facts: false

  vars:
    ansible_become_method: ansible.builtin.runas
    ansible_become_user: ansible
    ansible_runas_password: <redacted>

  tasks:
    - name: Run WhoAmI
      ansible.windows.win_command:
        cmd: whoami
      become: true
      register: become_value

    - name: Debug
      ansible.builtin.debug:
        var: become_value

with the following inventory file

[aws_ssm_linux]

[aws_ssm_windows]
windows_i-02e5736e0485c64ac ansible_aws_ssm_instance_id=i-02e5736e0485c64ac ansible_aws_ssm_region=eu-west-2

[aws_ssm_linux:vars]
remote_tmp=/tmp/ansible-remote
action_prefix=ansible.builtin.

[aws_ssm_windows:vars]
ansible_shell_type=powershell
remote_tmp=c:/windows/temp/ansible-remote
action_prefix=ansible.windows.win_

[aws_ssm:children]
aws_ssm_linux
aws_ssm_windows

[aws_ssm:vars]
ansible_connection=community.aws.aws_ssm
ansible_aws_ssm_plugin=/usr/local/sessionmanagerplugin/bin/session-manager-plugin
ansible_python_interpreter=/usr/bin/python3
local_tmp=/tmp/ansible-local-aa0484bcd96a
ansible_aws_ssm_bucket_name=cf-templates-m0nzeh7sv334-us-west-2

# support tests that target testhost
[testhost:children]
aws_ssm

The output is as expected

TASK [Run WhoAmI] **************************************************************************************************************************************************************************************************************************
changed: [windows_i-02e5736e0485c64ac] => {"changed": true, "cmd": "whoami", "delta": "0:00:00.190095", "end": "2025-02-14 14:23:21.505251", "rc": 0, "start": "2025-02-14 14:23:21.315156", "stderr": "", "stderr_lines": [], "stdout": "ec2amaz-c9uoldn\\ansible\r\n", "stdout_lines": ["ec2amaz-c9uoldn\\ansible"]}

TASK [Debug] *******************************************************************************************************************************************************************************************************************************
ok: [windows_i-02e5736e0485c64ac] => {
    "become_value": {
        "changed": true,
        "cmd": "whoami",
        "delta": "0:00:00.190095",
        "end": "2025-02-14 14:23:21.505251",
        "failed": false,
        "rc": 0,
        "start": "2025-02-14 14:23:21.315156",
        "stderr": "",
        "stderr_lines": [],
        "stdout": "ec2amaz-c9uoldn\\ansible\r\n",
        "stdout_lines": [
            "ec2amaz-c9uoldn\\ansible"
        ]
    }
}

PLAY RECAP *********************************************************************************************************************************************************************************************************************************
windows_i-02e5736e0485c64ac : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

My EC2 instance is running on Windows server 2022 and I am running with the main branch of the collection
