AWS IAM role and policy assume_role_policy_document not parsing json

Hi,

I've been struggling to get IAM policy and IAM role working properly.
These are the two modules with the issues:

http://docs.ansible.com/ansible/iam_policy_module.html

http://docs.ansible.com/ansible/iam_role_module.html#examples

IAM_ROLE is where the issue happens:
Creating an IAM_policy works, and it accepts a policy_json file with no issues.
The next step is to create an IAM_role, associate that policy with the role, and add a "Trust relationship", as AWS calls it. This is passed as a small JSON file but fails at assume_role_policy_document:
The JSON is very simple:
{"Version": "2008-10-17","Statement": [{"Effect": "Allow","Principal": {"Service": "ec2.amazonaws.com"},"Action": "sts:AssumeRole"}]}

Task config:

  - name: Create IAM Role with policy
    iam_role:
      name: "iamrole-{{ aws_deploy_stage }}-{{ aws_deployment_tag }}"
      state: present
      assume_role_policy_document: "{{ lookup('file'.'…/templates/role-trust-policy-document.json) }}"
      managed_policy:
        - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
        - arn:aws:iam::aws:policy/AWSXrayFullAccess
        - "policy-{{ aws_deploy_stage }}-{{ aws_deployment_name }}"

fatal: [localhost]: FAILED! => {
    "failed": true,
    "msg": "template error while templating string: expected name or number. String: {{ lookup('file'.'…/templates/role-trust-policy-document.json')|to_json }}"
}

If I just pass a string in double quotes "", I managed to make the module pass this to AWS, and it expects JSON:

"msg": "An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: This policy contains invalid Json",
"response_metadata": {
    "http_headers": {
        "connection": "close",
        "content-length": "288",
        "content-type": "text/xml",
        "date": "Wed, 28 Jun 2017 09:12:50 GMT",
        "x-amzn-requestid": "f61bb6b4-5be1-11e7-9679-d5c1bf3ed860"
    },
    "http_status_code": 400,
    "request_id": "f61bb6b4-5be1-11e7-9679-d5c1bf3ed860",
    "retry_attempts": 0
}

After spending quite some time googling and reading GitHub issues, there are a lot of related issues, both closed and open, but none accurately tell where the issue is.
It looks like an open PR tries to solve the great issue: https://github.com/ansible/ansible/pull/22097
Another, but old: https://github.com/ansible/ansible-modules-core/issues/2688

I hope someone else encounters this issue. Any feedback welcome.
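
A local pre-flight check for the trust policy file from the post, added here as an example (it is not code from the iam_role module or from the original poster): it parses the document with a strict JSON parser and reports structural problems before anything is sent to CreateRole. The function name `check_trust_policy` and the sample inputs are constructed for illustration, and the structural checks are only a small subset of what IAM enforces.

```python
import json

# Trust policy from the post, retyped with plain ASCII double quotes.
TRUST_POLICY = (
    '{"Version": "2008-10-17", "Statement": [{"Effect": "Allow", '
    '"Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}'
)


def check_trust_policy(text):
    """Return (compact_json, problems); compact_json is None if text is unusable."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, ["not valid JSON at line %d column %d: %s"
                      % (exc.lineno, exc.colno, exc.msg)]
    if not isinstance(doc, dict):
        return None, ["top level must be a JSON object"]
    statements = doc.get("Statement")
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    if not isinstance(statements, list) or not statements:
        return None, ["Statement must be a non-empty list or a single object"]
    problems = []
    for i, stmt in enumerate(statements):
        if not isinstance(stmt, dict):
            problems.append("Statement[%d] is not an object" % i)
            continue
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append("Statement[%d]: Effect must be Allow or Deny" % i)
        if "Action" not in stmt and "NotAction" not in stmt:
            problems.append("Statement[%d]: no Action" % i)
        principal = stmt.get("Principal")
        if principal is None and "NotPrincipal" not in stmt:
            problems.append("Statement[%d]: no Principal" % i)
        # Least-privilege check: an unconditioned wildcard trusts every principal.
        if (stmt.get("Effect") == "Allow" and "Condition" not in stmt
                and principal in ("*", {"AWS": "*"})):
            problems.append("Statement[%d]: wildcard Principal without Condition" % i)
    return json.dumps(doc, separators=(",", ":")), problems


if __name__ == "__main__":
    samples = {  # constructed inputs
        "ASCII double quotes": TRUST_POLICY,
        "Python dict repr": str(json.loads(TRUST_POLICY)),
        "typographic quotes": TRUST_POLICY.replace('"', "\u201c"),
    }
    for label, text in samples.items():
        print(label, "->", check_trust_policy(text)[1] or "OK")
```

The second and third samples are two common ways a valid policy stops being JSON on its way to the API: a dict rendered with Python's single-quoted repr, and quotes replaced by typographic ones in an editor or web page.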