I can’t figure out how to create an instance profile.
It’s easy enough to attach an instance profile; the ec2_lc module has an instance_profile_name parameter.
But how to create the policy and role?
There seem to be three relevant modules, iam, iam_policy and iam_role. iam_role even has a create_instance_policy parameter! But each of these seems to do only part of the job.
For example, iam_policy lets me set up a policy, but it requires a target to attach the policy to, so won’t create a standalone policy. I need a standalone policy because iam_role requires managed policies to attach to the roles it creates. iam appears to let me create a role too, but I don’t understand most of its parameters (what the heck is a path in this context?)
If anyone has a working example that they can share, I would be most grateful.
By the way, what I’m trying to do is allow an instance read/write access a specific S3 bucket. I have the role and policy details I need, I just need some way to set it up in Ansible.
Many thanks, K.
The piece you appear to be missing is iam_managed_policy.
```yaml
- hosts: localhost
  become: false
  tasks:
    - name: Create IAM policy for EC2 tagging
      # iam_managed_policy creates a standalone (customer managed) policy
      # that is not bound to any user, group or role
      iam_managed_policy:
        state: present
        policy_name: UpdateEC2_tags
        policy_description: Read and update tags for EC2 resources
        policy:
          Version: '2012-10-17'
          Statement:
            - Action: 'ec2:CreateTags'
              Effect: Allow
              Resource: '*'
            - Action: 'ec2:DescribeTags'
              Effect: Allow
              Resource: '*'
            - Action: 'ec2:DeleteTags'
              Effect: Allow
              Resource: '*'
      # the registered result exposes the new policy's ARN as policy.arn
      register: tagpolicy

    - name: Create builder role
      # iam_role also creates an instance profile of the same name
      # unless create_instance_profile is set to false
      iam_role:
        name: builder
        state: present
        # trust policy: only the EC2 service may assume this role
        assume_role_policy_document:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action: 'sts:AssumeRole'
              Principal:
                Service: ec2.amazonaws.com
        managed_policy:
          - 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
          - 'arn:aws:iam::aws:policy/AmazonSNSFullAccess'
          - 'arn:aws:iam::aws:policy/AmazonRoute53FullAccess'
          - "{{ tagpolicy.policy.arn }}"
```
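The original question asked for read/write access to one specific S3 bucket rather than the AmazonS3FullAccess policy used above. The following playbook is an added example, not part of the thread, that applies the same iam_managed_policy / iam_role pattern with a bucket-scoped policy and then attaches the resulting instance profile through ec2_lc; the bucket name, role name, region, AMI id and launch configuration name are assumed placeholders.

```yaml
# Added example: least-privilege variant of the pattern above for one S3 bucket.
- hosts: localhost
  become: false
  vars:
    bucket_name: example-app-bucket   # assumed placeholder
    role_name: app-s3-rw              # assumed placeholder
    aws_region: us-east-1             # assumed placeholder
  tasks:
    - name: Create a standalone managed policy scoped to a single bucket
      iam_managed_policy:
        state: present
        policy_name: "{{ role_name }}-policy"
        policy_description: "Read/write objects in {{ bucket_name }} only"
        policy:
          Version: '2012-10-17'
          Statement:
            # ListBucket is a bucket-level action, so it targets the bucket ARN
            - Effect: Allow
              Action: 's3:ListBucket'
              Resource: "arn:aws:s3:::{{ bucket_name }}"
            # object actions target the keys under the bucket, not the bucket itself
            - Effect: Allow
              Action:
                - 's3:GetObject'
                - 's3:PutObject'
                - 's3:DeleteObject'
              Resource: "arn:aws:s3:::{{ bucket_name }}/*"
      register: s3policy

    - name: Create the role (an instance profile of the same name is created by default)
      iam_role:
        name: "{{ role_name }}"
        state: present
        # trust policy: only the EC2 service may assume this role
        assume_role_policy_document:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action: 'sts:AssumeRole'
              Principal:
                Service: ec2.amazonaws.com
        managed_policy:
          - "{{ s3policy.policy.arn }}"
        # detach anything else so the role carries only the bucket policy
        purge_policies: true

    - name: Launch configuration that attaches the instance profile
      ec2_lc:
        region: "{{ aws_region }}"
        name: app-lc                       # assumed placeholder
        image_id: ami-0123456789abcdef0    # assumed placeholder
        instance_type: t3.micro
        instance_profile_name: "{{ role_name }}"
```

With this layout the instance can only list and read/write the one bucket, and a policy review of the role shows a single customer managed policy instead of the three AWS managed FullAccess policies.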
Thank you!
That was indeed the missing piece, and your sample code was very useful. Thank you again.
Regards, K.