I am trying to add or modify an IAM policy with the below. It ran but did not modify anything.
Any idea?
Does your AWS user ID used by the task have rights to modify IAM policies?
Walter
yes it does
OK, I tried doing it this way and it worked, but it wiped out my existing policy. Any idea how to append instead of replace?
Trying my loop, but it's only putting in one value. Any idea?
Here's an idea: Register the result, and show us the output from ansible-playbook -vv.
Based on what you said before about it replacing rather than adding to, I’m going to guess you’re only getting the last value. (?)
Yep, only the last value.
You could use an inline template to loop over the list of actions, for example:
Has this discussion gotten away from ansible and drifted into an AWS question?
Walter
Perhaps you need to query the current state of the IAM role, modify it, and re-apply it so you are adding to the existing policy?
Walter
Hi,
I got:
"msg": "Failed to decode the policy as valid JSON: Expecting value: line 1 column 1 (char 0)"
Any idea on this?
fatal: [localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "access_key": null,
            "aws_ca_bundle": null,
            "aws_config": null,
            "debug_botocore_endpoint_logs": false,
            "endpoint_url": null,
            "iam_name": "aws_test_role",
            "iam_type": "role",
            "policy_json": "Version: \"2012-10-17\"\nStatement:\n - Action: acm-pca:ListTags\n Effect: Allow\n Resource: \"*\"\n - Action: acm-pca:GetPolicy\n Effect: Allow\n Resource: \"*\"\n - Action: acm-pca:GetPolicy\n Effect: Allow\n Resource: \"*\"",
            "policy_name": "PrismaCloud-IAM-ReadOnly-Policy",
            "profile": null,
            "region": null,
            "secret_key": null,
            "session_token": null,
            "skip_duplicates": false,
            "state": "present",
            "validate_certs": true
        }
    },
    "msg": "Failed to decode the policy as valid JSON: Expecting value: line 1 column 1 (char 0)"
}
Your policy_json doesn't look like JSON.
Walter
So, you will need to use proper JSON.
Give this a try:
Tried, but it failed:
fatal: [localhost]: FAILED! => {
    "boto3_version": "1.24.27",
    "botocore_version": "1.27.27",
    "changed": false,
    "error": {
        "code": "MalformedPolicyDocument",
        "message": "Syntax errors in policy.",
        "type": "Sender"
    },
    "invocation": {
        "module_args": {
            "access_key": null,
            "aws_ca_bundle": null,
            "aws_config": null,
            "debug_botocore_endpoint_logs": false,
            "endpoint_url": null,
            "iam_name": "aws_test_role",
            "iam_type": "role",
            "policy_json": "\"Version: \"2012-10-17\"\nStatement:\n - Action: acm-pca:ListTags\n Effect: Allow\n Resource: \"*\"\n - Action: acm-pca:GetPolicy\n Effect: Allow\n Resource: \"*\"\n - Action: acm-pca:GetPolicy\n Effect: Allow\n Resource: \"*\"\n\"",
            "policy_name": "PrismaCloud-IAM-ReadOnly-Policy",
            "profile": null,
            "region": null,
            "secret_key": null,
            "session_token": null,
            "skip_duplicates": false,
            "state": "present",
            "validate_certs": true
        }
    },
    "msg": "An error occurred (MalformedPolicyDocument) when calling the PutRolePolicy operation: Syntax errors in policy.",
    "response_metadata": {
        "http_headers": {
            "connection": "close",
            "content-length": "279",
            "content-type": "text/xml",
            "date": "Mon, 13 Feb 2023 16:10:28 GMT",
            "x-amzn-requestid": "8ab06377-a416-45ea-a132-328cd03d329f"
        },
        "http_status_code": 400,
        "request_id": "8ab06377-a416-45ea-a132-328cd03d329f",
        "retry_attempts": 0
    }
}
This is not an Ansible problem. You need to read the AWS docs on specifying IAM policies and make sure your policy adheres to their format and only includes the key:value pairs they accept.
Walter
OK, this is more of an Ansible problem.
I like to put my policy changes in a vars file, so I got a policy.yaml file like this:
policy.yaml:
    acm-pca:ListTags
    acm-pca:GetPolicy
    acm-pca:GetPolicy
Ended up using the policy lookup method.
- name: test
  hosts: localhost
  vars_files:
    - policy.yml
  tasks:
    - name: Create IAM Managed Policy
      amazon.aws.iam_policy:
        iam_type: role
        iam_name: "aws_test_role"
        policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
        policy_json: "{{ policy | to_json }}"
        state: present
      policy: |
        Version: "2012-10-17"
        Statement:
        {% for action in actions %}- Action: {{ action }}
          Effect: Allow
          Resource: "*"
        {% endfor %}
But when I run the pb it says:
ERROR! variable files must contain either a dictionary of variables, or a list of dictionaries.
Got: acm-pca:ListTags acm-pca:GetPolicy acm-pca:GetPolicy (<class 'ansible.parsing.yaml.objects.AnsibleUnicode'>)
This is correct.
Your policy YAML file should read something like:
policy:
    acm-pca:ListTags
    acm-pca:GetPolicy
    acm-pca:GetPolicy
Now getting this:
fatal: [localhost]: FAILED! => {
    "msg": "The task includes an option with an undefined variable. The error was: 'actions' is undefined\n\nThe error appears to be in '/Users/t/virtualenv/ansible/update_iam_policy/update_iam3.yaml': line 7, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n tasks:\n - name: Create IAM Managed Policy\n ^ here\n"
}
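The last error comes from the template referencing `actions` while the vars file defines `policy`, and the earlier two failures came from handing the module YAML text, then a JSON-encoded string, where a JSON policy document is required. As an added example (not from the thread, and not Ansible's or the amazon.aws collection's code), this Python helper builds a valid policy document from the thread's action list, drops the duplicated action, and appends the resulting statements to an existing inline policy document instead of replacing it, which is the query/modify/re-apply approach suggested above. The existing policy document, including its s3 statement, is constructed for the example.

```python
import json

# Constructed sample input: the three actions from the thread's policy.yaml,
# including the duplicated acm-pca:GetPolicy entry.
ACTIONS = ["acm-pca:ListTags", "acm-pca:GetPolicy", "acm-pca:GetPolicy"]

# Constructed sample: an inline policy already attached to the role, standing
# in for what a "query the current state" step would return. The s3 statement
# is invented for the example and is not from the thread.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "acm-pca:ListTags", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-bucket"},
    ],
}


def build_statements(actions, resource="*"):
    """One Allow statement per distinct action, in first-seen order (the
    thread's Jinja loop would emit acm-pca:GetPolicy twice)."""
    seen = set()
    statements = []
    for action in actions:
        if action not in seen:
            seen.add(action)
            statements.append({"Effect": "Allow", "Action": action,
                               "Resource": resource})
    return statements


def merge_policy(existing, new_statements):
    """Return a new policy dict that keeps every existing statement and appends
    each new one unless an identical statement is already present, so the
    re-applied policy adds to the role instead of replacing it. IAM permits a
    single statement object instead of a list; normalise that to a list."""
    current = existing.get("Statement", [])
    merged = [current] if isinstance(current, dict) else list(current)
    for stmt in new_statements:
        if stmt not in merged:
            merged.append(stmt)
    return {"Version": existing.get("Version", "2012-10-17"), "Statement": merged}


def policy_json(policy):
    """Serialise to the JSON text the module's policy_json parameter expects
    and check it parses back as JSON before it is handed to AWS."""
    text = json.dumps(policy, indent=2)
    assert json.loads(text) == policy
    return text


if __name__ == "__main__":
    print(policy_json(merge_policy(EXISTING_POLICY, build_statements(ACTIONS))))
```

In Ansible the same document can be produced by loading `policy` as a YAML list and passing a dict built from it through `to_json`, rather than templating YAML text and serialising that string.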