Updating an IAM cert

Josh_Smift1 · May 19, 2017, 5:09pm

We uploaded an IAM cert to AWS, and now need to update the certificate
(the contents). On the theory that a lost of this stuff is idempotent, I
thought this task, which we used to upload it in the first place, would
work to update it as well:

  - name: configure IAM certificates
    iam_cert:
      name: "{{ item }}"
      state: present
      cert: "{{ iam_cert[item]['certfile'] }}"
      key: "{{ iam_cert[item]['keyfile'] }}"
      cert_chain: "{{ iam_cert[item]['chainfile'] }}"
    with_items: "{{ iam_cert_names }}"

We've got a dict iam_cert in inventory, like this:

    iam_cert:
      myserver1:
        certfile: "/path/to/myserver1.crt"
        chainfile: "/path/to/myca.crt"
        keyfile: "/path/to/myserver1.key"

(and so on for myserver2 etc)

So this works fine for adding a new cert, but if we put a new cert in
/path/to/myserver.crt, it fails, saying:

failed: [localhost] (item=myserver1) => {"changed": false, "failed": true, "item": "myserver1", "msg": "A cert with the name myserver1 already exists and has a different certificate body associated with it. Certificates cannot have the same name"}

https://docs.ansible.com/ansible/iam_cert_module.html has 'new_path',
which says "When present, this will update the path of the cert with the
value passed here.", but it doesn't say what this is supposed to be -- a
Boolean? a path to the new cert file on disk? Perhaps the same sort of
thing as the 'path' option, which says "When creating or updating, specify
the desired path of the certificate", but we're not using that, we're
using 'cert', which says "The path to the certificate body in PEM encoded
format." What's "the path of the certificate", and is it different from
"the path to the certificate body"? There's only one example, and it
doesn't use either 'path' or 'new_path'.

Anyone know how this is supposed to work?

-Josh (jbs@care.com)

(apologies for the automatic corporate disclaimer that follows)

This email is intended for the person(s) to whom it is addressed and may contain information that is PRIVILEGED or CONFIDENTIAL. Any unauthorized use, distribution, copying, or disclosure by any person other than the addressee(s) is strictly prohibited. If you have received this email in error, please notify the sender immediately by return email and delete the message and any attachments from your system.

ttwalto · August 14, 2018, 3:21pm

I’m also wondering how this works. The documentation is often confusing about what exactly it means.

I’m seeing “already exists and has a different certificate body”, which I’m guessing is related to the error described here.

Topic		Replies	Views
Upload SSL Certificate to AWS (for aws_elb_lb module to use) Ansible Project aws	1	1	September 23, 2014
Utilizing win_iis_webbinding to update IIS certs Ansible Project windows	5	4	March 19, 2019
cert_file error with aws_ec2 inventory plugin Ansible Project aws	0	0	July 8, 2019
Certificate issuance and copying files across servers Ansible Project	3	2	November 1, 2016
uploading ssl certificates to aws, for use with elb Ansible Project aws	1	1	March 9, 2015

Updating an IAM cert

Related topics