This is not an ansible problem. You need to read the AWS docs on specifying IAM policies and make sure your policy adheres to their format and only includes the key:value pairs they accept.
Walter

--
Walter Rowe, Division Chief Infrastructure Services, OISM
Mobile: 202.355.4123

On Feb 13, 2023, at 1:47 PM, Tony Wong <[email protected]> wrote:

tried but it failed

fatal: [localhost]: FAILED! => {
    "boto3_version": "1.24.27",
    "botocore_version": "1.27.27",
    "changed": false,
    "error": {
        "code": "MalformedPolicyDocument",
        "message": "Syntax errors in policy.",
        "type": "Sender"
    },
    "invocation": {
        "module_args": {
            "access_key": null,
            "aws_ca_bundle": null,
            "aws_config": null,
            "debug_botocore_endpoint_logs": false,
            "endpoint_url": null,
            "iam_name": "aws_test_role",
            "iam_type": "role",
            "policy_json": "\"Version: \\\"2012-10-17\\\"\\nStatement:\\n - Action: acm-pca:ListTags\\n Effect: Allow\\n Resource: \\\"*\\\"\\n - Action: acm-pca:GetPolicy\\n Effect: Allow\\n Resource: \\\"*\\\"\\n - Action: acm-pca:GetPolicy\\n Effect: Allow\\n Resource: \\\"*\\\"\\n\"",
            "policy_name": "PrismaCloud-IAM-ReadOnly-Policy",
            "profile": null,
            "region": null,
            "secret_key": null,
            "session_token": null,
            "skip_duplicates": false,
            "state": "present",
            "validate_certs": true
        }
    },
    "msg": "An error occurred (MalformedPolicyDocument) when calling the PutRolePolicy operation: Syntax errors in policy.",
    "response_metadata": {
        "http_headers": {
            "connection": "close",
            "content-length": "279",
            "content-type": "text/xml",
            "date": "Mon, 13 Feb 2023 16:10:28 GMT",
            "x-amzn-requestid": "8ab06377-a416-45ea-a132-328cd03d329f"
        },
        "http_status_code": 400,
        "request_id": "8ab06377-a416-45ea-a132-328cd03d329f",
        "retry_attempts": 0
    }
}

On Mon, Feb 13, 2023 at 8:02 AM Dick Visser <[email protected]> wrote:

On Mon, 13 Feb 2023 at 15:55, Tony Wong <[email protected]> wrote:
> "msg": "Failed to decode the policy as valid JSON: Expecting value: line
> 1 column 1 (char 0)"

So, you will need to use proper JSON.

Give this a try:

---
- name: test
  hosts: localhost
  tasks:
    - name: Create IAM Managed Policy
      amazon.aws.iam_policy:
        iam_type: role
        iam_name: "aws_test_role"
        policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
        # The rendered block scalar below is a YAML *string*; parse it with from_yaml
        # before to_json, otherwise IAM receives a JSON-encoded string, not a policy object.
        policy_json: "{{ policy | from_yaml | to_json }}"
        state: present
      vars:
        actions:
          - acm-pca:ListTags
          - acm-pca:GetPolicy
          - acm-pca:GetPolicy
        policy: |
          Version: "2012-10-17"
          Statement:
          {% for action in actions %}
            - Action: {{ action }}
              Effect: Allow
              Resource: "*"
          {% endfor %}
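As an added illustration (not part of the thread), a small pre-flight check in Python for the two things that go wrong above: the YAML block scalar passed straight through to_json, so IAM receives a JSON-encoded string rather than an object (the MalformedPolicyDocument in Tony's output), and a document with keys the IAM grammar does not accept. It also builds the thread's read-only policy as a proper object, dropping the duplicated acm-pca:GetPolicy; the function names are mine, the key and Version sets are those of the IAM policy grammar.

```python
import json

# Key names and Version values from the IAM policy grammar, used as a pre-flight check.
TOP_LEVEL_KEYS = {"Version", "Id", "Statement"}
STATEMENT_KEYS = {"Sid", "Effect", "Principal", "NotPrincipal", "Action",
                  "NotAction", "Resource", "NotResource", "Condition"}
VALID_VERSIONS = {"2012-10-17", "2008-10-17"}


def validate_policy(doc):
    """Return a list of problems; an empty list means the document looks well-formed."""
    if isinstance(doc, str):
        # The failure in the thread: a YAML block scalar went through to_json, so IAM
        # received a JSON-encoded *string* instead of a JSON object.
        return ["policy is a string, not an object: parse the YAML/JSON first"]
    if not isinstance(doc, dict):
        return ["policy must be an object, got " + type(doc).__name__]
    problems = [f"unknown top-level key {k!r}" for k in sorted(doc.keys() - TOP_LEVEL_KEYS)]
    if doc.get("Version") not in VALID_VERSIONS:
        problems.append("Version must be 2012-10-17 (or the legacy 2008-10-17)")
    statements = doc.get("Statement")
    if isinstance(statements, dict):  # a single statement object is allowed
        statements = [statements]
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        if not isinstance(st, dict):
            problems.append(f"Statement[{i}] must be an object")
            continue
        problems += [f"Statement[{i}]: unknown key {k!r}" for k in sorted(st.keys() - STATEMENT_KEYS)]
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"Statement[{i}]: Effect must be Allow or Deny")
        if "Action" not in st and "NotAction" not in st:
            problems.append(f"Statement[{i}]: needs Action or NotAction")
        if "Resource" not in st and "NotResource" not in st:
            problems.append(f"Statement[{i}]: needs Resource or NotResource")
    return problems


def build_policy(actions):
    """The thread's read-only policy as a dict: duplicate actions (acm-pca:GetPolicy is
    listed twice) are dropped, one Allow statement per remaining action."""
    unique = list(dict.fromkeys(actions))
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": a, "Resource": "*"} for a in unique]}


def policy_json(actions):
    """What policy_json should receive: a serialised JSON object, not a quoted YAML string."""
    return json.dumps(build_policy(actions))
```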
