OK, this is more of an Ansible problem.
I like to put my policy changes in a vars file,
so I've got a policy.yaml file like this:
policy.yaml
acm-pca:ListTags
acm-pca:GetPolicy
acm-pca:GetPolicy
---
- name: test
  hosts: localhost
  vars_files:
    - policy.yml
  tasks:
    - name: Create IAM Managed Policy
      amazon.aws.iam_policy:
        iam_type: role
        iam_name: "aws_test_role"
        policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
        policy_json: "{{ policy | to_json }}"
        state: present
        policy: |
          Version: "2012-10-17"
          Statement:
          {% for action in actions %}
            - Action: {{ action }}
              Effect: Allow
              Resource: "*"
          {% endfor %}
but when I run the playbook it says:
ERROR! variable files must contain either a dictionary of variables, or a
list of dictionaries. Got: acm-pca:ListTags acm-pca:GetPolicy
acm-pca:GetPolicy (<class 'ansible.parsing.yaml.objects.AnsibleUnicode'>)
On Tue, Feb 14, 2023 at 5:05 AM 'Rowe, Walter P. (Fed)' via Ansible Project
<[email protected]> wrote:
> This is not an Ansible problem. You need to read the AWS docs on
> specifying IAM policies and make sure your policy adheres to their format
> and only includes the key:value pairs they accept.
>
> Walter
> --
> Walter Rowe, Division Chief
> Infrastructure Services, OISM
> Mobile: 202.355.4123
>
> On Feb 13, 2023, at 1:47 PM, Tony Wong <[email protected]> wrote:
>
> Tried it, but it failed:
>
> fatal: [localhost]: FAILED! => {
>     "boto3_version": "1.24.27",
>     "botocore_version": "1.27.27",
>     "changed": false,
>     "error": {
>         "code": "MalformedPolicyDocument",
>         "message": "Syntax errors in policy.",
>         "type": "Sender"
>     },
>     "invocation": {
>         "module_args": {
>             "access_key": null,
>             "aws_ca_bundle": null,
>             "aws_config": null,
>             "debug_botocore_endpoint_logs": false,
>             "endpoint_url": null,
>             "iam_name": "aws_test_role",
>             "iam_type": "role",
>             "policy_json": "\"Version: \\\"2012-10-17\\\"\\nStatement:\\n - Action: acm-pca:ListTags\\n Effect: Allow\\n Resource: \\\"*\\\"\\n - Action: acm-pca:GetPolicy\\n Effect: Allow\\n Resource: \\\"*\\\"\\n - Action: acm-pca:GetPolicy\\n Effect: Allow\\n Resource: \\\"*\\\"\\n\"",
>             "policy_name": "PrismaCloud-IAM-ReadOnly-Policy",
>             "profile": null,
>             "region": null,
>             "secret_key": null,
>             "session_token": null,
>             "skip_duplicates": false,
>             "state": "present",
>             "validate_certs": true
>         }
>     },
>     "msg": "An error occurred (MalformedPolicyDocument) when calling the PutRolePolicy operation: Syntax errors in policy.",
>     "response_metadata": {
>         "http_headers": {
>             "connection": "close",
>             "content-length": "279",
>             "content-type": "text/xml",
>             "date": "Mon, 13 Feb 2023 16:10:28 GMT",
>             "x-amzn-requestid": "8ab06377-a416-45ea-a132-328cd03d329f"
>         },
>         "http_status_code": 400,
>         "request_id": "8ab06377-a416-45ea-a132-328cd03d329f",
>         "retry_attempts": 0
>     }
> }
>
> On Mon, Feb 13, 2023 at 8:02 AM Dick Visser <[email protected]> wrote:
>
>> On Mon, 13 Feb 2023 at 15:55, Tony Wong <[email protected]> wrote:
>>
>> > "msg": "Failed to decode the policy as valid JSON: Expecting value:
>> line 1 column 1 (char 0)"
>>
>> So, you will need to use proper JSON.
>> Give this a try:
>>
>> ---
>> - name: test
>>   hosts: localhost
>>   tasks:
>>     - name: Create IAM Managed Policy
>>       amazon.aws.iam_policy:
>>         iam_type: role
>>         iam_name: "aws_test_role"
>>         policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
>>         policy_json: "{{ policy | to_json }}"
>>         state: present
>>       vars:
>>         actions:
>>           - acm-pca:ListTags
>>           - acm-pca:GetPolicy
>>           - acm-pca:GetPolicy
>>         policy: |
>>           Version: "2012-10-17"
>>           Statement:
>>           {% for action in actions %}
>>             - Action: {{ action }}
>>               Effect: Allow
>>               Resource: "*"
>>           {% endfor %}
>>
>> --
>> You received this message because you are subscribed to a topic in the
>> Google Groups "Ansible Project" group.
>> To unsubscribe from this topic, visit
>> https://groups.google.com/d/topic/ansible-project/WZzXL_z_teA/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to
>> [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/ansible-project/CAF8BbLZKn4GQEjnRUGTTsZ358_mJ6a1cpqyRPtbXvMzoUNtvJQ%40mail.gmail.com.
>>
>
> --
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/CALmkhkqvQmg4x-M3nQUNigO4PQ_Et765EP4tOHkJiUYvf4ftZg%40mail.gmail.com.
>
>
> --
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/4E6822FF-DEB2-42B5-B18A-A4BCECED47F1%40nist.gov.
>
--
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/CALmkhkqfEokt473bEae-i0%3DMd5_n0PEEAM6th8Qw6Cz2ub89zg%40mail.gmail.com.
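Added example, not posted by anyone in the thread above. Two separate defects explain the two errors seen here: the vars file holds bare scalars instead of a mapping (hence "variable files must contain either a dictionary of variables, or a list of dictionaries"), and `policy` is a block scalar, i.e. a string after templating, so `to_json` emits a JSON string literal rather than a JSON object, which IAM rejects as MalformedPolicyDocument. The fix below keeps the thread's role and policy names, parses the rendered YAML text with `from_yaml` before `to_json`, and deduplicates the action list with `unique`; the key name `actions` in the vars file and the file name `playbook.yml` are my choices.

```yaml
# file: policy.yml  (vars file; must be a mapping, so the list lives under a key)
---
actions:
  - acm-pca:ListTags
  - acm-pca:GetPolicy
  - acm-pca:GetPolicy     # duplicate carried over from the thread; "unique" drops it

# file: playbook.yml
---
- name: test
  hosts: localhost
  vars_files:
    - policy.yml
  vars:
    # After templating this is still only a string. Rendering the action list
    # with to_json inside the text yields a YAML flow sequence, which avoids
    # the whitespace pitfalls of a {% for %} loop inside a block scalar.
    policy_text: |
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action: {{ actions | unique | to_json }}
          Resource: "*"
  tasks:
    - name: Attach inline read-only policy to the role
      amazon.aws.iam_policy:
        iam_type: role
        iam_name: aws_test_role
        policy_name: PrismaCloud-IAM-ReadOnly-Policy
        # from_yaml turns the rendered text into a dict; to_json then emits a
        # real JSON object, so policy_json starts with "{" instead of "\"".
        policy_json: "{{ policy_text | from_yaml | to_json }}"
        state: present
```

A quick self-check before running against AWS: `ansible localhost -m debug -a "msg={{ policy_text | from_yaml | to_json }}"` with the same vars shows the document beginning with `{"Version": ...`; the failing version from the thread shows it beginning with a quoted `"Version: ...` string. `Resource: "*"` is kept because the thread uses it, but for a read-only policy on ACM Private CA the resource should be narrowed to the CA ARNs the role actually needs, since `acm-pca:GetPolicy` and `acm-pca:ListTags` support resource-level permissions.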