On Thu, 16 Feb 2023 at 17:11, Tony Wong <[email protected]> wrote:
> ok this is more of an ansible problem.
>
> I like to put my policy changes in a vars file
>
> so I got a policy.yaml file like this
>
> policy.yaml
>
> acm-pca:ListTags
> acm-pca:GetPolicy
> acm-pca:GetPolicy
>
> ---
> - name: test
>   hosts: localhost
>   vars_files:
>     - policy.yml
>   tasks:
>     - name: Create IAM Managed Policy
>       amazon.aws.iam_policy:
>         iam_type: role
>         iam_name: "aws_test_role"
>         policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
>         policy_json: "{{ policy | to_json }}"
>         state: present
>       policy: |
>         Version: "2012-10-17"
>         Statement:
>         {% for action in actions %}
>         - Action: {{ action }}
>           Effect: Allow
>           Resource: "*"
>         {% endfor %}
>
> but when I run the pb it says
>
> ERROR! variable files must contain either a dictionary of variables, or a
> list of dictionaries.
This is correct.

> Got: acm-pca:ListTags acm-pca:GetPolicy acm-pca:GetPolicy (<class
> 'ansible.parsing.yaml.objects.AnsibleUnicode'>)
>

Your policy yaml file should read something like

policy:
  acm-pca:ListTags
  acm-pca:GetPolicy
  acm-pca:GetPolicy

> On Tue, Feb 14, 2023 at 5:05 AM 'Rowe, Walter P. (Fed)' via Ansible
> Project <[email protected]> wrote:
>
>> This is not an ansible problem. You need to read the AWS docs on
>> specifying IAM policies and make sure your policy adheres to their format
>> and only includes the key:value pairs they accept.
>>
>> Walter
>> --
>> Walter Rowe, Division Chief
>> Infrastructure Services, OISM
>> Mobile: 202.355.4123
>>
>> On Feb 13, 2023, at 1:47 PM, Tony Wong <[email protected]> wrote:
>>
>> tried but it failed
>>
>> fatal: [localhost]: FAILED! => {
>>     "boto3_version": "1.24.27",
>>     "botocore_version": "1.27.27",
>>     "changed": false,
>>     "error": {
>>         "code": "MalformedPolicyDocument",
>>         "message": "Syntax errors in policy.",
>>         "type": "Sender"
>>     },
>>     "invocation": {
>>         "module_args": {
>>             "access_key": null,
>>             "aws_ca_bundle": null,
>>             "aws_config": null,
>>             "debug_botocore_endpoint_logs": false,
>>             "endpoint_url": null,
>>             "iam_name": "aws_test_role",
>>             "iam_type": "role",
>>             "policy_json": "\"Version: \\\"2012-10-17\\\"\\nStatement:\\n - Action: acm-pca:ListTags\\n Effect: Allow\\n Resource: \\\"*\\\"\\n - Action: acm-pca:GetPolicy\\n Effect: Allow\\n Resource: \\\"*\\\"\\n - Action: acm-pca:GetPolicy\\n Effect: Allow\\n Resource: \\\"*\\\"\\n\"",
>>             "policy_name": "PrismaCloud-IAM-ReadOnly-Policy",
>>             "profile": null,
>>             "region": null,
>>             "secret_key": null,
>>             "session_token": null,
>>             "skip_duplicates": false,
>>             "state": "present",
>>             "validate_certs": true
>>         }
>>     },
>>     "msg": "An error occurred (MalformedPolicyDocument) when calling the
>> PutRolePolicy operation: Syntax errors in policy.",
>>     "response_metadata": {
>>         "http_headers": {
>>             "connection": "close",
>>             "content-length": "279",
>>             "content-type": "text/xml",
>>             "date": "Mon, 13 Feb 2023 16:10:28 GMT",
>>             "x-amzn-requestid": "8ab06377-a416-45ea-a132-328cd03d329f"
>>         },
>>         "http_status_code": 400,
>>         "request_id": "8ab06377-a416-45ea-a132-328cd03d329f",
>>         "retry_attempts": 0
>>     }
>> }
>>
>> On Mon, Feb 13, 2023 at 8:02 AM Dick Visser <[email protected]> wrote:
>>
>>> On Mon, 13 Feb 2023 at 15:55, Tony Wong <[email protected]> wrote:
>>>
>>> >     "msg": "Failed to decode the policy as valid JSON: Expecting
>>> > value: line 1 column 1 (char 0)"
>>>
>>> So, you will need to use proper JSON.
>>> Give this a try:
>>>
>>> ---
>>> - name: test
>>>   hosts: localhost
>>>   tasks:
>>>     - name: Create IAM Managed Policy
>>>       amazon.aws.iam_policy:
>>>         iam_type: role
>>>         iam_name: "aws_test_role"
>>>         policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
>>>         policy_json: "{{ policy | to_json }}"
>>>         state: present
>>>       vars:
>>>         actions:
>>>           - acm-pca:ListTags
>>>           - acm-pca:GetPolicy
>>>           - acm-pca:GetPolicy
>>>         policy: |
>>>           Version: "2012-10-17"
>>>           Statement:
>>>           {% for action in actions %}
>>>           - Action: {{ action }}
>>>             Effect: Allow
>>>             Resource: "*"
>>>           {% endfor %}
>>>
>>> --
>>> You received this message because you are subscribed to a topic in the
>>> Google Groups "Ansible Project" group.
>>> To unsubscribe from this topic, visit
>>> https://groups.google.com/d/topic/ansible-project/WZzXL_z_teA/unsubscribe
>>> .
>>> To unsubscribe from this group and all its topics, send an email to
>>> [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/ansible-project/CAF8BbLZKn4GQEjnRUGTTsZ358_mJ6a1cpqyRPtbXvMzoUNtvJQ%40mail.gmail.com
>>> .
--
Sent from Gmail Mobile
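The two errors in the thread have one cause, visible in the `module_args` above: `policy_json: "{{ policy | to_json }}"` JSON-encodes whatever `policy` holds, and when `policy` is the `policy: |` block scalar, the result is a JSON string that contains YAML text rather than a JSON object, which is what IAM rejects as MalformedPolicyDocument (and what the module itself rejects with "Failed to decode the policy as valid JSON" if the raw text is passed without `to_json`). The following is an added example, not code from the thread or from the Ansible or amazon.aws projects. It uses only the Python standard library: `to_json_like_ansible` is a stand-in for Ansible's `to_json` filter, `build_policy_document` builds the document as a structure from the thread's action list, and `policy_problems` is a hypothetical local pre-check that reports the structural defects IAM would reject before any PutRolePolicy call is made.

```python
"""Constructed example: why `to_json` on a YAML block scalar yields a policy
IAM rejects, and how building the document as a structure avoids it.

No AWS call is made; only the standard library is used.
"""
import json
from typing import Any

# Actions from the thread; GetPolicy is listed twice there, kept as written.
ACTIONS = ["acm-pca:ListTags", "acm-pca:GetPolicy", "acm-pca:GetPolicy"]

# What `policy: |` holds once Jinja has rendered the loop (constructed to
# match the policy_json value shown in the thread's error output).
RENDERED_POLICY_TEXT = (
    'Version: "2012-10-17"\nStatement:\n'
    '- Action: acm-pca:ListTags\n  Effect: Allow\n  Resource: "*"\n'
    '- Action: acm-pca:GetPolicy\n  Effect: Allow\n  Resource: "*"\n'
    '- Action: acm-pca:GetPolicy\n  Effect: Allow\n  Resource: "*"\n'
)


def to_json_like_ansible(value: Any) -> str:
    """Stand-in for Ansible's `to_json` filter: json.dumps of the value.

    A str value therefore becomes a quoted JSON string, not an object.
    """
    return json.dumps(value)


def build_policy_document(actions: list[str], resource: str = "*") -> dict:
    """Build the IAM document as a dict, one Allow statement per distinct
    action (mirroring the thread's loop). Duplicate actions are dropped; the
    resource defaults to "*" exactly as the thread wrote it."""
    distinct: list[str] = []
    for action in actions:
        if action not in distinct:
            distinct.append(action)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Action": action, "Effect": "Allow", "Resource": resource}
            for action in distinct
        ],
    }


def policy_problems(policy_json: str) -> list[str]:
    """Hypothetical local pre-check: return the structural problems IAM
    would reject, or an empty list. This is not a substitute for IAM's own
    validation and says nothing about how broad the grant is."""
    try:
        doc = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        # Raw YAML text fails here, like the thread's "Expecting value" error.
        return [f"not valid JSON: {exc.msg} at char {exc.pos}"]
    if not isinstance(doc, dict):
        # The `to_json` of a block scalar lands here: a str, not an object.
        return [f"top-level value is {type(doc).__name__}, not a JSON object"]
    problems: list[str] = []
    if not isinstance(doc.get("Version"), str):
        problems.append("missing or non-string Version")
    statements = doc.get("Statement")
    if isinstance(statements, dict):
        statements = [statements]
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list or object"]
    for i, stmt in enumerate(statements):
        if not isinstance(stmt, dict):
            problems.append(f"Statement[{i}] is not an object")
            continue
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"Statement[{i}] Effect must be Allow or Deny")
        if "Action" not in stmt and "NotAction" not in stmt:
            problems.append(f"Statement[{i}] has no Action")
        if "Resource" not in stmt and "NotResource" not in stmt:
            problems.append(f"Statement[{i}] has no Resource")
    return problems


if __name__ == "__main__":
    # The thread's failure mode: YAML text encoded as a JSON string.
    as_string = to_json_like_ansible(RENDERED_POLICY_TEXT)
    print("string policy:", policy_problems(as_string))
    # The working form: a structure encoded as a JSON object.
    as_object = to_json_like_ansible(build_policy_document(ACTIONS))
    print("object policy:", policy_problems(as_object) or "ok")
```

In the playbook itself the equivalent change is to turn the rendered text into a structure before encoding it, for example `policy_json: "{{ policy | from_yaml | to_json }}"`, or to define `policy` directly as a YAML mapping and list rather than a block scalar; either way the value reaching the module is an object, and a pre-check like `policy_problems` catches a string or a missing `Effect` locally instead of after a 400 from IAM.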
