Now getting this:
fatal: [localhost]: FAILED! => {
"msg": "The task includes an option with an undefined variable. The
error was: 'actions' is undefined\n\nThe error appears to be in
'/Users/t/virtualenv/ansible/update_iam_policy/update_iam3.yaml': line 7,
column 5, but may\nbe elsewhere in the file depending on the exact syntax
problem.\n\nThe offending line appears to be:\n\n tasks:\n - name: Create
IAM Managed Policy\n ^ here\n"
}
On Thu, Feb 16, 2023 at 11:05 AM Dick Visser <[email protected]> wrote:
>
>
> On Thu, 16 Feb 2023 at 17:11, Tony Wong <[email protected]> wrote:
>
>> OK, this is more of an Ansible problem.
>>
>> I'd like to put my policy changes in a vars file,
>>
>> so I have a policy.yaml file like this:
>>
>>
>> policy.yaml
>>
>> acm-pca:ListTags
>> acm-pca:GetPolicy
>> acm-pca:GetPolicy
>>
>> ---
>> - name: test
>>   hosts: localhost
>>   vars_files:
>>     - policy.yml
>>   tasks:
>>     - name: Create IAM Managed Policy
>>       amazon.aws.iam_policy:
>>         iam_type: role
>>         iam_name: "aws_test_role"
>>         policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
>>         policy_json: "{{ policy | to_json }}"
>>         state: present
>>         policy: |
>>           Version: "2012-10-17"
>>           Statement:
>>           {% for action in actions %}
>>             - Action: {{ action }}
>>               Effect: Allow
>>               Resource: "*"
>>           {% endfor %}
>>
>>
>> But when I run the playbook it says:
>>
>> ERROR! variable files must contain either a dictionary of variables, or a
>> list of dictionaries.
>>
>
> This is correct.
>
>> Got: acm-pca:ListTags acm-pca:GetPolicy acm-pca:GetPolicy (<class
>> 'ansible.parsing.yaml.objects.AnsibleUnicode'>)
>>
>
> Your policy YAML file should read something like:
>
> policy:
>   acm-pca:ListTags
>   acm-pca:GetPolicy
>   acm-pca:GetPolicy
>
>
>>
>>
>> On Tue, Feb 14, 2023 at 5:05 AM 'Rowe, Walter P. (Fed)' via Ansible
>> Project <[email protected]> wrote:
>>
>>> This is not an Ansible problem. You need to read the AWS docs on
>>> specifying IAM policies and make sure your policy adheres to their format
>>> and only includes the key:value pairs they accept.
>>>
>>> Walter
>>> --
>>> Walter Rowe, Division Chief
>>> Infrastructure Services, OISM
>>> Mobile: 202.355.4123
>>>
>>> On Feb 13, 2023, at 1:47 PM, Tony Wong <[email protected]> wrote:
>>>
>>> Tried it, but it failed:
>>>
>>> fatal: [localhost]: FAILED! => {
>>> "boto3_version": "1.24.27",
>>> "botocore_version": "1.27.27",
>>> "changed": false,
>>> "error": {
>>> "code": "MalformedPolicyDocument",
>>> "message": "Syntax errors in policy.",
>>> "type": "Sender"
>>> },
>>> "invocation": {
>>> "module_args": {
>>> "access_key": null,
>>> "aws_ca_bundle": null,
>>> "aws_config": null,
>>> "debug_botocore_endpoint_logs": false,
>>> "endpoint_url": null,
>>> "iam_name": "aws_test_role",
>>> "iam_type": "role",
>>> "policy_json": "\"Version:
>>> \\\"2012-10-17\\\"\\nStatement:\\n - Action: acm-pca:ListTags\\n
>>> Effect: Allow\\n Resource: \\\"*\\\"\\n - Action: acm-pca:GetPolicy\\n
>>> Effect: Allow\\n Resource: \\\"*\\\"\\n - Action:
>>> acm-pca:GetPolicy\\n Effect: Allow\\n Resource: \\\"*\\\"\\n\"",
>>> "policy_name": "PrismaCloud-IAM-ReadOnly-Policy",
>>> "profile": null,
>>> "region": null,
>>> "secret_key": null,
>>> "session_token": null,
>>> "skip_duplicates": false,
>>> "state": "present",
>>> "validate_certs": true
>>> }
>>> },
>>> "msg": "An error occurred (MalformedPolicyDocument) when calling the
>>> PutRolePolicy operation: Syntax errors in policy.",
>>> "response_metadata": {
>>> "http_headers": {
>>> "connection": "close",
>>> "content-length": "279",
>>> "content-type": "text/xml",
>>> "date": "Mon, 13 Feb 2023 16:10:28 GMT",
>>> "x-amzn-requestid": "8ab06377-a416-45ea-a132-328cd03d329f"
>>> },
>>> "http_status_code": 400,
>>> "request_id": "8ab06377-a416-45ea-a132-328cd03d329f",
>>> "retry_attempts": 0
>>> }
>>> }
>>>
>>> On Mon, Feb 13, 2023 at 8:02 AM Dick Visser <[email protected]> wrote:
>>>
>>>> On Mon, 13 Feb 2023 at 15:55, Tony Wong <[email protected]> wrote:
>>>>
>>>> > "msg": "Failed to decode the policy as valid JSON: Expecting
>>>> value: line 1 column 1 (char 0)"
>>>>
>>>> So, you will need to use proper JSON.
>>>> Give this a try:
>>>>
>>>> ---
>>>> - name: test
>>>>   hosts: localhost
>>>>   tasks:
>>>>     - name: Create IAM Managed Policy
>>>>       amazon.aws.iam_policy:
>>>>         iam_type: role
>>>>         iam_name: "aws_test_role"
>>>>         policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
>>>>         policy_json: "{{ policy | to_json }}"
>>>>         state: present
>>>>       vars:
>>>>         actions:
>>>>           - acm-pca:ListTags
>>>>           - acm-pca:GetPolicy
>>>>           - acm-pca:GetPolicy
>>>>         policy: |
>>>>           Version: "2012-10-17"
>>>>           Statement:
>>>>           {% for action in actions %}
>>>>             - Action: {{ action }}
>>>>               Effect: Allow
>>>>               Resource: "*"
>>>>           {% endfor %}
>>>>
>>>> --
>>>> You received this message because you are subscribed to a topic in the
>>>> Google Groups "Ansible Project" group.
>>>> To unsubscribe from this topic, visit
>>>> https://groups.google.com/d/topic/ansible-project/WZzXL_z_teA/unsubscribe
>>>> .
>>>> To unsubscribe from this group and all its topics, send an email to
>>>> [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/ansible-project/CAF8BbLZKn4GQEjnRUGTTsZ358_mJ6a1cpqyRPtbXvMzoUNtvJQ%40mail.gmail.com
>>>> .
>>>>
>>>
> --
> Sent from Gmail Mobile
>
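The failure path in this thread is that to_json is applied to rendered YAML text, so the module receives a JSON string rather than a policy object. The following is an added example, not code from the thread or from amazon.aws: it reproduces that mistake, builds the policy as a data structure instead, and runs least-privilege checks on it before it would be applied (ACTIONS, YAML_TEXT, the lint rules and the sample ARN in the usage are constructed for illustration).

```python
import json

# Constructed sample input: the action list from the thread, repeat included.
ACTIONS = ["acm-pca:ListTags", "acm-pca:GetPolicy", "acm-pca:GetPolicy"]

# What the quoted playbooks really send: Jinja renders YAML *text*, and
# to_json then encodes that text as one JSON string, not as a policy object.
YAML_TEXT = 'Version: "2012-10-17"\nStatement:\n  - Action: acm-pca:ListTags\n'

def render_wrong_way():
    """Reproduce the failing path: JSON-encode the rendered YAML text."""
    return json.dumps(YAML_TEXT)

def is_policy_object(policy_json_text):
    """True only if the JSON decodes to an object carrying a Statement list."""
    try:
        doc = json.loads(policy_json_text)
    except ValueError:
        return False
    return isinstance(doc, dict) and isinstance(doc.get("Statement"), list)

def build_policy(actions, resource="*"):
    """Build the policy as a dict, one statement per distinct action."""
    distinct = list(dict.fromkeys(actions))  # drops the doubled GetPolicy
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": a, "Resource": resource} for a in distinct
        ],
    }

def policy_json(actions, resource="*"):
    """The value to hand to policy_json: JSON of the dict, not of a string."""
    return json.dumps(build_policy(actions, resource))

def lint_policy(doc):
    """Least-privilege checks worth running before the module applies it."""
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("Version must be 2012-10-17")
    for i, st in enumerate(doc.get("Statement", [])):
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        for a in acts:
            if ":" not in a or a.endswith(":*"):  # "*" or service-wide wildcards
                findings.append(f"statement {i}: overly broad or malformed action {a}")
        if st.get("Effect") == "Allow" and st.get("Resource") == "*":
            findings.append(f"statement {i}: Allow on Resource * (scope it to ARNs)")
    return findings
```

In a playbook the same outcome is reached by defining policy as a YAML mapping under vars (not a block scalar) so that `policy | to_json` serialises an object; the lint findings here are the review points to settle before `state: present`.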