I think they did provide it .. just not with line numbers.
---
- name: test
  hosts: localhost
  vars_files:
    - policy.yml
  tasks:
    - name: Create IAM Managed Policy
      amazon.aws.iam_policy:
        iam_type: role
        iam_name: "aws_test_role"
        policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
        policy_json: "{{ policy | to_json }}"
        state: present
        policy: |
          Version: "2012-10-17"
          Statement:
          {% for action in actions %}
            - Action: {{ action }}
              Effect: Allow
              Resource: "*"
          {% endfor %}
Walter
--
Walter Rowe, Division Chief
Infrastructure Services, OISM
Mobile: 202.355.4123
On Feb 17, 2023, at 12:26 PM, Todd Lewis <[email protected]> wrote:
If you're going to post an error indicating an undefined variable problem on
line 7 column 5 of a file we don't have, and you aren't going to give us that
portion of the file, or show us why you think that variable should be defined
at that point, what then do you expect us to do? We're trying to help you after
all. Please give us the information necessary to do that.
On Friday, February 17, 2023 at 10:16:16 AM UTC-5 Tony Wong wrote:
now getting this
fatal: [localhost]: FAILED! => {
"msg": "The task includes an option with an undefined variable. The error
was: 'actions' is undefined\n\nThe error appears to be in
'/Users/t/virtualenv/ansible/update_iam_policy/update_iam3.yaml': line 7,
column 5, but may\nbe elsewhere in the file depending on the exact syntax
problem.\n\nThe offending line appears to be:\n\n tasks:\n - name: Create IAM
Managed Policy\n ^ here\n"
}
On Thu, Feb 16, 2023 at 11:05 AM Dick Visser <[email protected]> wrote:
On Thu, 16 Feb 2023 at 17:11, Tony Wong <[email protected]> wrote:
ok this is more ansible problem.
I like to put my policy changes in a vars file
so I got a policy.yaml file like this
policy.yaml
acm-pca:ListTags
acm-pca:GetPolicy
acm-pca:GetPolicy
---
- name: test
  hosts: localhost
  vars_files:
    - policy.yml
  tasks:
    - name: Create IAM Managed Policy
      amazon.aws.iam_policy:
        iam_type: role
        iam_name: "aws_test_role"
        policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
        policy_json: "{{ policy | to_json }}"
        state: present
        policy: |
          Version: "2012-10-17"
          Statement:
          {% for action in actions %}
            - Action: {{ action }}
              Effect: Allow
              Resource: "*"
          {% endfor %}
but when I run the pb it says
ERROR! variable files must contain either a dictionary of variables, or a list
of dictionaries.
This is correct.
Got: acm-pca:ListTags acm-pca:GetPolicy acm-pca:GetPolicy (<class
'ansible.parsing.yaml.objects.AnsibleUnicode'>)
Your policy yaml file should read something like
policy:
  acm-pca:ListTags
  acm-pca:GetPolicy
  acm-pca:GetPolicy
On Tue, Feb 14, 2023 at 5:05 AM 'Rowe, Walter P. (Fed)' via Ansible Project <[email protected]> wrote:
This is not an ansible problem. You need to read the AWS docs on specifying
IAM policies and make sure your policy adheres to their format and only
includes the key:value pairs they accept.
Walter
--
Walter Rowe, Division Chief
Infrastructure Services, OISM
Mobile: 202.355.4123
On Feb 13, 2023, at 1:47 PM, Tony Wong <[email protected]> wrote:
tried but it failed
fatal: [localhost]: FAILED! => {
    "boto3_version": "1.24.27",
    "botocore_version": "1.27.27",
    "changed": false,
    "error": {
        "code": "MalformedPolicyDocument",
        "message": "Syntax errors in policy.",
        "type": "Sender"
    },
    "invocation": {
        "module_args": {
            "access_key": null,
            "aws_ca_bundle": null,
            "aws_config": null,
            "debug_botocore_endpoint_logs": false,
            "endpoint_url": null,
            "iam_name": "aws_test_role",
            "iam_type": "role",
            "policy_json": "\"Version: \\\"2012-10-17\\\"\\nStatement:\\n - Action: acm-pca:ListTags\\n Effect: Allow\\n Resource: \\\"*\\\"\\n - Action: acm-pca:GetPolicy\\n Effect: Allow\\n Resource: \\\"*\\\"\\n - Action: acm-pca:GetPolicy\\n Effect: Allow\\n Resource: \\\"*\\\"\\n\"",
            "policy_name": "PrismaCloud-IAM-ReadOnly-Policy",
            "profile": null,
            "region": null,
            "secret_key": null,
            "session_token": null,
            "skip_duplicates": false,
            "state": "present",
            "validate_certs": true
        }
    },
    "msg": "An error occurred (MalformedPolicyDocument) when calling the PutRolePolicy operation: Syntax errors in policy.",
    "response_metadata": {
        "http_headers": {
            "connection": "close",
            "content-length": "279",
            "content-type": "text/xml",
            "date": "Mon, 13 Feb 2023 16:10:28 GMT",
            "x-amzn-requestid": "8ab06377-a416-45ea-a132-328cd03d329f"
        },
        "http_status_code": 400,
        "request_id": "8ab06377-a416-45ea-a132-328cd03d329f",
        "retry_attempts": 0
    }
}
On Mon, Feb 13, 2023 at 8:02 AM Dick Visser <[email protected]> wrote:
On Mon, 13 Feb 2023 at 15:55, Tony Wong <[email protected]> wrote:
> "msg": "Failed to decode the policy as valid JSON: Expecting value: line
> 1 column 1 (char 0)"
So, you will need to use proper JSON.
Give this a try:
---
- name: test
  hosts: localhost
  tasks:
    - name: Create IAM Managed Policy
      amazon.aws.iam_policy:
        iam_type: role
        iam_name: "aws_test_role"
        policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
        policy_json: "{{ policy | to_json }}"
        state: present
      vars:
        actions:
          - acm-pca:ListTags
          - acm-pca:GetPolicy
          - acm-pca:GetPolicy
        policy: |
          Version: "2012-10-17"
          Statement:
          {% for action in actions %}
            - Action: {{ action }}
              Effect: Allow
              Resource: "*"
          {% endfor %}
--
You received this message because you are subscribed to a topic in the Google
Groups "Ansible Project" group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/ansible-project/WZzXL_z_teA/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
[email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/CAF8BbLZKn4GQEjnRUGTTsZ358_mJ6a1cpqyRPtbXvMzoUNtvJQ%40mail.gmail.com.
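Putting the thread's pieces together, as an added example that is not code from any of the posters: a vars file must be a mapping, so the action names need a key (here `actions`, the name the playbook's loop already expects), and `policy_json` must receive a JSON document. Building the policy as a YAML block scalar and then piping that string through `to_json` produces a JSON string literal that contains YAML text, which is exactly the `policy_json` value visible in the `MalformedPolicyDocument` output above. Building the policy as YAML data (a mapping with a `Statement` list) and applying `to_json` to that produces a real JSON object. The variable name `iam_policy_doc`, the `gather_facts` setting and the assert task are my additions; `aws_test_role`, the policy name and the `acm-pca` actions are reused from the thread. Since the failing call was `PutRolePolicy`, `iam_type: role` writes an inline policy on the role rather than a managed policy, and the task name says so.

```yaml
# policy.yaml (constructed example file): a vars file must be a mapping,
# so the list of actions lives under a key the playbook will reference.
actions:
  - acm-pca:ListTags
  - acm-pca:GetPolicy
  - acm-pca:GetPolicy

---
# update_iam_policy.yaml (constructed example playbook)
- name: Attach a read-only inline policy built from a vars file
  hosts: localhost
  gather_facts: false
  vars_files:
    - policy.yaml
  vars:
    # Build the policy as YAML data, not as a text block: "{{ actions }}"
    # renders to a list, so Action becomes a JSON array after to_json.
    # (iam_policy_doc is a name chosen for this example.)
    iam_policy_doc:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action: "{{ actions | unique }}"
          Resource: "*"
  tasks:
    - name: Fail with a clear message if the vars file did not define the list
      ansible.builtin.assert:
        that:
          - actions is defined
          - actions | type_debug == 'list'
          - actions | length > 0
        fail_msg: "policy.yaml must define 'actions' as a non-empty list"

    - name: Put inline policy on the role (PutRolePolicy)
      amazon.aws.iam_policy:
        iam_type: role
        iam_name: "aws_test_role"
        policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
        # to_json on a mapping yields a JSON object, which IAM accepts.
        policy_json: "{{ iam_policy_doc | to_json }}"
        state: present
```

Run it with `ansible-playbook update_iam_policy.yaml` and AWS credentials in the environment. The assert task replaces the opaque "'actions' is undefined" failure with a message that names the vars file and the key, and it runs before any AWS call is made. The `unique` filter drops the duplicated `acm-pca:GetPolicy` entry so the stored policy is minimal.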