Perhaps you need to query the current state of the IAM role, modify it, and re-apply it so you are adding to the existing policy?
Walter
--
Walter Rowe, Division Chief Infrastructure Services, OISM
Mobile: 202.355.4123

On Feb 9, 2023, at 6:34 PM, Tony Wong <tdubb...@gmail.com> wrote:

Yep, only last value.

On Thu, Feb 9, 2023 at 2:52 PM Todd Lewis <uto...@gmail.com> wrote:

Here's an idea: Register the result, and show us the output from `ansible-playbook -vv`. Based on what you said before about it replacing rather than adding to, I'm going to guess you're only getting the last value. (?)

On Thursday, February 9, 2023 at 5:02:45 PM UTC-5 Tony Wong wrote:

Trying my loop but it's only putting in one value. Any idea?

---
- name: test
  hosts: localhost
  tasks:
    - name: Create IAM Managed Policy
      amazon.aws.iam_policy:
        iam_type: role
        iam_name: "aws_test_role"
        policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
        policy_json:
          Version: "2012-10-17"
          Statement:
            - Action: "{{ item }}"
              Effect: "Allow"
              Resource: "*"
        state: present
      loop:
        - acm-pca:ListTags
        - acm-pca:GetPolicy
        - acm-pca:GetPolicy

On Thu, Feb 9, 2023 at 1:29 PM Tony Wong <tdub...@gmail.com> wrote:

OK, I tried doing it this way and it worked but wiped out my existing policy. Any idea how to append instead of replace?

---
- name: test
  hosts: localhost
  tasks:
    - name: Create IAM Managed Policy
      amazon.aws.iam_policy:
        iam_type: role
        iam_name: "aws_test_role"
        policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
        policy_json:
          Version: "2012-10-17"
          Statement:
            - Action: ["appstream:DescribeStacks"]
              Effect: "Allow"
              Resource: "*"
        state: present

On Thu, Feb 9, 2023 at 11:49 AM Tony Wong <tdub...@gmail.com> wrote:

Yes, it does.

On Thu, Feb 9, 2023 at 11:47 AM 'Rowe, Walter P. (Fed)' via Ansible Project <ansible...@googlegroups.com> wrote:

Does your AWS user ID used by the task have rights to modify IAM policies?

Walter
--
Walter Rowe, Division Chief Infrastructure Services, OISM
Mobile: 202.355.4123

On Feb 9, 2023, at 2:46 PM, Tony Wong <tdub...@gmail.com> wrote:

I am trying to add or modify an IAM policy with below. It ran but did not modify anything. Any idea?

---
- name: test
  hosts: localhost
  tasks:
    - name: Create IAM Managed Policy
      community.aws.iam_managed_policy:
        policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
        policy:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              "Action": "appstream:DescribeStacks"
              Resource: "*"
        make_default: false
        state: present
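
An added example, not code from any poster in the thread, of the read-modify-write approach suggested in the top reply: amazon.aws.iam_policy replaces the whole inline policy document of that name on every call, which is why both the single task and each loop iteration overwrote what was there. It assumes amazon.aws.iam_policy_info is available in the installed amazon.aws collection and that the credentials may also call iam:ListRolePolicies and iam:GetRolePolicy; the variable names are illustrative.

```yaml
---
# Added example (not from the thread): read the policy, merge, write it back.
- name: Append to an inline role policy without dropping existing statements
  hosts: localhost
  gather_facts: false
  vars:
    role_name: "aws_test_role"                        # role name from the thread
    inline_policy: "PrismaCloud-IAM-ReadOnly-Policy"  # policy name from the thread
    new_statement:
      Effect: "Allow"
      Action:             # one list, not one loop iteration per action
        - acm-pca:ListTags
        - acm-pca:GetPolicy
      Resource: "*"
  tasks:
    - name: Read the inline policy as it exists now
      amazon.aws.iam_policy_info:
        iam_type: role
        iam_name: "{{ role_name }}"
        policy_name: "{{ inline_policy }}"
      register: current

    - name: Take the existing document, or an empty one if the policy is absent
      ansible.builtin.set_fact:
        old_doc: "{{ (current.policies | default([]) | first | default({})).policy_document | default({}) }}"

    - name: Normalise Statement to a list (IAM also accepts a single object)
      ansible.builtin.set_fact:
        old_statements: >-
          {{ [old_doc.Statement] if old_doc.Statement is mapping
             else (old_doc.Statement | default([])) }}

    - name: Write back the old statements plus the new one (no duplicate on re-run)
      amazon.aws.iam_policy:
        iam_type: role
        iam_name: "{{ role_name }}"
        policy_name: "{{ inline_policy }}"
        policy_json:
          Version: "{{ old_doc.Version | default('2012-10-17') }}"
          Statement: "{{ old_statements + ([] if new_statement in old_statements else [new_statement]) }}"
        state: present
      register: result
```

Because the merged document is written in one call, a concurrent change to the same inline policy between the read and the write would still be lost; review `result` with `-vv` after the run to confirm the statements that ended up on the role.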