ok this is more of an ansible problem. I like to put my policy changes in a vars file
so I got a policy.yaml file like this:

policy.yaml
    acm-pca:ListTags
    acm-pca:GetPolicy
    acm-pca:GetPolicy

and the playbook:

    ---
    - name: test
      hosts: localhost
      vars_files:
        - policy.yml
      tasks:
        - name: Create IAM Managed Policy
          amazon.aws.iam_policy:
            iam_type: role
            iam_name: "aws_test_role"
            policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
            policy_json: "{{ policy | to_json }}"
            state: present
          policy: |
            Version: "2012-10-17"
            Statement:
            {% for action in actions %}
              - Action: {{ action }}
                Effect: Allow
                Resource: "*"
            {% endfor %}

but when I run the pb it says:

    ERROR! variable files must contain either a dictionary of variables, or a list of dictionaries. Got: acm-pca:ListTags acm-pca:GetPolicy acm-pca:GetPolicy (<class 'ansible.parsing.yaml.objects.AnsibleUnicode'>)

On Tue, Feb 14, 2023 at 5:05 AM 'Rowe, Walter P. (Fed)' via Ansible Project <ansible-project@googlegroups.com> wrote:

> This is not an ansible problem. You need to read the AWS docs on
> specifying IAM policies and make sure your policy adheres to their format
> and only includes the key:value pairs they accept.
>
> Walter
> --
> Walter Rowe, Division Chief
> Infrastructure Services, OISM
> Mobile: 202.355.4123
>
> On Feb 13, 2023, at 1:47 PM, Tony Wong <tdubb...@gmail.com> wrote:
>
> tried but it failed
>
> fatal: [localhost]: FAILED! => {
>     "boto3_version": "1.24.27",
>     "botocore_version": "1.27.27",
>     "changed": false,
>     "error": {
>         "code": "MalformedPolicyDocument",
>         "message": "Syntax errors in policy.",
>         "type": "Sender"
>     },
>     "invocation": {
>         "module_args": {
>             "access_key": null,
>             "aws_ca_bundle": null,
>             "aws_config": null,
>             "debug_botocore_endpoint_logs": false,
>             "endpoint_url": null,
>             "iam_name": "aws_test_role",
>             "iam_type": "role",
>             "policy_json": "\"Version: \\\"2012-10-17\\\"\\nStatement:\\n - Action: acm-pca:ListTags\\n Effect: Allow\\n Resource: \\\"*\\\"\\n - Action: acm-pca:GetPolicy\\n Effect: Allow\\n Resource: \\\"*\\\"\\n - Action: acm-pca:GetPolicy\\n Effect: Allow\\n Resource: \\\"*\\\"\\n\"",
>             "policy_name": "PrismaCloud-IAM-ReadOnly-Policy",
>             "profile": null,
>             "region": null,
>             "secret_key": null,
>             "session_token": null,
>             "skip_duplicates": false,
>             "state": "present",
>             "validate_certs": true
>         }
>     },
>     "msg": "An error occurred (MalformedPolicyDocument) when calling the PutRolePolicy operation: Syntax errors in policy.",
>     "response_metadata": {
>         "http_headers": {
>             "connection": "close",
>             "content-length": "279",
>             "content-type": "text/xml",
>             "date": "Mon, 13 Feb 2023 16:10:28 GMT",
>             "x-amzn-requestid": "8ab06377-a416-45ea-a132-328cd03d329f"
>         },
>         "http_status_code": 400,
>         "request_id": "8ab06377-a416-45ea-a132-328cd03d329f",
>         "retry_attempts": 0
>     }
> }
>
> On Mon, Feb 13, 2023 at 8:02 AM Dick Visser <dnmvis...@gmail.com> wrote:
>
>> On Mon, 13 Feb 2023 at 15:55, Tony Wong <tdubb...@gmail.com> wrote:
>>
>> > "msg": "Failed to decode the policy as valid JSON: Expecting value:
>> > line 1 column 1 (char 0)"
>>
>> So, you will need to use proper JSON.
>> Give this a try:
>>
>> ---
>> - name: test
>>   hosts: localhost
>>   tasks:
>>     - name: Create IAM Managed Policy
>>       amazon.aws.iam_policy:
>>         iam_type: role
>>         iam_name: "aws_test_role"
>>         policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
>>         policy_json: "{{ policy | to_json }}"
>>         state: present
>>       vars:
>>         actions:
>>           - acm-pca:ListTags
>>           - acm-pca:GetPolicy
>>           - acm-pca:GetPolicy
>>         policy: |
>>           Version: "2012-10-17"
>>           Statement:
>>           {% for action in actions %}
>>             - Action: {{ action }}
>>               Effect: Allow
>>               Resource: "*"
>>           {% endfor %}
>>
>> --
>> You received this message because you are subscribed to a topic in the
>> Google Groups "Ansible Project" group.
>> To unsubscribe from this topic, visit
>> https://groups.google.com/d/topic/ansible-project/WZzXL_z_teA/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to
>> ansible-project+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/ansible-project/CAF8BbLZKn4GQEjnRUGTTsZ358_mJ6a1cpqyRPtbXvMzoUNtvJQ%40mail.gmail.com.
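An added example, not from anyone in the thread: the vars file shaped the way the ERROR above asks for (a mapping at the top level; the key name "actions" is my choice, reusing the variable Dick's template loops over), and a playbook that builds the policy as a dictionary rather than as YAML text, so that to_json emits a JSON object instead of the quoted YAML string visible in the policy_json field of the MalformedPolicyDocument output. The single-statement layout is mine as well.

```yaml
# policy.yml (vars file). Ansible requires a mapping at the top level of a
# vars file, so the list has to live under a key; "actions" is an assumed name.
actions:
  - acm-pca:ListTags
  - acm-pca:GetPolicy
  - acm-pca:GetPolicy   # duplicate carried over from the thread; dropped by "unique" below

# playbook.yml
---
- name: test
  hosts: localhost
  vars_files:
    - policy.yml
  vars:
    # Build the policy as a dictionary, not a YAML string: "to_json" on a
    # dictionary emits a JSON object, whereas on a string it emits a quoted
    # string, which IAM rejects as MalformedPolicyDocument.
    policy:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          # Action accepts a list; the full-expression template keeps it a list.
          Action: "{{ actions | unique }}"
          Resource: "*"
  tasks:
    - name: Put inline read-only policy on the role
      amazon.aws.iam_policy:
        iam_type: role
        iam_name: aws_test_role
        policy_name: PrismaCloud-IAM-ReadOnly-Policy
        policy_json: "{{ policy | to_json }}"
        state: present
```

With iam_type: role this module calls PutRolePolicy (as the error output shows), so it attaches an inline policy to the role rather than creating a managed policy; the task name reflects that.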