modifying an IAM policy


Tony Wong
Feb 9, 2023, 2:46:09 PM
to Ansible Project
I am trying to add or modify an IAM policy with the playbook below. It ran but did not modify anything.

any idea?

---
- name: test
  hosts: localhost
  tasks:
    - name: Create IAM Managed Policy
      community.aws.iam_managed_policy:
        policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
        policy:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Action: "appstream:DescribeStacks"
              Resource: "*"
        make_default: false
        state: present


Rowe, Walter P. (Fed)
Feb 9, 2023, 2:47:56 PM
to ansible...@googlegroups.com
Does your AWS user ID used by the task have rights to modify IAM policies?

Walter
--
Walter Rowe, Division Chief
Infrastructure Services, OISM
Mobile: 202.355.4123

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/06b09dc9-215a-44a9-b9f0-ec4f7732f775n%40googlegroups.com.

Tony Wong
Feb 9, 2023, 2:50:02 PM
to ansible...@googlegroups.com
yes it does


Tony Wong
Feb 9, 2023, 4:30:20 PM
to ansible...@googlegroups.com
OK, I tried doing it this way and it worked, but it wiped out my existing policy. Any idea how to append instead of replace?

---
- name: test
  hosts: localhost
  tasks:
    - name: Create IAM Managed Policy
      amazon.aws.iam_policy:
        iam_type: role
        iam_name: "aws_test_role"
        policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
        policy_json:
          Version: "2012-10-17"
          Statement:
            - Action: ["appstream:DescribeStacks"]
              Effect: "Allow"
              Resource: "*"
        state: present

Tony Wong
Feb 9, 2023, 5:02:45 PM
to ansible...@googlegroups.com
Trying my loop, but it's only putting in one value. Any idea?

---
- name: test
  hosts: localhost
  tasks:
    - name: Create IAM Managed Policy
      amazon.aws.iam_policy:
        iam_type: role
        iam_name: "aws_test_role"
        policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
        policy_json:
          Version: "2012-10-17"
          Statement:
            - Action: "{{ item }}"
              Effect: "Allow"
              Resource: "*"
        state: present
      loop:
        - acm-pca:ListTags
        - acm-pca:GetPolicy
        - acm-pca:GetPolicy

Todd Lewis
Feb 9, 2023, 5:52:37 PM
to Ansible Project
Here's an idea: Register the result, and show us the output from `ansible-playbook -vv`.
Based on what you said before about it replacing rather than adding to, I'm going to guess you're only getting the last value. (?)

Tony Wong
Feb 9, 2023, 6:34:36 PM
to ansible...@googlegroups.com
Yep, only the last value.

Dick Visser
Feb 10, 2023, 7:41:33 AM
to ansible...@googlegroups.com
You could use an inline template to loop over the list of actions, for example:

---
- name: test
  hosts: localhost
  tasks:
  - name: Create IAM Managed Policy
    amazon.aws.iam_policy:
      iam_type: role
      iam_name: "aws_test_role"
      policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
      policy_json: |
        Version: "2012-10-17"
        Statement:
        {% for action in actions %}
          - Action: {{ action }}
            Effect: Allow
            Resource: "*"
        {% endfor %}
      state: present
    vars:
      actions:
        - acm-pca:ListTags
        - acm-pca:GetPolicy
        - acm-pca:GetPolicy



Rowe, Walter P. (Fed)
Feb 10, 2023, 7:56:24 AM
to ansible...@googlegroups.com
Has this discussion gotten away from ansible and drifted into an AWS question?


Walter

Rowe, Walter P. (Fed)
Feb 10, 2023, 7:56:57 AM
to ansible...@googlegroups.com
Perhaps you need to query the current state of the IAM role, modify it, and re-apply it so you are adding to the existing policy?


Walter
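Two things in the thread point at the same fix. The loop only keeps the last action because every iteration hands amazon.aws.iam_policy a complete one-statement document, and the module writes the whole inline policy named policy_name, so each run replaces the previous one. Walter's suggestion, read the current document, merge, write it back, worked through as an added Python example (this is not code from the thread, from Ansible or from the amazon.aws collection). The role name, policy name and the "existing" document are constructed for the example; append_to_role_policy is a hypothetical helper that assumes boto3 is installed and the caller holds iam:GetRolePolicy and iam:PutRolePolicy on the role.

```python
"""Append actions to an IAM role's inline policy instead of replacing it.

Added example, not code from the thread, Ansible or amazon.aws.
Read-merge-write: fetch the current inline document, add one statement
carrying only the actions it does not already allow, write it back.
"""
import copy
import json


def statements_of(doc):
    """Statement may be a single object or a list; always return a list."""
    stmts = doc.get("Statement", [])
    return list(stmts) if isinstance(stmts, list) else [stmts]


def as_list(value):
    return list(value) if isinstance(value, list) else [value]


def merge_inline_policy(existing_doc, new_actions, resource="*", effect="Allow"):
    """Return existing statements plus one statement granting new_actions on
    resource. Actions an existing statement with the same Effect already
    grants on that resource are skipped, so re-runs are idempotent and the
    doubled acm-pca:GetPolicy from the thread collapses to one entry."""
    doc = copy.deepcopy(existing_doc) if existing_doc else {"Version": "2012-10-17", "Statement": []}
    stmts = statements_of(doc)
    already = set()
    for s in stmts:
        if s.get("Effect") == effect and resource in as_list(s.get("Resource", [])):
            already.update(as_list(s.get("Action", [])))
    wanted = []
    for a in new_actions:
        if a not in already and a not in wanted:
            wanted.append(a)
    if wanted:
        stmts.append({"Effect": effect, "Action": wanted, "Resource": resource})
    doc["Statement"] = stmts
    return doc


def render_policy_json(doc):
    """The string the module's policy_json option expects: real JSON text,
    produced from a dict (not from a block of YAML text)."""
    return json.dumps(doc, indent=2, sort_keys=True)


def granted_actions(doc, resource="*"):
    """Flat set of actions Allowed on resource, for checking the result."""
    out = set()
    for s in statements_of(doc):
        if s.get("Effect") == "Allow" and resource in as_list(s.get("Resource", [])):
            out.update(as_list(s.get("Action", [])))
    return out


# Constructed sample: what GetRolePolicy might return for the thread's existing policy.
EXISTING_DOC = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["appstream:DescribeStacks"], "Resource": "*"}
    ],
}
NEW_ACTIONS = ["acm-pca:ListTags", "acm-pca:GetPolicy", "acm-pca:GetPolicy"]


def append_to_role_policy(role_name, policy_name, actions, iam=None):
    """Hypothetical helper: read-merge-write against AWS. boto3 is imported
    lazily so the merge logic above runs offline. Returns the document written.
    Needs iam:GetRolePolicy and iam:PutRolePolicy on the role."""
    if iam is None:
        import boto3  # assumption: boto3 installed, credentials configured
        iam = boto3.client("iam")
    try:
        current = iam.get_role_policy(RoleName=role_name, PolicyName=policy_name)["PolicyDocument"]
    except iam.exceptions.NoSuchEntityException:
        current = None  # no inline policy of that name yet: start from empty
    merged = merge_inline_policy(current, actions)
    iam.put_role_policy(RoleName=role_name, PolicyName=policy_name,
                        PolicyDocument=render_policy_json(merged))
    return merged


if __name__ == "__main__":
    print(render_policy_json(merge_inline_policy(EXISTING_DOC, NEW_ACTIONS)))
```

Because the merge only adds, it never widens an existing statement and never removes anything, which is what "append" should mean for a permissions document; anything you want taken away still has to be an explicit edit. In a playbook the same shape is a `get` step (for example the collection's own info module or the AWS CLI `iam get-role-policy`), a `set_fact` that merges, and a single iam_policy task fed `policy_json: "{{ merged | to_json }}"`.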

Tony Wong
Feb 10, 2023, 3:18:42 PM
to ansible...@googlegroups.com
hi

I got 

 "msg": "Failed to decode the policy as valid JSON: Expecting value: line 1 column 1 (char 0)"



Tony Wong
Feb 13, 2023, 9:55:47 AM
to ansible...@googlegroups.com
Any idea on this?

fatal: [localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "access_key": null,
            "aws_ca_bundle": null,
            "aws_config": null,
            "debug_botocore_endpoint_logs": false,
            "endpoint_url": null,
            "iam_name": "aws_test_role",
            "iam_type": "role",
            "policy_json": "Version: \"2012-10-17\"\nStatement:\n  - Action: acm-pca:ListTags\n    Effect: Allow\n    Resource: \"*\"\n  - Action: acm-pca:GetPolicy\n    Effect: Allow\n    Resource: \"*\"\n  - Action: acm-pca:GetPolicy\n    Effect: Allow\n    Resource: \"*\"",
            "policy_name": "PrismaCloud-IAM-ReadOnly-Policy",
            "profile": null,
            "region": null,
            "secret_key": null,
            "session_token": null,
            "skip_duplicates": false,
            "state": "present",
            "validate_certs": true
        }
    },

    "msg": "Failed to decode the policy as valid JSON: Expecting value: line 1 column 1 (char 0)"
}

Rowe, Walter P. (Fed)
Feb 13, 2023, 10:16:58 AM
to ansible...@googlegroups.com
Your policy_json doesn't look like JSON.


Walter

Dick Visser
Feb 13, 2023, 11:02:17 AM
to ansible...@googlegroups.com
On Mon, 13 Feb 2023 at 15:55, Tony Wong <tdub...@gmail.com> wrote:

> "msg": "Failed to decode the policy as valid JSON: Expecting value: line 1 column 1 (char 0)"

So, you will need to use proper JSON.
Give this a try:

---
- name: test
  hosts: localhost
  tasks:
    - name: Create IAM Managed Policy
      amazon.aws.iam_policy:
        iam_type: role
        iam_name: "aws_test_role"
        policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
        policy_json: "{{ policy | to_json }}"
        state: present
      vars:
        actions:
          - acm-pca:ListTags
          - acm-pca:GetPolicy
          - acm-pca:GetPolicy
        policy: |

Tony Wong
Feb 13, 2023, 1:47:39 PM
to ansible...@googlegroups.com
Tried it, but it failed:

fatal: [localhost]: FAILED! => {
    "boto3_version": "1.24.27",
    "botocore_version": "1.27.27",
    "changed": false,
    "error": {
        "code": "MalformedPolicyDocument",
        "message": "Syntax errors in policy.",
        "type": "Sender"

    },
    "invocation": {
        "module_args": {
            "access_key": null,
            "aws_ca_bundle": null,
            "aws_config": null,
            "debug_botocore_endpoint_logs": false,
            "endpoint_url": null,
            "iam_name": "aws_test_role",
            "iam_type": "role",
            "policy_json": "\"Version: \\\"2012-10-17\\\"\\nStatement:\\n  - Action: acm-pca:ListTags\\n    Effect: Allow\\n    Resource: \\\"*\\\"\\n  - Action: acm-pca:GetPolicy\\n    Effect: Allow\\n    Resource: \\\"*\\\"\\n  - Action: acm-pca:GetPolicy\\n    Effect: Allow\\n    Resource: \\\"*\\\"\\n\"",

            "policy_name": "PrismaCloud-IAM-ReadOnly-Policy",
            "profile": null,
            "region": null,
            "secret_key": null,
            "session_token": null,
            "skip_duplicates": false,
            "state": "present",
            "validate_certs": true
        }
    },
    "msg": "An error occurred (MalformedPolicyDocument) when calling the PutRolePolicy operation: Syntax errors in policy.",
    "response_metadata": {
        "http_headers": {
            "connection": "close",
            "content-length": "279",
            "content-type": "text/xml",
            "date": "Mon, 13 Feb 2023 16:10:28 GMT",
            "x-amzn-requestid": "8ab06377-a416-45ea-a132-328cd03d329f"
        },
        "http_status_code": 400,
        "request_id": "8ab06377-a416-45ea-a132-328cd03d329f",
        "retry_attempts": 0
    }
}


Rowe, Walter P. (Fed)
Feb 14, 2023, 8:05:57 AM
to ansible...@googlegroups.com
This is not an Ansible problem. You need to read the AWS docs on specifying IAM policies and make sure your policy adheres to their format and only includes the key:value pairs they accept.


Walter
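The two failures in the thread are both about the string handed to policy_json, and both can be caught before anything is sent to AWS. The module's "Failed to decode the policy as valid JSON" is the YAML text from the Jinja loop not being JSON at all; the later MalformedPolicyDocument is `to_json` applied to that YAML *string*, which yields a JSON string literal rather than an object (visible in the escaped quotes of the module_args above). An added Python example of a local pre-flight check (not code from the thread, Ansible or AWS): the structural rules below are the example's own minimal reading of the IAM policy grammar, not AWS's validator, and the sample inputs are constructed to mirror the thread. The wildcard warning at the end is a least-privilege check the thread did not ask for.

```python
"""Local sanity check of an IAM policy document before PutRolePolicy.

Added example, not code from the thread, Ansible or AWS. The allowed-key
sets are a minimal subset of the IAM policy grammar (identity-based policy,
as used for a role's inline policy), chosen for the example.
"""
import json

ALLOWED_TOP = {"Version", "Statement", "Id"}
ALLOWED_STMT = {"Sid", "Effect", "Action", "NotAction", "Resource", "NotResource",
                "Principal", "NotPrincipal", "Condition"}


def check_policy_document(text):
    """Return a list of findings for the policy text; empty means it parses
    as a document of the expected shape."""
    findings = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as e:
        # Same failure the module reports: YAML text is not JSON
        return [f"not JSON: {e.msg} at line {e.lineno} column {e.colno}"]
    if not isinstance(doc, dict):
        # json.dumps() of a str gives a JSON string literal, not an object;
        # AWS answers that with MalformedPolicyDocument
        return [f"top level is {type(doc).__name__}, expected an object"]
    for k in doc:
        if k not in ALLOWED_TOP:
            findings.append(f"unknown top-level key {k!r}")
    if doc.get("Version") != "2012-10-17":
        findings.append("Version should be '2012-10-17'")
    stmts = doc.get("Statement")
    if stmts is None:
        return findings + ["missing Statement"]
    if isinstance(stmts, dict):
        stmts = [stmts]
    if not isinstance(stmts, list):
        return findings + ["Statement must be an object or a list"]
    for i, s in enumerate(stmts):
        where = f"Statement[{i}]"
        if not isinstance(s, dict):
            findings.append(f"{where} is not an object")
            continue
        for k in s:
            if k not in ALLOWED_STMT:
                findings.append(f"{where}: unknown key {k!r}")
        if s.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{where}: Effect must be Allow or Deny")
        if not (set(s) & {"Action", "NotAction"}):
            findings.append(f"{where}: needs Action or NotAction")
        if not (set(s) & {"Resource", "NotResource"}):
            findings.append(f"{where}: needs Resource or NotResource")
        actions = s.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        for a in actions:
            if not isinstance(a, str) or (a != "*" and ":" not in a):
                findings.append(f"{where}: action {a!r} is not service:Operation")
        # Least-privilege warning: Allow * on * is full admin on whatever the role touches
        if s.get("Effect") == "Allow" and "*" in actions and s.get("Resource") == "*":
            findings.append(f"{where}: Allow */* grants everything")
    return findings


def build_policy_text(actions, resource="*"):
    """The working shape: build a dict, then serialise it. This is what
    `policy | to_json` must be given, a mapping, not a block of YAML text."""
    doc = {"Version": "2012-10-17",
           "Statement": [{"Effect": "Allow",
                          "Action": list(dict.fromkeys(actions)),  # drop duplicates, keep order
                          "Resource": resource}]}
    return json.dumps(doc)


# Constructed inputs mirroring the thread: the YAML text, to_json of that text, and a real document.
YAML_TEXT = 'Version: "2012-10-17"\nStatement:\n  - Action: acm-pca:ListTags\n    Effect: Allow\n    Resource: "*"\n'
YAML_AS_JSON_STRING = json.dumps(YAML_TEXT)
GOOD_TEXT = build_policy_text(["acm-pca:ListTags", "acm-pca:GetPolicy", "acm-pca:GetPolicy"])

if __name__ == "__main__":
    for label, text in [("yaml", YAML_TEXT), ("to_json(yaml)", YAML_AS_JSON_STRING), ("good", GOOD_TEXT)]:
        print(label, check_policy_document(text) or "OK")
```

Run before the iam_policy task (or from a pre-commit hook on the rendered template) and the playbook never reaches the IAM API with a document AWS will reject; the findings name the statement index, which the API's "Syntax errors in policy." does not.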

Tony Wong
Feb 16, 2023, 11:11:59 AM
to ansible...@googlegroups.com
OK, this is more of an Ansible problem.

I'd like to put my policy changes in a vars file,

so I've got a policy.yaml file like this:


policy.yaml

acm-pca:ListTags
acm-pca:GetPolicy
acm-pca:GetPolicy

---
- name: test
  hosts: localhost
  vars_files:
    - policy.yml
  tasks:
    - name: Create IAM Managed Policy
      amazon.aws.iam_policy:
        iam_type: role
        iam_name: "aws_test_role"
        policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
        policy_json: "{{ policy | to_json }}"
        state: present
        policy: |
          Version: "2012-10-17"
          Statement:
          {% for action in actions %}
            - Action: {{ action }}
              Effect: Allow
              Resource: "*"
          {% endfor %}


But when I run the playbook it says:

ERROR! variable files must contain either a dictionary of variables, or a list of dictionaries. Got: acm-pca:ListTags acm-pca:GetPolicy acm-pca:GetPolicy (<class 'ansible.parsing.yaml.objects.AnsibleUnicode'>)


Tony Wong
Feb 16, 2023, 12:13:33 PM
to ansible...@googlegroups.com
Ended up using the template lookup method:

---
- name: test
  hosts: localhost
  tasks:
    - name: Create IAM Managed Policy
      amazon.aws.iam_policy:
        iam_type: role
        iam_name: "aws_test_role"
        policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
        policy_json: "{{ lookup('template','policy.json.j2') }}"

Works, but I guess the whole policy needs to be replaced instead of appended.

Dick Visser
Feb 16, 2023, 2:05:39 PM
to ansible...@googlegroups.com
This is correct.

> Got: acm-pca:ListTags acm-pca:GetPolicy acm-pca:GetPolicy (<class 'ansible.parsing.yaml.objects.AnsibleUnicode'>)

Your policy yaml file should read something like

policy:
  - acm-pca:ListTags
  - acm-pca:GetPolicy
  - acm-pca:GetPolicy


Tony Wong
Feb 17, 2023, 10:16:16 AM
to ansible...@googlegroups.com
Now getting this:

fatal: [localhost]: FAILED! => {
    "msg": "The task includes an option with an undefined variable. The error was: 'actions' is undefined\n\nThe error appears to be in '/Users/t/virtualenv/ansible/update_iam_policy/update_iam3.yaml': line 7, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n  tasks:\n  - name: Create IAM Managed Policy\n    ^ here\n"
}

Todd Lewis
Feb 17, 2023, 12:26:09 PM
to Ansible Project
If you're going to post an error indicating an undefined variable problem on line 7 column 5 of a file we don't have, and you aren't going to give us that portion of the file, or show us why you think that variable should be defined at that point, what then do you expect us to do? We're trying to help you after all. Please give us the information necessary to do that.

Rowe, Walter P. (Fed)
Feb 17, 2023, 12:34:21 PM
to ansible...@googlegroups.com
I think they did provide it, just not with line numbers.

---
- name: test
  hosts: localhost
  vars_files:
    - policy.yml
  tasks:
    - name: Create IAM Managed Policy
      amazon.aws.iam_policy:
        iam_type: role
        iam_name: "aws_test_role"
        policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
        policy_json: "{{ policy | to_json }}"
        state: present
        policy: |
          Version: "2012-10-17"
          Statement:
            {% for action in actions %}
              - Action: {{ action }}
                Effect: Allow
                Resource: "*"
            {% endfor %}

Walter