I think they did provide it .. just not with line numbers.

    ---
    - name: test
      hosts: localhost
      vars_files:
        - policy.yml
      tasks:
        - name: Create IAM Managed Policy
          amazon.aws.iam_policy:
            iam_type: role
            iam_name: "aws_test_role"
            policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
            policy_json: "{{ policy | to_json }}"
            state: present
          policy: |
            Version: "2012-10-17"
            Statement:
            {% for action in actions %}
              - Action: {{ action }}
                Effect: Allow
                Resource: "*"
            {% endfor %}

Walter
--
Walter Rowe, Division Chief
Infrastructure Services, OISM
Mobile: 202.355.4123

On Feb 17, 2023, at 12:26 PM, Todd Lewis <uto...@gmail.com> wrote:

If you're going to post an error indicating an undefined variable problem on line 7 column 5 of a file we don't have, and you aren't going to give us that portion of the file, or show us why you think that variable should be defined at that point, what then do you expect us to do? We're trying to help you after all. Please give us the information necessary to do that.

On Friday, February 17, 2023 at 10:16:16 AM UTC-5 Tony Wong wrote:

now getting this

    fatal: [localhost]: FAILED! => {
        "msg": "The task includes an option with an undefined variable. The error was: 'actions' is undefined\n\nThe error appears to be in '/Users/t/virtualenv/ansible/update_iam_policy/update_iam3.yaml': line 7, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n tasks:\n - name: Create IAM Managed Policy\n ^ here\n"
    }

On Thu, Feb 16, 2023 at 11:05 AM Dick Visser <dnmv...@gmail.com> wrote:

On Thu, 16 Feb 2023 at 17:11, Tony Wong <tdub...@gmail.com> wrote:

ok this is more of an ansible problem. I like to put my policy changes in a vars file so I got a policy.yaml file like this

policy.yaml

    acm-pca:ListTags
    acm-pca:GetPolicy
    acm-pca:GetPolicy

    ---
    - name: test
      hosts: localhost
      vars_files:
        - policy.yml
      tasks:
        - name: Create IAM Managed Policy
          amazon.aws.iam_policy:
            iam_type: role
            iam_name: "aws_test_role"
            policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
            policy_json: "{{ policy | to_json }}"
            state: present
          policy: |
            Version: "2012-10-17"
            Statement:
            {% for action in actions %}
              - Action: {{ action }}
                Effect: Allow
                Resource: "*"
            {% endfor %}

but when I run the pb it says

    ERROR! variable files must contain either a dictionary of variables, or a list of dictionaries. Got: acm-pca:ListTags acm-pca:GetPolicy acm-pca:GetPolicy (<class 'ansible.parsing.yaml.objects.AnsibleUnicode'>)

This is correct. Your policy yaml file should read something like

    policy:
      acm-pca:ListTags
      acm-pca:GetPolicy
      acm-pca:GetPolicy

On Tue, Feb 14, 2023 at 5:05 AM 'Rowe, Walter P. (Fed)' via Ansible Project <ansible...@googlegroups.com> wrote:

This is not an ansible problem. You need to read the AWS docs on specifying IAM policies and make sure your policy adheres to their format and only includes the key:value pairs they accept.

Walter
--
Walter Rowe, Division Chief
Infrastructure Services, OISM
Mobile: 202.355.4123

On Feb 13, 2023, at 1:47 PM, Tony Wong <tdub...@gmail.com> wrote:

tried but it failed

    fatal: [localhost]: FAILED! => {
        "boto3_version": "1.24.27",
        "botocore_version": "1.27.27",
        "changed": false,
        "error": {
            "code": "MalformedPolicyDocument",
            "message": "Syntax errors in policy.",
            "type": "Sender"
        },
        "invocation": {
            "module_args": {
                "access_key": null,
                "aws_ca_bundle": null,
                "aws_config": null,
                "debug_botocore_endpoint_logs": false,
                "endpoint_url": null,
                "iam_name": "aws_test_role",
                "iam_type": "role",
                "policy_json": "\"Version: \\\"2012-10-17\\\"\\nStatement:\\n - Action: acm-pca:ListTags\\n Effect: Allow\\n Resource: \\\"*\\\"\\n - Action: acm-pca:GetPolicy\\n Effect: Allow\\n Resource: \\\"*\\\"\\n - Action: acm-pca:GetPolicy\\n Effect: Allow\\n Resource: \\\"*\\\"\\n\"",
                "policy_name": "PrismaCloud-IAM-ReadOnly-Policy",
                "profile": null,
                "region": null,
                "secret_key": null,
                "session_token": null,
                "skip_duplicates": false,
                "state": "present",
                "validate_certs": true
            }
        },
        "msg": "An error occurred (MalformedPolicyDocument) when calling the PutRolePolicy operation: Syntax errors in policy.",
        "response_metadata": {
            "http_headers": {
                "connection": "close",
                "content-length": "279",
                "content-type": "text/xml",
                "date": "Mon, 13 Feb 2023 16:10:28 GMT",
                "x-amzn-requestid": "8ab06377-a416-45ea-a132-328cd03d329f"
            },
            "http_status_code": 400,
            "request_id": "8ab06377-a416-45ea-a132-328cd03d329f",
            "retry_attempts": 0
        }
    }

On Mon, Feb 13, 2023 at 8:02 AM Dick Visser <dnmv...@gmail.com> wrote:

On Mon, 13 Feb 2023 at 15:55, Tony Wong <tdub...@gmail.com> wrote:
> "msg": "Failed to decode the policy as valid JSON: Expecting value: line 1 column 1 (char 0)"

So, you will need to use proper JSON. Give this a try:

    ---
    - name: test
      hosts: localhost
      tasks:
        - name: Create IAM Managed Policy
          amazon.aws.iam_policy:
            iam_type: role
            iam_name: "aws_test_role"
            policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
            policy_json: "{{ policy | to_json }}"
            state: present
          vars:
            actions:
              - acm-pca:ListTags
              - acm-pca:GetPolicy
              - acm-pca:GetPolicy
            policy: |
              Version: "2012-10-17"
              Statement:
              {% for action in actions %}
                - Action: {{ action }}
                  Effect: Allow
                  Resource: "*"
              {% endfor %}

--
You received this message because you are subscribed to a topic in the Google Groups "Ansible Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-project/WZzXL_z_teA/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ansible-proje...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAF8BbLZKn4GQEjnRUGTTsZ358_mJ6a1cpqyRPtbXvMzoUNtvJQ%40mail.gmail.com.
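The two failures in this thread have one cause each, and neither is fixed by the playbooks posted above. The "MalformedPolicyDocument" error shows why: the `policy_json` value in the module_args is a JSON string (`"\"Version: ..."`) because `policy: |` is a YAML block scalar, so `to_json` serialised the YAML text as one quoted string instead of producing a JSON object. The later "variable files must contain either a dictionary" error is the YAML parser folding three bare lines in policy.yaml into a single string. The following is an added example, not code from the thread or from the amazon.aws collection; it reuses the role and policy names from the thread and assumes the vars file is named policy.yml. It builds the policy as data and lets `to_json` serialise that, so IAM receives a proper JSON document. Note that `amazon.aws.iam_policy` calls PutRolePolicy (visible in the error output), i.e. it attaches an inline policy to the role rather than creating a standalone managed policy.

```yaml
# Added example (not from the thread). Two files are shown in one block,
# separated by a YAML document marker; the comments name each file.
#
# policy.yml -- a vars file must be a mapping. Three bare lines are parsed as
# one folded plain scalar, which is the "Got: acm-pca:ListTags acm-pca:GetPolicy
# ..." (AnsibleUnicode) error seen in the thread.
actions:
  - acm-pca:ListTags
  - acm-pca:GetPolicy
  - acm-pca:GetPolicy        # duplicate kept on purpose; 'unique' drops it below
---
# update_iam_policy.yml
- name: Attach a read-only inline policy to a role
  hosts: localhost
  gather_facts: false
  vars_files:
    - policy.yml
  vars:
    # Build the policy document as a dict/list structure, not as templated
    # YAML text. to_json on a dict yields a JSON object; to_json on a block
    # scalar yields a JSON *string*, which IAM rejects as MalformedPolicyDocument.
    policy_document:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action: "{{ actions | unique }}"
          Resource: "*"      # narrow to the CA ARNs actually needed where possible
  tasks:
    - name: Fail early if policy.yml did not supply a list of actions
      ansible.builtin.assert:
        that:
          - actions is defined
          - actions is not string
          - actions | length > 0
        fail_msg: "policy.yml must define 'actions' as a YAML list of IAM actions"

    - name: Show the exact JSON that will be sent to IAM (handy when debugging)
      ansible.builtin.debug:
        msg: "{{ policy_document | to_json }}"

    - name: Put the inline policy on the role (PutRolePolicy, as in the error output)
      amazon.aws.iam_policy:
        iam_type: role
        iam_name: aws_test_role
        policy_name: PrismaCloud-IAM-ReadOnly-Policy
        policy_json: "{{ policy_document | to_json }}"
        state: present
```

The assert task turns the two silent data-shape mistakes from the thread (a missing `actions` variable, or a string where a list was expected) into an explicit failure before any AWS call is made, and the debug task prints the rendered document so a bad policy can be compared against the IAM policy grammar before PutRolePolicy is attempted.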