ansible / ansible.builtin / v2.5.10 / module / iam Manage IAM users, groups, roles and keys | "added in version" 2.0 of ansible.builtin" Authors: Jonathan I. Davila (@defionscode), Paul Seiffert (@seiffert) stableinterface | supported by certifiedansible.builtin.iam (v2.5.10) — module
pip
Install with pip install ansible==2.5.10
Allows for the management of IAM users, user API keys, groups, roles.
name: description: - Name of IAM resource to create or identify required: true path: default: / description: - When creating or updating, specify the desired path of the resource. If state is present, it will replace the current path to match what is passed in when they do not match. required: false state: choices: - present - absent - update default: null description: - Whether to create, delete or update the IAM resource. Note, roles cannot be updated. required: true groups: default: null description: - A list of groups the user should belong to. When update, will gracefully remove groups not listed. required: false region: aliases: - aws_region - ec2_region description: - The AWS region to use. - For global services such as IAM, Route53 and CloudFront, I(region) is ignored. - The C(AWS_REGION) or C(EC2_REGION) environment variables may also be used. - See the Amazon AWS documentation for more information U(http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region). - The C(ec2_region) alias has been deprecated and will be removed in a release after 2024-12-01 - Support for the C(EC2_REGION) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str profile: aliases: - aws_profile description: - A named AWS profile to use for authentication. - See the AWS documentation for more information about named profiles U(https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html). - The C(AWS_PROFILE) environment variable may also be used. - The I(profile) option is mutually exclusive with the I(aws_access_key), I(aws_secret_key) and I(security_token) options. type: str iam_type: choices: - user - group - role default: null description: - Type of IAM resource required: true new_name: default: null description: - When state is update, will replace name with new_name on IAM resource required: false new_path: default: null description: - When state is update, will replace the path with new_path on the IAM resource required: false password: default: null description: - When type is user and state is present, define the users login password. Also works with update. Note that always returns changed. required: false key_count: default: '1' description: - When access_key_state is create it will ensure this quantity of keys are present. Defaults to 1. required: false access_key: aliases: - aws_access_key_id - aws_access_key - ec2_access_key description: - AWS access key ID. - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). - The C(AWS_ACCESS_KEY_ID), C(AWS_ACCESS_KEY) or C(EC2_ACCESS_KEY) environment variables may also be used in decreasing order of preference. - The I(aws_access_key) and I(profile) options are mutually exclusive. - The I(aws_access_key_id) alias was added in release 5.1.0 for consistency with the AWS botocore SDK. - The I(ec2_access_key) alias has been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_ACCESS_KEY) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str aws_config: description: - A dictionary to modify the botocore configuration. - Parameters can be found in the AWS documentation U(https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config). type: dict secret_key: aliases: - aws_secret_access_key - aws_secret_key - ec2_secret_key description: - AWS secret access key. - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). - The C(AWS_SECRET_ACCESS_KEY), C(AWS_SECRET_KEY), or C(EC2_SECRET_KEY) environment variables may also be used in decreasing order of preference. - The I(secret_key) and I(profile) options are mutually exclusive. - The I(aws_secret_access_key) alias was added in release 5.1.0 for consistency with the AWS botocore SDK. - The I(ec2_secret_key) alias has been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_SECRET_KEY) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str endpoint_url: aliases: - ec2_url - aws_endpoint_url - s3_url description: - URL to connect to instead of the default AWS endpoints. While this can be used to connection to other AWS-compatible services the amazon.aws and community.aws collections are only tested against AWS. - The C(AWS_URL) or C(EC2_URL) environment variables may also be used, in decreasing order of preference. - The I(ec2_url) and I(s3_url) aliases have been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_URL) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str trust_policy: default: null description: - The inline (JSON or YAML) trust policy document that grants an entity permission to assume the role. Mutually exclusive with C(trust_policy_filepath). required: false version_added: '2.2' version_added_collection: ansible.builtin aws_ca_bundle: description: - The location of a CA Bundle to use when validating SSL certificates. - The C(AWS_CA_BUNDLE) environment variable may also be used. type: path session_token: aliases: - aws_session_token - security_token - aws_security_token - access_token description: - AWS STS session token for use with temporary credentials. - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). - The C(AWS_SESSION_TOKEN), C(AWS_SECURITY_TOKEN) or C(EC2_SECURITY_TOKEN) environment variables may also be used in decreasing order of preference. - The I(security_token) and I(profile) options are mutually exclusive. - Aliases I(aws_session_token) and I(session_token) were added in release 3.2.0, with the parameter being renamed from I(security_token) to I(session_token) in release 6.0.0. - The I(security_token), I(aws_security_token), and I(access_token) aliases have been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_SECRET_KEY) and C(AWS_SECURITY_TOKEN) environment variables has been deprecated and will be removed in a release after 2024-12-01. type: str access_key_ids: description: - A list of the keys that you want impacted by the access_key_state parameter. validate_certs: default: true description: - When set to C(false), SSL certificates will not be validated for communication with the AWS APIs. - Setting I(validate_certs=false) is strongly discouraged, as an alternative, consider setting I(aws_ca_bundle) instead. type: bool update_password: choices: - always - on_create default: always description: - C(always) will update passwords if they differ. C(on_create) will only set the password for newly created users. required: false access_key_state: choices: - create - remove - active - inactive default: null description: - When type is user, it creates, removes, deactivates or activates a user's access key(s). Note that actions apply only to keys specified. required: false trust_policy_filepath: default: null description: - The path to the trust policy document that grants an entity permission to assume the role. Mutually exclusive with C(trust_policy). required: false version_added: '2.2' version_added_collection: ansible.builtin debug_botocore_endpoint_logs: default: false description: - Use a C(botocore.endpoint) logger to parse the unique (rather than total) C("resource:action") API calls made during a task, outputing the set to the resource_actions key in the task results. Use the C(aws_resource_action) callback to output to total list made during a playbook. - The C(ANSIBLE_DEBUG_BOTOCORE_LOGS) environment variable may also be used. type: bool
role_result: description: the IAM.role dict returned by Boto returned: if iam_type=role and state=present sample: arn: arn:aws:iam::A1B2C3D4E5F6:role/my-new-role assume_role_policy_document: '...truncated...' create_date: '2017-09-02T14:32:23Z' path: / role_id: AROAA1B2C3D4E5F6G7H8I role_name: my-new-role type: string roles: description: a list containing the name of the currently defined roles returned: if iam_type=role and state=present sample: - my-new-role - my-existing-role-1 - my-existing-role-2 - my-existing-role-3 - my-existing-role-... type: list