ansible / ansible.builtin / v2.5.12 / module / iam_role Manage AWS IAM roles | "added in version" 2.3 of ansible.builtin" Authors: Rob White (@wimnat) preview | supported by communityansible.builtin.iam_role (v2.5.12) — module
pip
Install with pip install ansible==2.5.12
Manage AWS IAM roles
# Note: These examples do not set authentication details, see the AWS Guide for details. - name: Create a role with description iam_role: name: mynewrole assume_role_policy_document: "{{ lookup('file','policy.json') }}" description: This is My New Role
- name: "Create a role and attach a managed policy called 'PowerUserAccess'" iam_role: name: mynewrole assume_role_policy_document: "{{ lookup('file','policy.json') }}" managed_policy: - arn:aws:iam::aws:policy/PowerUserAccess
- name: Keep the role created above but remove all managed policies iam_role: name: mynewrole assume_role_policy_document: "{{ lookup('file','policy.json') }}" managed_policy: -
- name: Delete the role iam_role: name: mynewrole assume_role_policy_document: "{{ lookup('file', 'policy.json') }}" state: absent
name: description: - The name of the role to create. required: true path: default: / description: - The path to the role. For more information about paths, see U(http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html). state: choices: - present - absent default: present description: - Create or remove the IAM role region: aliases: - aws_region - ec2_region description: - The AWS region to use. - For global services such as IAM, Route53 and CloudFront, I(region) is ignored. - The C(AWS_REGION) or C(EC2_REGION) environment variables may also be used. - See the Amazon AWS documentation for more information U(http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region). - The C(ec2_region) alias has been deprecated and will be removed in a release after 2024-12-01 - Support for the C(EC2_REGION) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str profile: aliases: - aws_profile description: - A named AWS profile to use for authentication. - See the AWS documentation for more information about named profiles U(https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html). - The C(AWS_PROFILE) environment variable may also be used. - The I(profile) option is mutually exclusive with the I(aws_access_key), I(aws_secret_key) and I(security_token) options. type: str access_key: aliases: - aws_access_key_id - aws_access_key - ec2_access_key description: - AWS access key ID. - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). - The C(AWS_ACCESS_KEY_ID), C(AWS_ACCESS_KEY) or C(EC2_ACCESS_KEY) environment variables may also be used in decreasing order of preference. - The I(aws_access_key) and I(profile) options are mutually exclusive. - The I(aws_access_key_id) alias was added in release 5.1.0 for consistency with the AWS botocore SDK. - The I(ec2_access_key) alias has been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_ACCESS_KEY) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str aws_config: description: - A dictionary to modify the botocore configuration. - Parameters can be found in the AWS documentation U(https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config). type: dict secret_key: aliases: - aws_secret_access_key - aws_secret_key - ec2_secret_key description: - AWS secret access key. - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). - The C(AWS_SECRET_ACCESS_KEY), C(AWS_SECRET_KEY), or C(EC2_SECRET_KEY) environment variables may also be used in decreasing order of preference. - The I(secret_key) and I(profile) options are mutually exclusive. - The I(aws_secret_access_key) alias was added in release 5.1.0 for consistency with the AWS botocore SDK. - The I(ec2_secret_key) alias has been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_SECRET_KEY) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str description: description: - Provide a description of the new role version_added: '2.5' version_added_collection: ansible.builtin endpoint_url: aliases: - ec2_url - aws_endpoint_url - s3_url description: - URL to connect to instead of the default AWS endpoints. While this can be used to connection to other AWS-compatible services the amazon.aws and community.aws collections are only tested against AWS. - The C(AWS_URL) or C(EC2_URL) environment variables may also be used, in decreasing order of preference. - The I(ec2_url) and I(s3_url) aliases have been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_URL) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str aws_ca_bundle: description: - The location of a CA Bundle to use when validating SSL certificates. - The C(AWS_CA_BUNDLE) environment variable may also be used. type: path session_token: aliases: - aws_session_token - security_token - aws_security_token - access_token description: - AWS STS session token for use with temporary credentials. - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). - The C(AWS_SESSION_TOKEN), C(AWS_SECURITY_TOKEN) or C(EC2_SECURITY_TOKEN) environment variables may also be used in decreasing order of preference. - The I(security_token) and I(profile) options are mutually exclusive. - Aliases I(aws_session_token) and I(session_token) were added in release 3.2.0, with the parameter being renamed from I(security_token) to I(session_token) in release 6.0.0. - The I(security_token), I(aws_security_token), and I(access_token) aliases have been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_SECRET_KEY) and C(AWS_SECURITY_TOKEN) environment variables has been deprecated and will be removed in a release after 2024-12-01. type: str managed_policy: aliases: - managed_policies description: - A list of managed policy ARNs or, since Ansible 2.4, a list of either managed policy ARNs or friendly names. To embed an inline policy, use M(iam_policy). To remove existing policies, use an empty list item. purge_policies: default: true description: - Detaches any managed policies not listed in the "managed_policy" option. Set to false if you want to attach policies elsewhere. type: bool version_added: '2.5' version_added_collection: ansible.builtin validate_certs: default: true description: - When set to C(false), SSL certificates will not be validated for communication with the AWS APIs. - Setting I(validate_certs=false) is strongly discouraged, as an alternative, consider setting I(aws_ca_bundle) instead. type: bool create_instance_profile: default: true description: - Creates an IAM instance profile along with the role type: bool version_added: '2.5' version_added_collection: ansible.builtin assume_role_policy_document: description: - The trust relationship policy document that grants an entity permission to assume the role. - This parameter is required when C(state=present). debug_botocore_endpoint_logs: default: false description: - Use a C(botocore.endpoint) logger to parse the unique (rather than total) C("resource:action") API calls made during a task, outputing the set to the resource_actions key in the task results. Use the C(aws_resource_action) callback to output to total list made during a playbook. - The C(ANSIBLE_DEBUG_BOTOCORE_LOGS) environment variable may also be used. type: bool
iam_role: contains: arn: description: the Amazon Resource Name (ARN) specifying the role returned: always sample: arn:aws:iam::1234567890:role/mynewrole type: string assume_role_policy_document: description: the policy that grants an entity permission to assume the role returned: always sample: statement: - action: sts:AssumeRole effect: Allow principal: service: ec2.amazonaws.com sid: '' version: '2012-10-17' type: string attached_policies: description: a list of dicts containing the name and ARN of the managed IAM policies attached to the role returned: always sample: - policy_arn: arn:aws:iam::aws:policy/PowerUserAccess policy_name: PowerUserAccess type: list create_date: description: the date and time, in ISO 8601 date-time format, when the role was created returned: always sample: '2016-08-14T04:36:28+00:00' type: string path: description: the path to the role returned: always sample: / type: string role_id: description: the stable and unique string identifying the role returned: always sample: ABCDEFF4EZ4ABCDEFV4ZC type: string role_name: description: the friendly name that identifies the role returned: always sample: myrole type: string description: dictionary containing the IAM Role data returned: success type: complex