Try SpotterManage AWS IAM groups
| "added in version" 2.4 of ansible.builtin"
Authors: Nick Aslanidis (@naslanidis), Maksym Postument (@infectsoldier)
preview | supported by community
pipInstall with pip install ansible==2.9.17
Manage AWS IAM groups
# Note: These examples do not set authentication details, see the AWS Guide for details.
# Create a group
- iam_group:
name: testgroup1
state: present
# Create a group and attach a managed policy using its ARN
- iam_group:
name: testgroup1
managed_policy:
- arn:aws:iam::aws:policy/AmazonSNSFullAccess
state: present
# Create a group with users as members and attach a managed policy using its ARN
- iam_group:
name: testgroup1
managed_policy:
- arn:aws:iam::aws:policy/AmazonSNSFullAccess
users:
- test_user1
- test_user2
state: present
# Remove all managed policies from an existing group with an empty list
- iam_group:
name: testgroup1
state: present
purge_policy: true
# Remove all group members from an existing group
- iam_group:
name: testgroup1
managed_policy:
- arn:aws:iam::aws:policy/AmazonSNSFullAccess
purge_users: true
state: present
# Delete the group
- iam_group:
name: testgroup1
state: absent
name:
description:
- The name of the group to create.
required: true
type: str
state:
choices:
- present
- absent
description:
- Create or remove the IAM group
required: true
type: str
users:
description:
- A list of existing users to add as members of the group.
required: false
type: list
region:
aliases:
- aws_region
- ec2_region
description:
- The AWS region to use. If not specified then the value of the AWS_REGION or EC2_REGION
environment variable, if any, is used. See U(http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region)
type: str
ec2_url:
aliases:
- aws_endpoint_url
- endpoint_url
description:
- URL to use to connect to EC2 or your Eucalyptus cloud (by default the module will
use EC2 endpoints). Ignored for modules where region is required. Must be specified
for all other modules if region is not used. If not set then the value of the EC2_URL
environment variable, if any, is used.
type: str
profile:
aliases:
- aws_profile
description:
- Using I(profile) will override I(aws_access_key), I(aws_secret_key) and I(security_token)
and support for passing them at the same time as I(profile) has been deprecated.
- I(aws_access_key), I(aws_secret_key) and I(security_token) will be made mutually
exclusive with I(profile) after 2022-06-01.
type: str
aws_config:
description:
- A dictionary to modify the botocore configuration.
- Parameters can be found at U(https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config).
- Only the 'user_agent' key is used for boto modules. See U(http://boto.cloudhackers.com/en/latest/boto_config_tut.html#boto)
for more boto configuration.
type: dict
purge_users:
default: false
description:
- Detach users which not included in users list
required: false
type: bool
purge_policy:
default: false
description:
- Detach policy which not included in managed_policy list
required: false
type: bool
aws_ca_bundle:
description:
- The location of a CA Bundle to use when validating SSL certificates.
- Not used by boto 2 based modules.
- 'Note: The CA Bundle is read ''module'' side and may need to be explicitly copied
from the controller if not run locally.'
type: path
aws_access_key:
aliases:
- ec2_access_key
- access_key
description:
- C(AWS access key). If not set then the value of the C(AWS_ACCESS_KEY_ID), C(AWS_ACCESS_KEY)
or C(EC2_ACCESS_KEY) environment variable is used.
- If I(profile) is set this parameter is ignored.
- Passing the I(aws_access_key) and I(profile) options at the same time has been deprecated
and the options will be made mutually exclusive after 2022-06-01.
type: str
aws_secret_key:
aliases:
- ec2_secret_key
- secret_key
description:
- C(AWS secret key). If not set then the value of the C(AWS_SECRET_ACCESS_KEY), C(AWS_SECRET_KEY),
or C(EC2_SECRET_KEY) environment variable is used.
- If I(profile) is set this parameter is ignored.
- Passing the I(aws_secret_key) and I(profile) options at the same time has been deprecated
and the options will be made mutually exclusive after 2022-06-01.
type: str
managed_policy:
description:
- A list of managed policy ARNs or friendly names to attach to the role. To embed
an inline policy, use M(iam_policy).
required: false
type: list
security_token:
aliases:
- aws_security_token
- access_token
description:
- C(AWS STS security token). If not set then the value of the C(AWS_SECURITY_TOKEN)
or C(EC2_SECURITY_TOKEN) environment variable is used.
- If I(profile) is set this parameter is ignored.
- Passing the I(security_token) and I(profile) options at the same time has been deprecated
and the options will be made mutually exclusive after 2022-06-01.
type: str
validate_certs:
default: true
description:
- When set to "no", SSL certificates will not be validated for communication with
the AWS APIs.
type: bool
debug_botocore_endpoint_logs:
default: 'no'
description:
- Use a botocore.endpoint logger to parse the unique (rather than total) "resource:action"
API calls made during a task, outputing the set to the resource_actions key in the
task results. Use the aws_resource_action callback to output to total list made
during a playbook. The ANSIBLE_DEBUG_BOTOCORE_LOGS environment variable may also
be used.
type: bool
group:
contains:
arn:
description: the Amazon Resource Name (ARN) specifying the group
sample: arn:aws:iam::1234567890:group/testgroup1
type: str
create_date:
description: the date and time, in ISO 8601 date-time format, when the group
was created
sample: '2017-02-08T04:36:28+00:00'
type: str
group_id:
description: the stable and unique string identifying the group
sample: AGPAIDBWE12NSFINE55TM
type: str
group_name:
description: the friendly name that identifies the group
sample: testgroup1
type: str
path:
description: the path to the group
sample: /
type: str
description: dictionary containing all the group information
returned: success
type: complex
users:
contains:
arn:
description: the Amazon Resource Name (ARN) specifying the user
sample: arn:aws:iam::1234567890:user/test_user1
type: str
create_date:
description: the date and time, in ISO 8601 date-time format, when the user
was created
sample: '2017-02-08T04:36:28+00:00'
type: str
path:
description: the path to the user
sample: /
type: str
user_id:
description: the stable and unique string identifying the user
sample: AIDAIZTPY123YQRS22YU2
type: str
user_name:
description: the friendly name that identifies the user
sample: testgroup1
type: str
description: list containing all the group members
returned: success
type: complex