community / community.aws / 1.1.0 / module / iam Manage IAM users, groups, roles and keys | "added in version" 1.0.0 of community.aws" Authors: Jonathan I. Davila (@defionscode), Paul Seiffert (@seiffert)community.aws.iam (1.1.0) — module
Install with ansible-galaxy collection install community.aws:==1.1.0
collections: - name: community.aws version: 1.1.0
Allows for the management of IAM users, user API keys, groups, roles.
# Basic user creation example - name: Create two new IAM users with API keys community.aws.iam: iam_type: user name: "{{ item }}" state: present password: "{{ temp_pass }}" access_key_state: create loop: - jcleese - mpython
# Advanced example, create two new groups and add the pre-existing user # jdavila to both groups. - name: Create Two Groups, Mario and Luigi community.aws.iam: iam_type: group name: "{{ item }}" state: present loop: - Mario - Luigi register: new_groups
- name: Update user community.aws.iam: iam_type: user name: jdavila state: update groups: "{{ item.created_group.group_name }}" loop: "{{ new_groups.results }}"
# Example of role with custom trust policy for Lambda service - name: Create IAM role with custom trust relationship community.aws.iam: iam_type: role name: AAALambdaTestRole state: present trust_policy: Version: '2012-10-17' Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: lambda.amazonaws.com
name: description: - Name of IAM resource to create or identify. required: true type: str path: default: / description: - When creating or updating, specify the desired path of the resource. - If I(state=present), it will replace the current path to match what is passed in when they do not match. type: str state: choices: - present - absent - update description: - Whether to create, delete or update the IAM resource. Note, roles cannot be updated. required: true type: str groups: description: - A list of groups the user should belong to. When I(state=update), will gracefully remove groups not listed. elements: str type: list region: aliases: - aws_region - ec2_region description: - The AWS region to use. - For global services such as IAM, Route53 and CloudFront, I(region) is ignored. - The C(AWS_REGION) or C(EC2_REGION) environment variables may also be used. - See the Amazon AWS documentation for more information U(http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region). - The C(ec2_region) alias has been deprecated and will be removed in a release after 2024-12-01 - Support for the C(EC2_REGION) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str profile: aliases: - aws_profile description: - A named AWS profile to use for authentication. - See the AWS documentation for more information about named profiles U(https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html). - The C(AWS_PROFILE) environment variable may also be used. - The I(profile) option is mutually exclusive with the I(aws_access_key), I(aws_secret_key) and I(security_token) options. type: str iam_type: choices: - user - group - role description: - Type of IAM resource. required: true type: str new_name: description: - When I(state=update), will replace I(name) with I(new_name) on IAM resource. type: str new_path: description: - When I(state=update), will replace the path with new_path on the IAM resource. type: str password: description: - When I(type=user) and either I(state=present) or I(state=update), define the users login password. - Note that this will always return 'changed'. type: str key_count: default: 1 description: - When I(access_key_state=create) it will ensure this quantity of keys are present. type: int access_key: aliases: - aws_access_key_id - aws_access_key - ec2_access_key description: - AWS access key ID. - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). - The C(AWS_ACCESS_KEY_ID), C(AWS_ACCESS_KEY) or C(EC2_ACCESS_KEY) environment variables may also be used in decreasing order of preference. - The I(aws_access_key) and I(profile) options are mutually exclusive. - The I(aws_access_key_id) alias was added in release 5.1.0 for consistency with the AWS botocore SDK. - The I(ec2_access_key) alias has been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_ACCESS_KEY) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str aws_config: description: - A dictionary to modify the botocore configuration. - Parameters can be found in the AWS documentation U(https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config). type: dict secret_key: aliases: - aws_secret_access_key - aws_secret_key - ec2_secret_key description: - AWS secret access key. - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). - The C(AWS_SECRET_ACCESS_KEY), C(AWS_SECRET_KEY), or C(EC2_SECRET_KEY) environment variables may also be used in decreasing order of preference. - The I(secret_key) and I(profile) options are mutually exclusive. - The I(aws_secret_access_key) alias was added in release 5.1.0 for consistency with the AWS botocore SDK. - The I(ec2_secret_key) alias has been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_SECRET_KEY) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str endpoint_url: aliases: - ec2_url - aws_endpoint_url - s3_url description: - URL to connect to instead of the default AWS endpoints. While this can be used to connection to other AWS-compatible services the amazon.aws and community.aws collections are only tested against AWS. - The C(AWS_URL) or C(EC2_URL) environment variables may also be used, in decreasing order of preference. - The I(ec2_url) and I(s3_url) aliases have been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_URL) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str trust_policy: description: - The inline (JSON or YAML) trust policy document that grants an entity permission to assume the role. - Mutually exclusive with I(trust_policy_filepath). type: dict aws_ca_bundle: description: - The location of a CA Bundle to use when validating SSL certificates. - The C(AWS_CA_BUNDLE) environment variable may also be used. type: path session_token: aliases: - aws_session_token - security_token - aws_security_token - access_token description: - AWS STS session token for use with temporary credentials. - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). - The C(AWS_SESSION_TOKEN), C(AWS_SECURITY_TOKEN) or C(EC2_SECURITY_TOKEN) environment variables may also be used in decreasing order of preference. - The I(security_token) and I(profile) options are mutually exclusive. - Aliases I(aws_session_token) and I(session_token) were added in release 3.2.0, with the parameter being renamed from I(security_token) to I(session_token) in release 6.0.0. - The I(security_token), I(aws_security_token), and I(access_token) aliases have been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_SECRET_KEY) and C(AWS_SECURITY_TOKEN) environment variables has been deprecated and will be removed in a release after 2024-12-01. type: str access_key_ids: description: - A list of the keys that you want affected by the I(access_key_state) parameter. elements: str type: list validate_certs: default: true description: - When set to C(false), SSL certificates will not be validated for communication with the AWS APIs. - Setting I(validate_certs=false) is strongly discouraged, as an alternative, consider setting I(aws_ca_bundle) instead. type: bool update_password: choices: - always - on_create default: always description: - When to update user passwords. - I(update_password=always) will ensure the password is set to I(password). - I(update_password=on_create) will only set the password for newly created users. type: str access_key_state: choices: - create - remove - active - inactive - Create - Remove - Active - Inactive description: - When type is user, it creates, removes, deactivates or activates a user's access key(s). Note that actions apply only to keys specified. type: str trust_policy_filepath: description: - The path to the trust policy document that grants an entity permission to assume the role. - Mutually exclusive with I(trust_policy). type: str debug_botocore_endpoint_logs: default: false description: - Use a C(botocore.endpoint) logger to parse the unique (rather than total) C("resource:action") API calls made during a task, outputing the set to the resource_actions key in the task results. Use the C(aws_resource_action) callback to output to total list made during a playbook. - The C(ANSIBLE_DEBUG_BOTOCORE_LOGS) environment variable may also be used. type: bool
role_result: description: the IAM.role dict returned by Boto returned: if iam_type=role and state=present sample: arn: arn:aws:iam::A1B2C3D4E5F6:role/my-new-role assume_role_policy_document: '...truncated...' create_date: '2017-09-02T14:32:23Z' path: / role_id: AROAA1B2C3D4E5F6G7H8I role_name: my-new-role type: str roles: description: a list containing the name of the currently defined roles returned: if iam_type=role and state=present sample: - my-new-role - my-existing-role-1 - my-existing-role-2 - my-existing-role-3 - my-existing-role-... type: list