Deprecated

Removed in 3.0.0


Reason: The iam module is based upon a deprecated version of the AWS SDK.

Alternative: Use the M(community.aws.iam_user), M(community.aws.iam_group), M(community.aws.iam_role), M(community.aws.iam_policy) and M(community.aws.iam_managed_policy) modules.

community.aws.iam (2.6.1) — module

Manage IAM users, groups, roles and keys

Added in version 1.0.0 of community.aws

Authors: Jonathan I. Davila (@defionscode), Paul Seiffert (@seiffert)

Install collection

Install with ansible-galaxy collection install community.aws:==2.6.1


Add to requirements.yml

  collections:
    - name: community.aws
      version: 2.6.1

Description

Allows for the management of IAM users, user API keys, groups, roles.


Requirements

Usage examples

# Basic user creation example
- name: Create two new IAM users with API keys
  community.aws.iam:
    iam_type: user
    name: "{{ item }}"
    state: present
    password: "{{ temp_pass }}"
    access_key_state: create
  loop:
    - jcleese
    - mpython
# Advanced example, create two new groups and add the pre-existing user
# jdavila to both groups.
- name: Create Two Groups, Mario and Luigi
  community.aws.iam:
    iam_type: group
    name: "{{ item }}"
    state: present
  loop:
    - Mario
    - Luigi
  register: new_groups
- name: Update user
  community.aws.iam:
    iam_type: user
    name: jdavila
    state: update
    groups: "{{ item.created_group.group_name }}"
  loop: "{{ new_groups.results }}"
# Example of role with custom trust policy for Lambda service
- name: Create IAM role with custom trust relationship
  community.aws.iam:
    iam_type: role
    name: AAALambdaTestRole
    state: present
    trust_policy:
      Version: '2012-10-17'
      Statement:
      - Action: sts:AssumeRole
        Effect: Allow
        Principal:
          Service: lambda.amazonaws.com

Inputs

name:
    description:
    - Name of IAM resource to create or identify.
    required: true
    type: str

path:
    default: /
    description:
    - When creating or updating, specify the desired path of the resource.
    - If I(state=present), it will replace the current path to match what is passed in
      when they do not match.
    type: str

state:
    choices:
    - present
    - absent
    - update
    description:
    - Whether to create, delete or update the IAM resource. Note, roles cannot be updated.
    required: true
    type: str

groups:
    description:
    - A list of groups the user should belong to. When I(state=update), will gracefully
      remove groups not listed.
    elements: str
    type: list

region:
    aliases:
    - aws_region
    - ec2_region
    description:
    - The AWS region to use.
    - For global services such as IAM, Route53 and CloudFront, I(region) is ignored.
    - The C(AWS_REGION) or C(EC2_REGION) environment variables may also be used.
    - See the Amazon AWS documentation for more information U(http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region).
    - The C(ec2_region) alias has been deprecated and will be removed in a release after
      2024-12-01
    - Support for the C(EC2_REGION) environment variable has been deprecated and will
      be removed in a release after 2024-12-01.
    type: str

profile:
    aliases:
    - aws_profile
    description:
    - A named AWS profile to use for authentication.
    - See the AWS documentation for more information about named profiles U(https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html).
    - The C(AWS_PROFILE) environment variable may also be used.
    - The I(profile) option is mutually exclusive with the I(aws_access_key), I(aws_secret_key)
      and I(security_token) options.
    type: str

iam_type:
    choices:
    - user
    - group
    - role
    description:
    - Type of IAM resource.
    required: true
    type: str

new_name:
    description:
    - When I(state=update), will replace I(name) with I(new_name) on IAM resource.
    type: str

new_path:
    description:
    - When I(state=update), will replace the path with I(new_path) on the IAM resource.
    type: str

password:
    description:
    - When I(type=user) and either I(state=present) or I(state=update), define the user's
      login password.
    - Note that this will always return 'changed'.
    type: str

key_count:
    default: 1
    description:
    - When I(access_key_state=create), it will ensure this quantity of keys is present.
    type: int

access_key:
    aliases:
    - aws_access_key_id
    - aws_access_key
    - ec2_access_key
    description:
    - AWS access key ID.
    - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
    - The C(AWS_ACCESS_KEY_ID), C(AWS_ACCESS_KEY) or C(EC2_ACCESS_KEY) environment variables
      may also be used in decreasing order of preference.
    - The I(aws_access_key) and I(profile) options are mutually exclusive.
    - The I(aws_access_key_id) alias was added in release 5.1.0 for consistency with the
      AWS botocore SDK.
    - The I(ec2_access_key) alias has been deprecated and will be removed in a release
      after 2024-12-01.
    - Support for the C(EC2_ACCESS_KEY) environment variable has been deprecated and will
      be removed in a release after 2024-12-01.
    type: str

aws_config:
    description:
    - A dictionary to modify the botocore configuration.
    - Parameters can be found in the AWS documentation U(https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config).
    type: dict

secret_key:
    aliases:
    - aws_secret_access_key
    - aws_secret_key
    - ec2_secret_key
    description:
    - AWS secret access key.
    - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
    - The C(AWS_SECRET_ACCESS_KEY), C(AWS_SECRET_KEY), or C(EC2_SECRET_KEY) environment
      variables may also be used in decreasing order of preference.
    - The I(secret_key) and I(profile) options are mutually exclusive.
    - The I(aws_secret_access_key) alias was added in release 5.1.0 for consistency with
      the AWS botocore SDK.
    - The I(ec2_secret_key) alias has been deprecated and will be removed in a release
      after 2024-12-01.
    - Support for the C(EC2_SECRET_KEY) environment variable has been deprecated and will
      be removed in a release after 2024-12-01.
    type: str

endpoint_url:
    aliases:
    - ec2_url
    - aws_endpoint_url
    - s3_url
    description:
    - URL to connect to instead of the default AWS endpoints. While this can be used
      to connect to other AWS-compatible services, the amazon.aws and community.aws
      collections are only tested against AWS.
    - The C(AWS_URL) or C(EC2_URL) environment variables may also be used, in decreasing
      order of preference.
    - The I(ec2_url) and I(s3_url) aliases have been deprecated and will be removed in
      a release after 2024-12-01.
    - Support for the C(EC2_URL) environment variable has been deprecated and will be
      removed in a release after 2024-12-01.
    type: str

trust_policy:
    description:
    - The inline (JSON or YAML) trust policy document that grants an entity permission
      to assume the role.
    - Mutually exclusive with I(trust_policy_filepath).
    type: dict

aws_ca_bundle:
    description:
    - The location of a CA Bundle to use when validating SSL certificates.
    - The C(AWS_CA_BUNDLE) environment variable may also be used.
    type: path

session_token:
    aliases:
    - aws_session_token
    - security_token
    - aws_security_token
    - access_token
    description:
    - AWS STS session token for use with temporary credentials.
    - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
    - The C(AWS_SESSION_TOKEN), C(AWS_SECURITY_TOKEN) or C(EC2_SECURITY_TOKEN) environment
      variables may also be used in decreasing order of preference.
    - The I(security_token) and I(profile) options are mutually exclusive.
    - Aliases I(aws_session_token) and I(session_token) were added in release 3.2.0, with
      the parameter being renamed from I(security_token) to I(session_token) in release
      6.0.0.
    - The I(security_token), I(aws_security_token), and I(access_token) aliases have been
      deprecated and will be removed in a release after 2024-12-01.
    - Support for the C(EC2_SECRET_KEY) and C(AWS_SECURITY_TOKEN) environment variables
      has been deprecated and will be removed in a release after 2024-12-01.
    type: str

access_key_ids:
    description:
    - A list of the keys that you want affected by the I(access_key_state) parameter.
    elements: str
    type: list

validate_certs:
    default: true
    description:
    - When set to C(false), SSL certificates will not be validated for communication with
      the AWS APIs.
    - Setting I(validate_certs=false) is strongly discouraged; as an alternative, consider
      setting I(aws_ca_bundle) instead.
    type: bool

update_password:
    choices:
    - always
    - on_create
    default: always
    description:
    - When to update user passwords.
    - I(update_password=always) will ensure the password is set to I(password).
    - I(update_password=on_create) will only set the password for newly created users.
    type: str

access_key_state:
    choices:
    - create
    - remove
    - active
    - inactive
    - Create
    - Remove
    - Active
    - Inactive
    description:
    - When type is user, it creates, removes, deactivates or activates a user's access
      key(s). Note that actions apply only to keys specified.
    type: str
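The access key options above (I(access_key_state), I(access_key_ids), I(key_count)) together with I(update_password) and I(aws_ca_bundle), combined into a staged key-rotation playbook. This is an added example, not part of the module documentation; the key ID, the vault variable and the CA bundle path are placeholders.

```yaml
# Added example (not from the module docs): rotate a user's access key in
# three stages so the old key is observably unused before it is deleted.
# old_key_id, vault_initial_password and the CA bundle path are placeholders.
- name: Rotate an IAM access key for a user
  hosts: localhost
  gather_facts: false
  vars:
    iam_user: jdavila
    old_key_id: "AKIA_PLACEHOLDER_OLD_KEY"   # placeholder, not a real key ID
  tasks:
    # Stage 1: ensure two keys exist, i.e. create the replacement alongside
    # the key still in use. update_password=on_create leaves the console
    # password of an existing user untouched instead of resetting it.
    - name: Create the replacement access key
      community.aws.iam:
        iam_type: user
        name: "{{ iam_user }}"
        state: update
        access_key_state: create
        key_count: 2
        update_password: on_create
        password: "{{ vault_initial_password }}"   # placeholder vault variable
        # pin a CA bundle rather than setting validate_certs: false
        aws_ca_bundle: /etc/ssl/certs/ca-certificates.crt   # placeholder path
      no_log: true   # the task result carries the new secret access key
      register: rotated

    # Stage 2: deactivate only the old key; access_key_ids scopes the action
    # so the new key keeps working while anything still using the old one
    # fails closed and can be fixed before the key is destroyed.
    - name: Deactivate the old access key
      community.aws.iam:
        iam_type: user
        name: "{{ iam_user }}"
        state: update
        access_key_state: inactive
        access_key_ids:
          - "{{ old_key_id }}"

    # Stage 3: once nothing depends on the old key, delete it for good.
    - name: Remove the old access key
      community.aws.iam:
        iam_type: user
        name: "{{ iam_user }}"
        state: update
        access_key_state: remove
        access_key_ids:
          - "{{ old_key_id }}"
```

Run stage 2 and stage 3 as separate plays or with a pause between them, so that a still-used key is caught while it is merely inactive and can be reactivated rather than recreated.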

trust_policy_filepath:
    description:
    - The path to the trust policy document that grants an entity permission to assume
      the role.
    - Mutually exclusive with I(trust_policy).
    type: str

debug_botocore_endpoint_logs:
    default: false
    description:
    - Use a C(botocore.endpoint) logger to parse the unique (rather than total) C("resource:action")
      API calls made during a task, outputting the set to the resource_actions key in the
      task results. Use the C(aws_resource_action) callback to output the total list made
      during a playbook.
    - The C(ANSIBLE_DEBUG_BOTOCORE_LOGS) environment variable may also be used.
    type: bool

Outputs

role_result:
  description: the IAM.role dict returned by Boto
  returned: if iam_type=role and state=present
  sample:
    arn: arn:aws:iam::A1B2C3D4E5F6:role/my-new-role
    assume_role_policy_document: '...truncated...'
    create_date: '2017-09-02T14:32:23Z'
    path: /
    role_id: AROAA1B2C3D4E5F6G7H8I
    role_name: my-new-role
  type: str
roles:
  description: a list containing the name of the currently defined roles
  returned: if iam_type=role and state=present
  sample:
  - my-new-role
  - my-existing-role-1
  - my-existing-role-2
  - my-existing-role-3
  - my-existing-role-...
  type: list