Vh`vdZdZdZddlZddlmZddlmZddlmZddlm Z dd lm Z dd lm Z dd lm Z dd lm Z dd lmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZGddeZej<ddZdZ dZ!dZ"dZ#ej<d d!Z$ej<d"d#Z%ej<d$d%Z&ej<d&d'Z'ej<d(d)Z(ejRd*d+Z*d,Z+d-Z,d.Z-d/Z.d0Z/d1Z0ejRd2d3Z1ej<d4ejdd5g6d7Z3ejhd8d9Z5d:Z6ej<d;d<Z7d=Z8d>Z9e:d?k(re9yy)@a --- module: iam_role version_added: 1.0.0 version_added_collection: community.aws short_description: Manage AWS IAM roles description: - Manage AWS IAM roles. author: - "Rob White (@wimnat)" options: path: description: - The path of the role. - For more information about IAM paths, see the AWS IAM identifiers documentation U(https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html). - Updating the path on an existing role is not currently supported and will result in a warning. - O(path_prefix) and O(prefix) were added as aliases in release 7.2.0. type: str aliases: ["prefix", "path_prefix"] name: description: - The name of the role. - >- Note: Role names are unique within an account. Paths (O(path)) do B(not) affect the uniqueness requirements of O(name). For example it is not permitted to have both C(/Path1/MyRole) and C(/Path2/MyRole) in the same account. - O(role_name) was added as an alias in release 7.2.0. required: true type: str aliases: ["role_name"] description: description: - Provides a description of the role. type: str boundary: description: - The ARN of an IAM managed policy to use to restrict the permissions this role can pass on to IAM roles/users that it creates. - Boundaries cannot be set on Instance Profiles, as such if this option is specified then O(create_instance_profile) must be V(false). - This is intended for roles/users that have permissions to create new IAM objects. - For more information on boundaries, see U(https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html). aliases: [boundary_policy_arn] type: str assume_role_policy_document: description: - The trust relationship policy document that grants an entity permission to assume the role. - This parameter is required when O(state=present). type: json managed_policies: description: - A list of managed policy ARNs, or friendly names. - To remove all policies set O(purge_policies=true) and O(managed_policies=[]). - To embed an inline policy, use M(amazon.aws.iam_policy). aliases: ['managed_policy'] type: list elements: str max_session_duration: description: - The maximum duration (in seconds) of a session when assuming the role. - Valid values are between 1 and 12 hours (3600 and 43200 seconds). type: int purge_policies: description: - When O(purge_policies=true) any managed policies not listed in O(managed_policies) will be detatched. type: bool aliases: ['purge_policy', 'purge_managed_policies'] default: true state: description: - Create or remove the IAM role. default: present choices: [ present, absent ] type: str create_instance_profile: description: - If no IAM instance profile with the same O(name) exists, setting O(create_instance_profile=True) will create an IAM instance profile along with the role. - This option has been deprecated and will be removed in a release after 2026-05-01. The M(amazon.aws.iam_instance_profile) module can be used to manage instance profiles. - Defaults to V(True) type: bool delete_instance_profile: description: - When O(delete_instance_profile=true) and O(state=absent) deleting a role will also delete an instance profile with the same O(name) as the role, but only if the instance profile is associated with the role. - Only applies when O(state=absent). - This option has been deprecated and will be removed in a release after 2026-05-01. The M(amazon.aws.iam_instance_profile) module can be used to manage instance profiles. - Defaults to V(False) type: bool wait_timeout: description: - How long (in seconds) to wait for creation / update to complete. default: 120 type: int wait: description: - When O(wait=True) the module will wait for up to O(wait_timeout) seconds for IAM role creation before returning. default: True type: bool extends_documentation_fragment: - amazon.aws.common.modules - amazon.aws.region.modules - amazon.aws.tags - amazon.aws.boto3 a # Note: These examples do not set authentication details, see the AWS Guide for details. - name: Create a role with description and tags amazon.aws.iam_role: name: mynewrole assume_role_policy_document: "{{ lookup('file','policy.json') }}" description: This is My New Role tags: env: dev - name: "Create a role and attach a managed policy called 'PowerUserAccess'" amazon.aws.iam_role: name: mynewrole assume_role_policy_document: "{{ lookup('file','policy.json') }}" managed_policies: - arn:aws:iam::aws:policy/PowerUserAccess - name: Keep the role created above but remove all managed policies amazon.aws.iam_role: name: mynewrole assume_role_policy_document: "{{ lookup('file','policy.json') }}" managed_policies: [] - name: Delete the role amazon.aws.iam_role: name: mynewrole assume_role_policy_document: "{{ lookup('file', 'policy.json') }}" state: absent a iam_role: description: Dictionary containing the IAM Role data. returned: success type: complex contains: path: description: The path to the role. type: str returned: always sample: / role_name: description: The friendly name that identifies the role. type: str returned: always sample: myrole role_id: description: The stable and unique string identifying the role. type: str returned: always sample: ABCDEFF4EZ4ABCDEFV4ZC arn: description: The Amazon Resource Name (ARN) specifying the role. type: str returned: always sample: "arn:aws:iam::1234567890:role/mynewrole" create_date: description: The date and time, in ISO 8601 date-time format, when the role was created. type: str returned: always sample: "2016-08-14T04:36:28+00:00" assume_role_policy_document: description: - The policy that grants an entity permission to assume the role. - | Note: the case of keys in this dictionary are no longer converted from CamelCase to snake_case. This behaviour changed in release 8.0.0. type: dict returned: always sample: { 'statement': [ { 'action': 'sts:AssumeRole', 'effect': 'Allow', 'principal': { 'service': 'ec2.amazonaws.com' }, 'sid': '' } ], 'version': '2012-10-17' } assume_role_policy_document_raw: description: - | Note: this return value has been deprecated and will be removed in a release after 2026-05-01. RV(iam_role.assume_role_policy_document) and RV(iam_role.assume_role_policy_document_raw) now use the same format. type: dict returned: always sample: { 'statement': [ { 'action': 'sts:AssumeRole', 'effect': 'Allow', 'principal': { 'service': 'ec2.amazonaws.com' }, 'sid': '' } ], 'version': '2012-10-17' } version_added: 5.3.0 attached_policies: description: A list of dicts containing the name and ARN of the managed IAM policies attached to the role. type: list elements: dict returned: always sample: [ { 'policy_arn': 'arn:aws:iam::aws:policy/PowerUserAccess', 'policy_name': 'PowerUserAccess' } ] contains: policy_arn: description: The Amazon Resource Name (ARN) specifying the managed policy. type: str sample: "arn:aws:iam::123456789012:policy/test_policy" policy_name: description: The friendly name that identifies the policy. type: str sample: test_policy description: description: A description of the role. type: str returned: always sample: "This is My New Role" max_session_duration: description: The maximum duration (in seconds) of a session when assuming the role. type: int returned: always sample: 3600 role_last_used: description: Contains information about the last time that an IAM role was used. type: dict returned: always sample: { "last_used_date": "2023-11-22T21:54:29+00:00", "region": "us-east-2" } contains: last_used_date: description: The date and time, in ISO 8601 date-time format that the role was last used. type: str returned: always region: description: The name of the Amazon Web Services Region in which the role was last used. type: str returned: always tags: description: role tags type: dict returned: always sample: '{"Env": "Prod"}' N)validate_aws_arn)AnsibleIAMError)IAMErrorHandler) add_role_to_iam_instance_profile)$convert_managed_policy_names_to_arns)create_iam_instance_profile)delete_iam_instance_profile) get_iam_role)list_iam_instance_profiles)list_iam_role_attached_policies)normalize_iam_role)%remove_role_from_iam_instance_profile)validate_iam_identifiers)AnsibleAWSModule)compare_policies)AWSRetry)ansible_dict_to_boto3_tag_list)boto3_tag_list_to_ansible_dict)compare_aws_tagsc eZdZy)AnsibleIAMAlreadyExistsErrorN)__name__ __module__ __qualname__g/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/amazon/aws/plugins/modules/iam_role.pyrr+srrzwait for role creationc~|s|ryt|d}||z}|jd}|j||d|y)N role_exists)Delay MaxAttempts) WaiterConfigRoleName)min get_waiterwait)client check_mode role_namer' wait_timeoutdelay max_attemptswaiters rwait_iam_existsr//sLT  a E5(L   } -F KK$\Brc|sy|ry|D]4}tjd|d|j||d6y)NFTzattach policy z to roler$ PolicyArn aws_retry)rcommon_error_handlerattach_role_policy)r(r)policies_to_attachr* policy_arns rattach_policiesr8>sV ( nS,,~j\-RSTZTmTmn*   rc|sy|ry|D]4}tjd|d|j||d6y)NFTzdetach policy z from roler1)rdeletion_error_handlerdetach_role_policy)r(r)policies_to_remover*policys rremove_policiesr>KsV $ nS..xz/RSTZTmTmn&D   rct||}|D]4}tjd|d|j||d6y)Nzdelete policy z embedded in roleT)r$ PolicyNamer3)get_inline_policy_listrr:delete_role_policy)r(r*current_inline_policiesr=s rremove_inline_policiesrDXsS4VYG) uZ..xGX/YZ[a[t[tu6T  rct}|jjdxsd|d<|jjd|d<|jjd|d<|jjd|jjd|d <|jjd |jjd |d <|jjd |jjd |d <|jjd't|jjd|d<|S)Npath/Pathnamer$assume_role_policy_documentAssumeRolePolicyDocument description Descriptionmax_session_durationMaxSessionDurationboundaryPermissionsBoundarytagsTags)dictparamsgetr)modulerUs rgenerate_create_paramsrX`s VF]]&&v.5#F6N**62F:)/):):;X)YF %& }}'3 & 1 1- @} }}/0<'-}}'8'89O'P#$ }}$0(. (9(9*(E$% }} ,7 8I8I&8QRv Mrz create rolec|jr|jdt|}|jdddi|}t ||d}|S)zi Perform the Role creation. Assumes tests for the role existing have already been performed. Tchangedr3r$r)r) exit_jsonrX create_role_get_role_with_backoff)rWr(rUroles rcreate_basic_roler`qsZ & #F +F 6   7 7 7D "&&*< =D Krz"update assume role policy for rolecv|t|tj|sy|ry|j||dy)NFT)r$PolicyDocumentr3)rjsonloadsupdate_assume_role_policy)r(r)r*target_assumed_policycurrent_assumed_policys rupdate_role_assumed_policyrhsE$,<=SUYU_U_`uUv,w $$iH]im$n rzupdate description for rolecB|||k(ry|ry|j||dy)NFT)r$rMr3 update_role)r(r)r*target_descriptioncurrent_descriptions rupdate_role_descriptionrns6!%8r8) r(r)r*managed_policiespurge_policiescurrent_attached_policiesr="current_attached_policies_arn_listr<r6r[s rupdate_managed_policiesrs!@ RLe)f&&*=)f&)f !&6q&9&A?@3GWCXX/=+2-.5W1XXG,  vz;MyY YG  vz;MyY YG N-*gs Bc |j}|jjd}|jjd}|jjd}|jjd}|jjd} |jjd} |jjd} |jd} |jd } |jd }|jd ijd d }|jdg}t||||r'|j d|jdd|dd}|t |||| | |z}|t ||||| z}|t||||| z}|t|||||z}|t|||| |z}|S)NrJrLrNrFrP purge_tagsrRrKrMrOrQPermissionsBoundaryArnr{rSz:iam_role doesn't support updating the path: current path 'rHz', requested path ''F) r)rUrVupdate_role_pathwarnupdate_role_tagsrhrnrrr)rWr(r*r_r)assumed_policyrLdurationrFr}rrRrgrmrqr~ current_tagsr[s rupdate_basic_rolers""J]]&&'DEN--##M2K}}  !78H ==  V $D!==,,Z8""<0J ==  V $D"XX&@A((=1xx 45#'88,A2#F#J#JKceg#h 88FB'L D$7 HRXIYHZZmnrmsst u G  ItZQ]^^G )&*iYoppG &vz9kSfggG / IxYijjG / I';=YG Nrc6|j}|jjd}|jjd}|jjd}|jjd}|jjd} | r t|| } d} t ||} | t ||} t |||||d} nt|||| } t ||||||r! | t||||z} t |||||| t||j|| |z} t |||||t ||} t||| d <t| d } |j| | y#t$r|jd|d YwxYw) Nr'r+rFrrFTprofile z' already exists and will not be updatedAttachedPolicies) _v7_compat)r[iam_role)r)rUrVrr r`r/rcreate_instance_profilesrrrr r r\) rWr(r*create_instance_profiler)r'r+rFrrr[r_ camel_roles rcreate_or_update_rolers""J ==  V $D==$$^4L ==  V $D]]&&'78N}}(();<?HXYG  *D | 0 It\J#FFItD It\J W / ItT TG FJ 4 N &vv/@/@)M]_mnnGFJ 4F  *D>vyQD #DT:J Wz:, W KK(9+-TU V Ws0 E77FFct|}tfd|Dryt|}|rtdd|ry|xsd}t||it |y) Nr_c3.K|] }|dk(yw)InstanceProfileNameNr).0pr*s r z+create_instance_profiles..5s HQ1 " #y 0 HsF)rIrz already existsTrG)r anyrrr)r(r)r*rF role_profiles named_profiles ` rrr1so.vIFM H- HH.vIFM*Xi[+PQQ ;3D 4<$VY B rct||}|sy|ry|D])}|d}t||||s||k(st||+y)zsRemoves the role from instance profiles and deletes the instance profile if delete_instance_profile is set rFTrN)r rr )r(r)r*delete_instance_profileinstance_profilesprofile profile_names rremove_instance_profilesrGs] 36 J %>45 -flIN&  9 $ ' =>rz delete rolect||}|y|ryt||||t|||gdt|||j d|y)NFT)r3r$)r rrrD delete_role)r(r)r*delete_profilesr_s r destroy_roler]s\  *D | VZOLFJ 2tD69-  : rzget role NoSuchEntity)catch_extra_error_codesc.|j|dy)Nr|Role)get_roler(rIs rr^r^ss OOTO"6*rz&list attached inline policies for rolec.|j|ddS)NT)r$r3 PolicyNames)list_role_policiesrs rrArAys  $ $dd $ CM RRrc<|y||jdk(ry|ry y)NFrHT)rV)r(r)r_rFs rrr~s, | txx rzset tags for rolec|yt|}t|||\}}|s|sy|ry|r|j||d|r|j|t |dy)NF)rT)r$TagKeysr3)r$rSr3)rr untag_roletag_roler)r(r)r*new_tagsr existing_tags tags_to_addtags_to_removes rrrsp2=AM"2=(Wa"bK +9nPTU1OP[1\hlm rcV|jjdrg|jjddur|jdt|jjdds|jd|jjd r7|jjd }|d ks|d kDr|jd t d |jjd|jjd}|r|j|yy)NrPrFzOWhen using a boundary policy, `create_instance_profile` must be set to `false`.)msgiam)servicezBoundary policy must be an ARNrNiizLmax_session_duration must be between 1 and 12 hours (3600 and 43200 seconds)r_rIrF)rIrF)rUrV fail_jsonrr)rWrNidentifier_problems rvalidate_paramsrs }}$ ==  6 7u D   !r  s 1 1* =uM   !A  B }}/0%}}001GH $ &*>*F   !o  p1V]]&&v.V]]5F5Fv5N/0rcttddgdtdddgtd td d gd td tdddgdtd tddgtd td tddddgtddgtddtddtdd }t|dddgfgd}|jdd d!"|jj d#|jd$d d!"|jj d%|jd&d d!"t ||j d'tj(}|jj d}|jj d)}|jj d#}|dn|}|jj d%xsd*} |dk(rt||||y|dk(r+t||j||}|j|+yy#t$r}|j|Yd}~yd}~wwxYw),Nstrr*T)typealiasesrequired path_prefixprefix)rrrc)rlistmanaged_policy)rrelementsintpresentabsent)rchoicesdefaultboundary_policy_arnbool purge_policypurge_managed_policies)rrrrT resource_tags)rrx)rr)rIrFrJrrNstaterLrPrrrrRrr'r+rrJ) argument_spec required_ifsupports_check_modezIn a release after 2026-05-01 iam_role.assume_role_policy_document_raw will no longer be returned. Since release 8.0.0 assume_role_policy_document has been returned with the same format as iam_role.assume_role_policy_document_rawz 2026-05-01z amazon.aws)datecollection_namerzIn a release after 2026-05-01 the 'create_instance_profile' option will be removed. The amazon.aws.iam_instance_profile module can be used to manage instance profiles instead.rzIn a release after 2026-05-01 the 'delete_instance_profile' option will be removed. The amazon.aws.iam_instance_profile module can be used to manage and delete instance profiles instead.r)retry_decoratorrIFrZ)rTr deprecaterUrVrr(rjittered_backoffrrr)r\rfail_json_aws_error) rrWr(rr*create_profiledelete_profiler[es rmainrsm u{md C u}h&? @$(f$564D3EPUV!u- 8'rDrXr`rhrnrrrvr:ryrrrrrrrrr^list_error_handlerrArrrrrrrrrsYl \ >~ @ TSSdh__P^cVi\XWPffX ? &%%&>? @    "&%%m45&&%%&JKL&%%&CDE&%%&PQR&%%&KLCMC(''(NO6P6 @"J(;V,>,('' 67*&%%j1N3CD+E2+$##$LMSNS &%%&9:;&1&B&J zFr