MalformedPolicyDocument error on PutUserPolicy while running ansible script to generate IAM user along with policy


I am trying to run an Ansible script to generate an IAM user along with an attached policy allowing access to an S3 bucket. I am able to create a policy on the console using the same policy document, and have confirmed that the document is valid JSON. However, I still see the error below. The document itself looks like this.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SAImgBucket",
            "Effect": "Allow",
            "Action": [
                 "s3:*"
            ],
            "Resource": [
                 "arn:aws:s3:::<s3-bucket-name>"
            ]
        }
    ]
}

The ansible task is as below.

- name: create sa IAM user permissions
  community.aws.iam_policy:
    iam_type: user
    iam_name: "{{ sa_app_username }}"
    policy_name: "{{ sa_app_username }}-policy"
    state: present
    policy_json: " {{ lookup( 'template', 'template/sa_iam_policy.json.j2') | to_json }} "

Any suggestions on how to further debug or address this are greatly appreciated.

botocore.errorfactory.MalformedPolicyDocumentException: An error occurred (MalformedPolicyDocument) when calling the PutUserPolicy operation: Syntax errors in policy.
[DEPRECATION WARNING]: The skip_duplicates behaviour has caused confusion and will be disabled by default in Ansible 2.14. This feature will be removed from community.aws in a release after 2022-06-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
fatal: [localhost]: FAILED! => changed=false 
  boto3_version: 1.18.18
  botocore_version: 1.21.18
  error:
    code: MalformedPolicyDocument
    message: Syntax errors in policy.
    type: Sender
  invocation:
    module_args:
      aws_access_key: null
      aws_ca_bundle: null
      aws_config: null
      aws_secret_key: null
      debug_botocore_endpoint_logs: false
      ec2_url: null
      iam_name: sa-103
      iam_type: user
      policy_document: null
      policy_json: '"{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Sid\": \"SAImgBucket\",\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                 \"s3:*\"\n            ],\n            \"Resource\": [\n                 \"arn:aws:s3:::<bucket-name>\"\n            ]\n        }\n    ]\n}\n"'
      policy_name: sa-103-policy
      profile: null
      region: null
      security_token: null
      skip_duplicates: null
      state: present
      validate_certs: true
  msg: 'An error occurred (MalformedPolicyDocument) when calling the PutUserPolicy operation: Syntax errors in policy.'
  response_metadata:
    http_headers:
      connection: close
      content-length: '279'
      content-type: text/xml
      date: Tue, 15 Feb 2022 17:45:05 GMT
      x-amzn-requestid: fce8efa1-7a86-468f-9481-264db52db33d
    http_status_code: 400
    request_id: fce8efa1-7a86-468f-9481-264db52db33d
    retry_attempts: 0

asked 2 years ago, 439 views

1 Answer

Accepted Answer

Hi,

Thanks for reaching out to us! I see that you're concerned about receiving a MalformedPolicyDocument error while trying to call the PutUserPolicy API using an Ansible script.

While the content of the policy looks fine, from the error logs you have shared, it looks like you might be passing an additional set of quotes before and after the JSON script (as shown below).

'"{\n "Version": "2012-10-17",\n "Statement": [\n {\n "Sid": "yourSid",\n "Effect": "Allow",\n "Action": [\n "s3:*"\n ],\n "Resource": [\n "arn:aws:s3:::<s3-bucket-name>"\n ]\n }\n ]\n}\n"'

The reason I say this is that, when I pass the JSON script as expected, CloudTrail records the JSON script without the additional quotation mark ' before and after the JSON script, as shown below:

"{\n "Version": "2012-10-17",\n "Statement": [\n {\n "Sid": "yourSid",\n "Effect": "Allow",\n "Action": [\n "s3:*"\n ],\n "Resource": [\n "arn:aws:s3:::<s3-bucket-name>"\n ]\n }\n ]\n} "

Could you please check for any additional quotes in your policy syntax when you pass the policy as a document sa_iam_policy.json.j2?

Please let us know if you continue to run into any such issues.

Note: As a reminder, I wanted to request that you not share any specific details on your resources over this platform. All questions and answers posted to re:Post are public. You should open a support case if your question involves sensitive information.

answered 2 years ago by AWS Support Engineer
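The following Python is an added illustration, not code from the question or the answer. It models what the task's filter chain does to the rendered template and adds a local pre-flight check a playbook could run before calling PutUserPolicy. Ansible's to_json filter is json.dumps applied to whatever value it receives, and lookup('template', ...) returns the rendered text as a string, so piping that text through to_json serializes a JSON document a second time and produces the quoted, backslash-escaped value visible in the failing task's policy_json. The names RENDERED_TEMPLATE, ansible_to_json, normalize_policy and policy_document_problem are assumptions of this example, and the policy text and bucket name are constructed placeholders.

```python
import json

# Constructed stand-in for the text that the Jinja2 template
# sa_iam_policy.json.j2 renders to: a JSON *text* held in a Python str.
# The bucket name is a placeholder, not a real resource.
RENDERED_TEMPLATE = """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SAImgBucket",
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": ["arn:aws:s3:::<s3-bucket-name>"]
        }
    ]
}
"""


def ansible_to_json(value):
    """Model of Ansible's to_json filter, which is json.dumps on the value it
    receives. Applied to a str it yields a JSON string literal: the whole text
    wrapped in quotes with every inner quote escaped. That is the extra layer
    of quoting seen in the policy_json value of the failing task."""
    return json.dumps(value)


def normalize_policy(rendered_text):
    """Model of the from_json | to_json filter chain: parse the rendered text
    into a dict and serialize that dict exactly once. Safe for a template whose
    output is already JSON, and it fails loudly if the output is not."""
    return json.dumps(json.loads(rendered_text))


def policy_document_problem(policy_json):
    """Return None when policy_json is structurally a usable identity-based
    IAM policy, otherwise a short description of the defect. This is a local
    pre-flight check that catches the encoding mistakes a playbook can make;
    IAM still performs its own, stricter validation on PutUserPolicy."""
    try:
        doc = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return f"not valid JSON: {exc.msg}"
    if isinstance(doc, str):
        # json.loads succeeded but returned a string: the text was JSON-encoded
        # twice, which is what lookup('template', ...) | to_json produces.
        return "double-encoded: JSON text was serialized a second time"
    if not isinstance(doc, dict):
        return f"top level must be an object, got {type(doc).__name__}"
    statements = doc.get("Statement")
    if statements is None:
        return "missing Statement"
    if isinstance(statements, dict):
        statements = [statements]
    if not isinstance(statements, list):
        return "Statement must be an object or a list of objects"
    for index, statement in enumerate(statements):
        if not isinstance(statement, dict):
            return f"Statement[{index}] is not an object"
        if statement.get("Effect") not in ("Allow", "Deny"):
            return f"Statement[{index}]: Effect must be Allow or Deny"
        if not any(key in statement for key in ("Action", "NotAction")):
            return f"Statement[{index}]: needs Action or NotAction"
        if not any(key in statement for key in ("Resource", "NotResource")):
            return f"Statement[{index}]: needs Resource or NotResource"
    return None


if __name__ == "__main__":
    # The task on the page: template output piped through to_json.
    as_sent = ansible_to_json(RENDERED_TEMPLATE)
    print("with | to_json    :", policy_document_problem(as_sent))
    # Template output passed through untouched, or re-serialized once.
    print("without to_json   :", policy_document_problem(RENDERED_TEMPLATE))
    print("from_json|to_json :", policy_document_problem(normalize_policy(RENDERED_TEMPLATE)))
```

In the playbook the equivalent fix is to pass the lookup result without `| to_json`, or to use `| from_json | to_json` when a single, whitespace-normalized serialization is wanted; the pre-flight check above would then report no problem for the value that reaches the module.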
