cloudera.cloud.iam_user module – Create, update, or remove CDP IAM Users

Note

This module is part of the cloudera.cloud collection (version 3.3.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install cloudera.cloud.

To use it in a playbook, specify: cloudera.cloud.iam_user.

New in cloudera.cloud 3.3.0

Synopsis

  • Create, update, and remove Cloudera Data Platform IAM Users.

  • Manage user role and resource role assignments.

Parameters

Parameter

Comments

access_key

string

If provided, the Cloudera on cloud API will use this value as its access key.

If not provided, the API will attempt to use the value from the environment variable CDP_ACCESS_KEY_ID.

Required if private_key is provided.

Mutually exclusive with credentials_path.

credentials_path

string

If provided, the Cloudera on cloud API will use this value as its credentials path.

If not provided, the API will attempt to use the value from the environment variable CDP_CREDENTIALS_PATH.

Default: "~/.cdp/credentials"

debug

aliases: debug_endpoints

boolean

If true, the module will capture the Cloudera on cloud HTTP log and return it in the sdk_out and sdk_out_lines fields.

Choices:

  • false ← (default)

  • true

email

string

The email address for the user.

Required when creating a new user (state=present).

Can be used to identify an existing user for updates or deletion.

If both email and user_id are provided, email takes precedence for lookup.

endpoint

aliases: endpoint_url, url

string

The Cloudera on cloud API endpoint to use.

If not provided, the API will attempt to use the value from the environment variable CDP_ENDPOINT_URL.

Mutually exclusive with endpoint_region.

endpoint_region

aliases: cdp_endpoint_region, cdp_region, region

string

Specify the Cloudera on cloud API endpoint region.

See Cloudera Control Plane regions for more information.

If not provided, the API will attempt to use the value from the environment variable CDP_REGION.

default is an alias for the us-west-1 region.

Mutually exclusive with endpoint.

Choices:

  • "default"

  • "us-west-1" ← (default)

  • "eu-1"

  • "ap-1"

endpoint_tls

aliases: verify_endpoint_tls, verify_tls, verify_api_tls

boolean

Verify the TLS certificates for the Cloudera on cloud API endpoint.

Choices:

  • false

  • true ← (default)

first_name

string

The user’s first name.

groups

list / elements=string

List of groups the user belongs to.

Groups must already exist before adding users to them.

Use the cloudera.cloud.iam_group module to create groups first.

http_agent

aliases: agent_header

string

The HTTP user agent to use for Cloudera on cloud API requests.

Default: "cloudera.cloud"

identity_provider_user_id

aliases: idp_user_id

string

The identity provider user ID for the user.

This ID must match the NameId attribute value in the SAML response.

If not provided, defaults to the email address (common for most SAML providers).

Only used when creating a new user.

last_name

string

The user’s last name.

private_key

string

If provided, the Cloudera on cloud API will use this value as its private key.

If not provided, the API will attempt to use the value from the environment variable CDP_PRIVATE_KEY.

Required if access_key is provided.

profile

string

If provided, the Cloudera on cloud API will use this value as its profile.

If not provided, the API will attempt to use the value from the environment variable CDP_PROFILE.

Default: "default"
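Because access_key, private_key, credentials_path and profile each fall back to an environment variable and then to a default, it helps to see the documented precedence and the two constraints (access_key and private_key go together; they are mutually exclusive with credentials_path) written out. The following is an added example, not the module's or the cloudera.cloud collection's own code: the function names, the error messages, the redaction of the private key in the returned summary, and the choice to prefer a resolved key pair over the credentials file are all assumptions of this example.

```python
"""Added example (not part of cloudera.cloud): resolve the authentication
parameters of cloudera.cloud.iam_user the way the parameter table documents
them: explicit module argument first, then the CDP_* environment variable,
then the default. Precedence of a key pair over the credentials file is an
assumption of this example."""

import os

DEFAULT_CREDENTIALS_PATH = "~/.cdp/credentials"   # documented default
DEFAULT_PROFILE = "default"                        # documented default


def validate_auth_params(params):
    """Return a list of problems with the explicitly set module arguments.

    Mirrors the constraints stated in the parameter table; an empty list
    means the combination of arguments is acceptable.
    """
    errors = []
    if ("access_key" in params) != ("private_key" in params):
        errors.append("access_key and private_key must be provided together")
    if "access_key" in params and "credentials_path" in params:
        errors.append("access_key/private_key are mutually exclusive with credentials_path")
    if "endpoint" in params and "endpoint_region" in params:
        errors.append("endpoint is mutually exclusive with endpoint_region")
    return errors


def resolve_auth(params, env=None):
    """Describe where credentials would come from for the given arguments.

    params: the module arguments that were actually set in the task.
    env: environment mapping (defaults to os.environ; pass a dict in tests).
    Secrets never appear in the returned summary, so it is safe to log.
    """
    env = os.environ if env is None else env
    errors = validate_auth_params(params)
    if errors:
        raise ValueError("; ".join(errors))

    # Explicit argument wins, then the documented environment variable.
    access_key = params.get("access_key") or env.get("CDP_ACCESS_KEY_ID")
    private_key = params.get("private_key") or env.get("CDP_PRIVATE_KEY")
    if access_key and private_key:
        return {"source": "key_pair",
                "access_key": access_key,
                "private_key": "<redacted>"}

    path = (params.get("credentials_path")
            or env.get("CDP_CREDENTIALS_PATH")
            or DEFAULT_CREDENTIALS_PATH)
    profile = (params.get("profile")
               or env.get("CDP_PROFILE")
               or DEFAULT_PROFILE)
    return {"source": "credentials_file",
            "credentials_path": path,
            "profile": profile}


if __name__ == "__main__":
    # Constructed sample: nothing set in the task, nothing in the environment.
    print(resolve_auth({}, env={}))
    # Constructed sample: key pair supplied via the environment only.
    print(resolve_auth({}, env={"CDP_ACCESS_KEY_ID": "AKEXAMPLE",
                                "CDP_PRIVATE_KEY": "not-a-real-key"}))
```

Keeping the private key out of the returned summary matters in Ansible, where task results are routinely written to logs and callback plugins; a validation helper that reports every conflict at once also saves a playbook run per mistake.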

purge

boolean

Flag to replace roles and resource_roles with their specified values.

If True, any roles or resource roles not specified will be removed.

Choices:

  • false ← (default)

  • true

resource_roles

list / elements=dictionary

A list of resource role assignments.

resource

aliases: resourceCrn, resource_crn

string / required

The resource CRN for the rights assignment.

role

aliases: resourceRoleCrn, resource_role_crn

string / required

The resource role CRN to be assigned.

roles

list / elements=string

A single role or list of roles assigned to the user.

The role must be identified by its full CRN.
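The purge, resource_roles and roles parameters above together decide which assignments the module grants and which it revokes: with purge false the listed assignments are merged into what the user already has, and with purge true anything not listed is removed. The following added example models that reconciliation in plain Python so the difference is visible before a playbook runs; it is not the module's own implementation. The function names and the choice to reconcile only the lists that were actually given (an omitted roles or resource_roles parameter leaves that category untouched even with purge true) are assumptions of this example, and the CRNs are the ones used in the page's own examples.

```python
"""Added example (not cloudera.cloud code): compute which role and resource
role assignments would be added or removed for a user, given the current
assignments and the playbook's roles / resource_roles / purge parameters."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class ResourceRole:
    """One resource role assignment: a resource CRN plus a resource role CRN."""
    resource: str
    role: str


@dataclass
class AssignmentPlan:
    """Assignments that would be granted and revoked for one user."""
    roles_to_add: set = field(default_factory=set)
    roles_to_remove: set = field(default_factory=set)
    resource_roles_to_add: set = field(default_factory=set)
    resource_roles_to_remove: set = field(default_factory=set)

    @property
    def changed(self):
        return any((self.roles_to_add, self.roles_to_remove,
                    self.resource_roles_to_add, self.resource_roles_to_remove))


def plan_assignments(current_roles, current_resource_roles,
                     desired_roles=None, desired_resource_roles=None,
                     purge=False):
    """Set-difference the current assignments against the desired ones.

    current_roles: role CRNs the user holds now.
    current_resource_roles: dicts shaped like the module's
        `resource_assignments` return value (resource_crn, resource_role_crn).
    desired_roles / desired_resource_roles: the task's `roles` and
        `resource_roles` arguments; None means the argument was not given,
        and (assumption of this example) that category is then left alone.
    purge: False merges the desired assignments in; True also removes every
        current assignment that is not in the desired list.
    """
    plan = AssignmentPlan()
    have_roles = set(current_roles)
    have_rr = {ResourceRole(a["resource_crn"], a["resource_role_crn"])
               for a in current_resource_roles}

    if desired_roles is not None:
        want_roles = set(desired_roles)
        plan.roles_to_add = want_roles - have_roles
        if purge:
            plan.roles_to_remove = have_roles - want_roles

    if desired_resource_roles is not None:
        want_rr = {ResourceRole(d["resource"], d["role"])
                   for d in desired_resource_roles}
        plan.resource_roles_to_add = want_rr - have_rr
        if purge:
            plan.resource_roles_to_remove = have_rr - want_rr

    return plan


if __name__ == "__main__":
    # Constructed sample: the user is EnvironmentUser on dev-env today and the
    # task asks for EnvironmentAdmin on prod-env, once merged and once purged.
    current = [{"resource_crn": "crn:cdp:environments:us-west-1:altus:environment:dev-env",
                "resource_role_crn": "crn:cdp:iam:us-west-1:altus:resourceRole:EnvironmentUser"}]
    desired = [{"resource": "crn:cdp:environments:us-west-1:altus:environment:prod-env",
                "role": "crn:cdp:iam:us-west-1:altus:resourceRole:EnvironmentAdmin"}]
    for purge in (False, True):
        plan = plan_assignments([], current, desired_resource_roles=desired, purge=purge)
        print(f"purge={purge}: add {len(plan.resource_roles_to_add)}, "
              f"remove {len(plan.resource_roles_to_remove)}")
```

Running the plan against a user's current `resource_assignments` before applying `purge: true` shows exactly which rights would be revoked, which is the check an administrator wants before a replace-style task touches a production environment.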

saml_provider_name

aliases: saml_provider

string

The name or CRN of the SAML provider the user will use for login.

If not provided, the default identity provider will be used automatically.

state

string

The state of the user.

Choices:

  • "present" ← (default)

  • "absent"

strict

aliases: strict_errors

boolean

Legacy CDPy SDK error handling.

Choices:

  • false ← (default)

  • true

user_id

aliases: user

string

The user ID or CRN of the user to manage.

Can be used to identify an existing user for updates or deletion.

Either user_id or email must be provided.

If both email and user_id are provided, email takes precedence for lookup.

workload_password

aliases: password

string

The workload password for the user.

This will be the user’s password in all Environments they have access to.

The password plaintext is not stored.

Only applicable when creating or updating a user (state=present).

This parameter is optional and only set if provided.

Examples

# Note: These examples do not set authentication details.

# Create a user (identity_provider_user_id defaults to email)
- cloudera.cloud.iam_user:
    email: user@example.com
    first_name: John
    last_name: Doe
    saml_provider_name: my-saml-provider

# Create a user with explicit identity provider user ID
- cloudera.cloud.iam_user:
    email: user@example.com
    identity_provider_user_id: user123
    first_name: John
    last_name: Doe
    saml_provider_name: my-saml-provider

# Create a user and assign to existing groups (groups must exist first)
- cloudera.cloud.iam_user:
    email: user@example.com
    groups:
      - developers
      - admins

# Create a user with a workload password
- cloudera.cloud.iam_user:
    email: user@example.com
    first_name: John
    last_name: Doe
    workload_password: "MySecurePassword123!"
    saml_provider_name: my-saml-provider

# Delete a user by user_id
- cloudera.cloud.iam_user:
    state: absent
    user_id: crn:cdp:iam:us-west-1:altus:user:example-user-id

# Delete a user by email
- cloudera.cloud.iam_user:
    state: absent
    email: user@example.com

# Assign roles to an existing user
- cloudera.cloud.iam_user:
    user_id: user@example.com
    roles:
      - crn:cdp:iam:us-west-1:altus:role:PowerUser

# Assign resource roles to a user
- cloudera.cloud.iam_user:
    user_id: user@example.com
    resource_roles:
      - resource: crn:cdp:environments:us-west-1:altus:environment:dev-env
        role: crn:cdp:iam:us-west-1:altus:resourceRole:EnvironmentUser

# Replace resource roles for a user
- cloudera.cloud.iam_user:
    user_id: user@example.com
    resource_roles:
      - resource: crn:cdp:environments:us-west-1:altus:environment:prod-env
        role: crn:cdp:iam:us-west-1:altus:resourceRole:EnvironmentAdmin
    purge: true

Return Values

Common return values are documented here; the following are the fields unique to this module:

Key

Description

sdk_out

string

Returns the captured CDP SDK log.

Returned: when supported

sdk_out_lines

list / elements=string

Returns a list of each line of the captured CDP SDK log.

Returned: when supported

user

dictionary

Information about the user.

Returned: always

creation_date

string

The date when this user record was created.

Returned: on success

Sample: "2020-07-06T12:24:05.531000+00:00"

crn

string

The CRN of the user.

Returned: on success

email

string

The user’s email address.

Returned: on success

Sample: "user@example.com"

first_name

string

The user’s first name.

Returned: on success

groups

list / elements=string

List of Group CRNs the user belongs to.

Returned: on success

last_name

string

The user’s last name.

Returned: on success

resource_assignments

list / elements=dictionary

List of Resource-to-Role assignments that are associated with the user.

Returned: on success

resource_crn

string

The CRN of the resource granted the rights of the role.

Returned: on success

resource_role_crn

string

The CRN of the resource role.

Returned: on success

roles

list / elements=string

List of Role CRNs assigned to the user.

Returned: on success

status

string

The status of the user.

Returned: on success

Sample: "ACTIVE"

workload_username

string

The user's username in all workload clusters.

Returned: on success

Authors

  • Ronald Suplina (@rsuplina)